The gcp:organizations/iAMPolicy:IAMPolicy resource, part of the Pulumi GCP provider, manages IAM access control at the organization level through four distinct resources. IAMPolicy performs full policy replacement (high risk), IAMBinding controls all members for a specific role, IAMMember adds individual grants incrementally, and IamAuditConfig enables audit logging. This guide focuses on four capabilities: individual member grants, role-level member lists, time-limited access with IAM Conditions, and audit logging.
These resources require an organization ID and reference user accounts or service accounts. The examples are intentionally small. Combine them with your own identity management and compliance requirements.
Grant a single member access to a role
Most IAM configurations add individual users or service accounts to roles incrementally, preserving existing access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const organization = new gcp.organizations.IAMMember("organization", {
orgId: "1234567890",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
organization = gcp.organizations.IAMMember("organization",
org_id="1234567890",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.NewIAMMember(ctx, "organization", &organizations.IAMMemberArgs{
OrgId: pulumi.String("1234567890"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var organization = new Gcp.Organizations.IAMMember("organization", new()
{
OrgId = "1234567890",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.IAMMember;
import com.pulumi.gcp.organizations.IAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var organization = new IAMMember("organization", IAMMemberArgs.builder()
.orgId("1234567890")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
organization:
type: gcp:organizations:IAMMember
properties:
orgId: '1234567890'
role: roles/editor
member: user:jane@example.com
The IAMMember resource adds one member to one role without affecting other members or roles. The member property uses the format “user:email@example.com” for users or “serviceAccount:name@project.iam.gserviceaccount.com” for service accounts. This non-authoritative approach lets multiple IAMMember resources manage the same role safely.
Define all members for a specific role
When you need complete control over who has a particular role, IAMBinding replaces the entire member list authoritatively.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const organization = new gcp.organizations.IAMBinding("organization", {
orgId: "1234567890",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
organization = gcp.organizations.IAMBinding("organization",
org_id="1234567890",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.NewIAMBinding(ctx, "organization", &organizations.IAMBindingArgs{
OrgId: pulumi.String("1234567890"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var organization = new Gcp.Organizations.IAMBinding("organization", new()
{
OrgId = "1234567890",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.IAMBinding;
import com.pulumi.gcp.organizations.IAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var organization = new IAMBinding("organization", IAMBindingArgs.builder()
.orgId("1234567890")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
organization:
type: gcp:organizations:IAMBinding
properties:
orgId: '1234567890'
role: roles/editor
members:
- user:jane@example.com
The IAMBinding resource sets the complete member list for one role, removing any members not in the list. The members property takes an array of identity strings. This authoritative approach ensures only specified members have the role, but it will remove existing members not included in your configuration.
Add time-limited access with IAM Conditions
Temporary access grants expire automatically when you attach IAM Conditions that evaluate timestamps.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const organization = new gcp.organizations.IAMMember("organization", {
orgId: "1234567890",
role: "roles/editor",
member: "user:jane@example.com",
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
organization = gcp.organizations.IAMMember("organization",
org_id="1234567890",
role="roles/editor",
member="user:jane@example.com",
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.NewIAMMember(ctx, "organization", &organizations.IAMMemberArgs{
OrgId: pulumi.String("1234567890"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
Condition: &organizations.IAMMemberConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var organization = new Gcp.Organizations.IAMMember("organization", new()
{
OrgId = "1234567890",
Role = "roles/editor",
Member = "user:jane@example.com",
Condition = new Gcp.Organizations.Inputs.IAMMemberConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.IAMMember;
import com.pulumi.gcp.organizations.IAMMemberArgs;
import com.pulumi.gcp.organizations.inputs.IAMMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var organization = new IAMMember("organization", IAMMemberArgs.builder()
.orgId("1234567890")
.role("roles/editor")
.member("user:jane@example.com")
.condition(IAMMemberConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
organization:
type: gcp:organizations:IAMMember
properties:
orgId: '1234567890'
role: roles/editor
member: user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal constraints to role grants. The expression property uses Common Expression Language (CEL) to compare request.time against a timestamp. When the condition evaluates to false, the member loses access automatically. The title and description properties document the condition’s purpose.
