Manage GCP Organization IAM Members

The gcp:organizations/iAMMember:IAMMember resource, part of the Pulumi GCP provider, grants a single identity access to an organization-level role without affecting other members who already have that role. This guide focuses on two capabilities: adding individual members to roles and configuring time-limited access with IAM Conditions.

IAMMember is non-authoritative: it adds one member to a role without replacing existing members. It requires an existing GCP organization and the identities you want to grant access to. The examples are intentionally small. Combine them with your own organization structure and access policies.

Grant a role to a single member

Most IAM configurations add a specific user, service account, or group to a role without affecting other members.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const organization = new gcp.organizations.IAMMember("organization", {
    orgId: "1234567890",
    role: "roles/editor",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

organization = gcp.organizations.IAMMember("organization",
    org_id="1234567890",
    role="roles/editor",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := organizations.NewIAMMember(ctx, "organization", &organizations.IAMMemberArgs{
			OrgId:  pulumi.String("1234567890"),
			Role:   pulumi.String("roles/editor"),
			Member: pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var organization = new Gcp.Organizations.IAMMember("organization", new()
    {
        OrgId = "1234567890",
        Role = "roles/editor",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.IAMMember;
import com.pulumi.gcp.organizations.IAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var organization = new IAMMember("organization", IAMMemberArgs.builder()
            .orgId("1234567890")
            .role("roles/editor")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  organization:
    type: gcp:organizations:IAMMember
    properties:
      orgId: '1234567890'
      role: roles/editor
      member: user:jane@example.com

The member property specifies the identity to grant access to, using formats like user:jane@example.com, serviceAccount:app@project.iam.gserviceaccount.com, or group:admins@example.com. The role property defines the permission set. IAMMember preserves other members who already have this role, unlike IAMBinding which replaces the entire member list.

Grant time-limited access with IAM Conditions

Temporary access grants expire automatically when conditions evaluate to false, eliminating manual cleanup.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const organization = new gcp.organizations.IAMMember("organization", {
    orgId: "1234567890",
    role: "roles/editor",
    member: "user:jane@example.com",
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp

organization = gcp.organizations.IAMMember("organization",
    org_id="1234567890",
    role="roles/editor",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := organizations.NewIAMMember(ctx, "organization", &organizations.IAMMemberArgs{
			OrgId:  pulumi.String("1234567890"),
			Role:   pulumi.String("roles/editor"),
			Member: pulumi.String("user:jane@example.com"),
			Condition: &organizations.IAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var organization = new Gcp.Organizations.IAMMember("organization", new()
    {
        OrgId = "1234567890",
        Role = "roles/editor",
        Member = "user:jane@example.com",
        Condition = new Gcp.Organizations.Inputs.IAMMemberConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.IAMMember;
import com.pulumi.gcp.organizations.IAMMemberArgs;
import com.pulumi.gcp.organizations.inputs.IAMMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var organization = new IAMMember("organization", IAMMemberArgs.builder()
            .orgId("1234567890")
            .role("roles/editor")
            .member("user:jane@example.com")
            .condition(IAMMemberConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());

    }
}

resources:
  organization:
    type: gcp:organizations:IAMMember
    properties:
      orgId: '1234567890'
      role: roles/editor
      member: user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")

The condition block adds temporal or contextual constraints to the role grant. The expression property uses Common Expression Language (CEL) to define when access is valid. Here, request.time < timestamp("2020-01-01T00:00:00Z") automatically revokes access after December 31, 2019. The title property uniquely identifies the condition; description provides human-readable context.

Beyond these examples

These snippets focus on specific IAMMember features: single-member role grants and time-based access expiration. They’re intentionally minimal rather than full access control systems.

The examples require pre-existing infrastructure such as a GCP organization with numeric ID, and user accounts, service accounts, or groups to grant access to. They focus on granting individual member access rather than managing complete IAM policies.

To keep things focused, common organization IAM patterns are omitted, including:

Multi-member role grants (IAMBinding)
Full policy replacement (IAMPolicy)
Audit logging configuration (IamAuditConfig)
Custom role definitions and formatting

These omissions are intentional: the goal is to illustrate how IAMMember grants are wired, not provide drop-in access control modules. See the Organizations IAMMember resource reference for all available configuration options.

Let's manage GCP Organization IAM Members

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Compatibility

What's the difference between IAMPolicy, IAMBinding, and IAMMember?

IAMPolicy is authoritative and replaces the entire policy. IAMBinding is authoritative for a given role, preserving other roles. IAMMember is non-authoritative, adding a single member to a role while preserving other members.

Which IAM resources can I use together?

IAMPolicy cannot be used with IAMBinding, IAMMember, or IamAuditConfig (they will conflict). IAMBinding and IAMMember can be used together only if they don’t grant privilege to the same role.

Access Control Risks

How can I avoid locking myself out of my organization?

When using IAMPolicy, start by importing your existing policy and examine the diff carefully; new organizations have default policies that will be overwritten. When using IAMBinding with roles/owner, always include a user or service account you have access to in members.

Why is IAMBinding safer than IAMPolicy?

IAMPolicy overwrites the entire policy, including default policies on new organizations. This can lock you out, requiring a call to Google Support (multiple days to resolve). IAMBinding preserves other roles and is the recommended approach.

Configuration & Syntax

What formats can I use for the member parameter?

Four formats are supported: user:{emailid} (e.g., alice@gmail.com), serviceAccount:{emailid} (e.g., my-app@appspot.gserviceaccount.com), group:{emailid} (e.g., admins@example.com), and domain:{domain} (e.g., example.com).

How do I specify a custom role?

Custom roles must use the format organizations/{{org_id}}/roles/{{role_id}}.

How do I add time-based or conditional access?

Use the condition block with title, description, and expression. For example, to expire access at midnight on 2019-12-31, use: expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")".

Resource Lifecycle

What properties are immutable after creation?

All core properties are immutable: member, orgId, role, and condition. Changes to these require resource replacement.

How do I import a binding with a condition?

Include the condition title in the import command: terraform import google_organization_iam_binding.my_organization "your-org-id roles/{{role_id}} condition-title".

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides