The gcp:compute/regionBackendServiceIamPolicy:RegionBackendServiceIamPolicy resource, part of the Pulumi GCP provider, manages IAM access control for regional backend services. Three related resources provide different management approaches: RegionBackendServiceIamPolicy (authoritative, replaces entire policy), RegionBackendServiceIamBinding (authoritative for one role, preserves other roles), and RegionBackendServiceIamMember (non-authoritative, adds individual members). This guide focuses on four capabilities: authoritative policy replacement, role-level member binding, incremental member addition, and time-based access with IAM Conditions.
These resources reference existing regional backend services and require project/region configuration. The examples are intentionally small. Combine them with your own backend service infrastructure and organizational access patterns.
Replace the entire IAM policy with a new definition
When you need complete control over who can access a backend service, you can replace the entire IAM policy in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/compute.admin",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.compute.RegionBackendServiceIamPolicy("policy", {
project: _default.project,
region: _default.region,
name: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/compute.admin",
"members": ["user:jane@example.com"],
}])
policy = gcp.compute.RegionBackendServiceIamPolicy("policy",
project=default["project"],
region=default["region"],
name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/compute.admin",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewRegionBackendServiceIamPolicy(ctx, "policy", &compute.RegionBackendServiceIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Region: pulumi.Any(_default.Region),
Name: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/compute.admin",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Compute.RegionBackendServiceIamPolicy("policy", new()
{
Project = @default.Project,
Region = @default.Region,
Name = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.RegionBackendServiceIamPolicy;
import com.pulumi.gcp.compute.RegionBackendServiceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/compute.admin")
.members("user:jane@example.com")
.build())
.build());
var policy = new RegionBackendServiceIamPolicy("policy", RegionBackendServiceIamPolicyArgs.builder()
.project(default_.project())
.region(default_.region())
.name(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:RegionBackendServiceIamPolicy
properties:
project: ${default.project}
region: ${default.region}
name: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/compute.admin
members:
- user:jane@example.com
The RegionBackendServiceIamPolicy resource sets the complete IAM policy using policyData from the getIAMPolicy data source. This approach replaces any existing policy, making it authoritative. The bindings array in getIAMPolicy defines roles and their members; policyData serializes this into the format GCP expects.
Grant a role to multiple members at once
Teams often need to grant the same role to several users or service accounts simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.compute.RegionBackendServiceIamBinding("binding", {
project: _default.project,
region: _default.region,
name: _default.name,
role: "roles/compute.admin",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.compute.RegionBackendServiceIamBinding("binding",
project=default["project"],
region=default["region"],
name=default["name"],
role="roles/compute.admin",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewRegionBackendServiceIamBinding(ctx, "binding", &compute.RegionBackendServiceIamBindingArgs{
Project: pulumi.Any(_default.Project),
Region: pulumi.Any(_default.Region),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/compute.admin"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Compute.RegionBackendServiceIamBinding("binding", new()
{
Project = @default.Project,
Region = @default.Region,
Name = @default.Name,
Role = "roles/compute.admin",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionBackendServiceIamBinding;
import com.pulumi.gcp.compute.RegionBackendServiceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RegionBackendServiceIamBinding("binding", RegionBackendServiceIamBindingArgs.builder()
.project(default_.project())
.region(default_.region())
.name(default_.name())
.role("roles/compute.admin")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:compute:RegionBackendServiceIamBinding
properties:
project: ${default.project}
region: ${default.region}
name: ${default.name}
role: roles/compute.admin
members:
- user:jane@example.com
The RegionBackendServiceIamBinding resource manages all members for a specific role. The members array lists everyone who should have this role; other roles in the policy remain unchanged. This is authoritative for the specified role but preserves other roles.
Add a single member to a role incrementally
When onboarding individual users or service accounts, you can add them to a role without affecting other members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.RegionBackendServiceIamMember("member", {
project: _default.project,
region: _default.region,
name: _default.name,
role: "roles/compute.admin",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.RegionBackendServiceIamMember("member",
project=default["project"],
region=default["region"],
name=default["name"],
role="roles/compute.admin",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewRegionBackendServiceIamMember(ctx, "member", &compute.RegionBackendServiceIamMemberArgs{
Project: pulumi.Any(_default.Project),
Region: pulumi.Any(_default.Region),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/compute.admin"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.RegionBackendServiceIamMember("member", new()
{
Project = @default.Project,
Region = @default.Region,
Name = @default.Name,
Role = "roles/compute.admin",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionBackendServiceIamMember;
import com.pulumi.gcp.compute.RegionBackendServiceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RegionBackendServiceIamMember("member", RegionBackendServiceIamMemberArgs.builder()
.project(default_.project())
.region(default_.region())
.name(default_.name())
.role("roles/compute.admin")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:RegionBackendServiceIamMember
properties:
project: ${default.project}
region: ${default.region}
name: ${default.name}
role: roles/compute.admin
member: user:jane@example.com
The RegionBackendServiceIamMember resource grants a role to one member without replacing existing members. The member property specifies a single identity (user, service account, or group). Multiple RegionBackendServiceIamMember resources can manage the same role, making this approach non-authoritative and composable.
Apply time-based access with IAM Conditions
Access requirements sometimes include expiration dates or other constraints.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/compute.admin",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.compute.RegionBackendServiceIamPolicy("policy", {
project: _default.project,
region: _default.region,
name: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/compute.admin",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.compute.RegionBackendServiceIamPolicy("policy",
project=default["project"],
region=default["region"],
name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/compute.admin",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewRegionBackendServiceIamPolicy(ctx, "policy", &compute.RegionBackendServiceIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Region: pulumi.Any(_default.Region),
Name: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/compute.admin",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Compute.RegionBackendServiceIamPolicy("policy", new()
{
Project = @default.Project,
Region = @default.Region,
Name = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.RegionBackendServiceIamPolicy;
import com.pulumi.gcp.compute.RegionBackendServiceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/compute.admin")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new RegionBackendServiceIamPolicy("policy", RegionBackendServiceIamPolicyArgs.builder()
.project(default_.project())
.region(default_.region())
.name(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:RegionBackendServiceIamPolicy
properties:
project: ${default.project}
region: ${default.region}
name: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/compute.admin
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal or attribute-based logic to role bindings. The expression property uses Common Expression Language (CEL) to define when the binding applies; here, it expires at midnight on 2020-01-01. The title and description provide human-readable context. IAM Conditions work with all three resource types (Policy, Binding, Member) but have known limitations documented by Google Cloud.
Beyond these examples
These snippets focus on specific IAM management features: authoritative and non-authoritative IAM management, and IAM Conditions for time-based access. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as regional backend services, and GCP project and region configuration. They focus on IAM policy configuration rather than provisioning the backend services themselves.
To keep things focused, common IAM patterns are omitted, including:
- Combining Policy with Binding or Member resources (causes conflicts)
- Using Binding and Member for the same role (causes conflicts)
- Custom role definitions and organization-level roles
- IAM Conditions limitations and workarounds
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the RegionBackendServiceIamPolicy resource reference for all available configuration options.
Let's manage GCP Region Backend Service IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Compatibility
Which IAM resource should I use for managing backend service permissions?
Choose based on your needs:
RegionBackendServiceIamPolicysets the entire IAM policy (authoritative, replaces existing policy)RegionBackendServiceIamBindingmanages all members for a specific role (authoritative for that role, preserves other roles)RegionBackendServiceIamMemberadds individual members to a role (non-authoritative, preserves other members)
Can I use multiple IAM resource types together?
RegionBackendServiceIamPolicy cannot be used with RegionBackendServiceIamBinding or RegionBackendServiceIamMember as they will conflict. However, RegionBackendServiceIamBinding and RegionBackendServiceIamMember can be used together if they don’t grant privileges to the same role.Configuration & Setup
How do I generate the policyData for RegionBackendServiceIamPolicy?
Use the
gcp.organizations.getIAMPolicy data source to generate policyData. Pass the resulting policyData output to your RegionBackendServiceIamPolicy resource.How do I add IAM Conditions to restrict access by time or other criteria?
Add a
condition block with title, description, and expression fields to your binding or member resource. Note that IAM Conditions have known limitations that may affect certain use cases.Resource Properties
What properties can't be changed after creation?
The
name, project, and region properties are immutable and cannot be modified after the resource is created.What import formats are supported?
Four formats are supported:
projects/{{project}}/regions/{{region}}/backendServices/{{name}}, {{project}}/{{region}}/{{name}}, {{region}}/{{name}}, or just {{name}}. Variables not provided in the import command are taken from the provider configuration.