Enable audit logging for organization activity
Compliance teams track organization-level actions by configuring audit logs that capture admin operations and data access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const organization = new gcp.organizations.IamAuditConfig("organization", {
orgId: "1234567890",
service: "allServices",
auditLogConfigs: [
{
logType: "ADMIN_READ",
},
{
logType: "DATA_READ",
exemptedMembers: ["user:joebloggs@example.com"],
},
],
});
import pulumi
import pulumi_gcp as gcp
organization = gcp.organizations.IamAuditConfig("organization",
org_id="1234567890",
service="allServices",
audit_log_configs=[
{
"log_type": "ADMIN_READ",
},
{
"log_type": "DATA_READ",
"exempted_members": ["user:joebloggs@example.com"],
},
])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.NewIamAuditConfig(ctx, "organization", &organizations.IamAuditConfigArgs{
OrgId: pulumi.String("1234567890"),
Service: pulumi.String("allServices"),
AuditLogConfigs: organizations.IamAuditConfigAuditLogConfigArray{
&organizations.IamAuditConfigAuditLogConfigArgs{
LogType: pulumi.String("ADMIN_READ"),
},
&organizations.IamAuditConfigAuditLogConfigArgs{
LogType: pulumi.String("DATA_READ"),
ExemptedMembers: pulumi.StringArray{
pulumi.String("user:joebloggs@example.com"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var organization = new Gcp.Organizations.IamAuditConfig("organization", new()
{
OrgId = "1234567890",
Service = "allServices",
AuditLogConfigs = new[]
{
new Gcp.Organizations.Inputs.IamAuditConfigAuditLogConfigArgs
{
LogType = "ADMIN_READ",
},
new Gcp.Organizations.Inputs.IamAuditConfigAuditLogConfigArgs
{
LogType = "DATA_READ",
ExemptedMembers = new[]
{
"user:joebloggs@example.com",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.IamAuditConfig;
import com.pulumi.gcp.organizations.IamAuditConfigArgs;
import com.pulumi.gcp.organizations.inputs.IamAuditConfigAuditLogConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var organization = new IamAuditConfig("organization", IamAuditConfigArgs.builder()
.orgId("1234567890")
.service("allServices")
.auditLogConfigs(
IamAuditConfigAuditLogConfigArgs.builder()
.logType("ADMIN_READ")
.build(),
IamAuditConfigAuditLogConfigArgs.builder()
.logType("DATA_READ")
.exemptedMembers("user:joebloggs@example.com")
.build())
.build());
}
}
resources:
organization:
type: gcp:organizations:IamAuditConfig
properties:
orgId: '1234567890'
service: allServices
auditLogConfigs:
- logType: ADMIN_READ
- logType: DATA_READ
exemptedMembers:
- user:joebloggs@example.com
The IamAuditConfig resource enables Cloud Audit Logs for a service. The service property accepts “allServices” or specific service names like “compute.googleapis.com”. The auditLogConfigs array defines which log types to capture: ADMIN_READ for admin operations, DATA_READ for data access, DATA_WRITE for data modifications. The exemptedMembers property excludes specific identities from logging.
Beyond these examples
These snippets focus on specific organization IAM features: incremental and authoritative role assignment, time-based access with IAM Conditions, and audit logging configuration. They’re intentionally minimal rather than full access control systems.
The examples require pre-existing infrastructure such as a GCP organization with numeric org ID, and user accounts and service accounts to grant access to. They focus on configuring IAM policies rather than provisioning the underlying identity infrastructure.
To keep things focused, common organization IAM patterns are omitted, including:
- IAMPolicy for complete policy replacement (high risk of lockout)
- Custom role definitions and role hierarchies
- Workload Identity and service account impersonation
- Organization policy constraints and guardrails
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Organizations IAMPolicy resource reference for all available configuration options.
Let's manage GCP Organization IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Security & Access Control
role set to roles/owner, you must include a user or service account you have access to in the members list. Otherwise, you’ll lock yourself out of your organization.Resource Selection & Conflicts
Choose based on your management needs:
- IAMPolicy: Authoritative, replaces the entire policy. Use only for fully managed organizations.
- IAMBinding: Authoritative for a specific role, preserves other roles. Safest for most use cases.
- IAMMember: Non-authoritative, adds individual members without affecting others.
- IamAuditConfig: Authoritative for audit logging on a specific service.
Configuration & Features
condition block with title, description, and expression fields. For example, to expire access at midnight on 2019-12-31, set expression to request.time < timestamp("2020-01-01T00:00:00Z").