The gcp:secretmanager/regionalSecretIamBinding:RegionalSecretIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for regional secrets by granting a specific role to a list of members. This guide focuses on three capabilities: granting roles to multiple members, adding individual members non-authoritatively, and applying time-based access with IAM Conditions.
IAM bindings reference existing regional secrets and require IAM Conditions to be enabled for conditional access. The examples are intentionally small. Combine them with your own secret resources and identity management strategy.
Grant a role to multiple members at once
Teams managing access often need to assign the same role to multiple users or service accounts simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.secretmanager.RegionalSecretIamBinding("binding", {
project: regional_secret_basic.project,
location: regional_secret_basic.location,
secretId: regional_secret_basic.secretId,
role: "roles/secretmanager.secretAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.secretmanager.RegionalSecretIamBinding("binding",
project=regional_secret_basic["project"],
location=regional_secret_basic["location"],
secret_id=regional_secret_basic["secretId"],
role="roles/secretmanager.secretAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretmanager.NewRegionalSecretIamBinding(ctx, "binding", &secretmanager.RegionalSecretIamBindingArgs{
Project: pulumi.Any(regional_secret_basic.Project),
Location: pulumi.Any(regional_secret_basic.Location),
SecretId: pulumi.Any(regional_secret_basic.SecretId),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.SecretManager.RegionalSecretIamBinding("binding", new()
{
Project = regional_secret_basic.Project,
Location = regional_secret_basic.Location,
SecretId = regional_secret_basic.SecretId,
Role = "roles/secretmanager.secretAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBinding;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RegionalSecretIamBinding("binding", RegionalSecretIamBindingArgs.builder()
.project(regional_secret_basic.project())
.location(regional_secret_basic.location())
.secretId(regional_secret_basic.secretId())
.role("roles/secretmanager.secretAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:secretmanager:RegionalSecretIamBinding
properties:
project: ${["regional-secret-basic"].project}
location: ${["regional-secret-basic"].location}
secretId: ${["regional-secret-basic"].secretId}
role: roles/secretmanager.secretAccessor
members:
- user:jane@example.com
The RegionalSecretIamBinding resource is authoritative for the specified role, meaning it replaces any existing members for that role. The members array accepts user emails, service accounts, groups, and special identifiers like allAuthenticatedUsers. The secretId, location, and project properties identify which regional secret receives the binding.
Add a single member to an existing role
When onboarding new team members, you often need to add one identity without affecting existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.secretmanager.RegionalSecretIamMember("member", {
project: regional_secret_basic.project,
location: regional_secret_basic.location,
secretId: regional_secret_basic.secretId,
role: "roles/secretmanager.secretAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.secretmanager.RegionalSecretIamMember("member",
project=regional_secret_basic["project"],
location=regional_secret_basic["location"],
secret_id=regional_secret_basic["secretId"],
role="roles/secretmanager.secretAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretmanager.NewRegionalSecretIamMember(ctx, "member", &secretmanager.RegionalSecretIamMemberArgs{
Project: pulumi.Any(regional_secret_basic.Project),
Location: pulumi.Any(regional_secret_basic.Location),
SecretId: pulumi.Any(regional_secret_basic.SecretId),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.SecretManager.RegionalSecretIamMember("member", new()
{
Project = regional_secret_basic.Project,
Location = regional_secret_basic.Location,
SecretId = regional_secret_basic.SecretId,
Role = "roles/secretmanager.secretAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.RegionalSecretIamMember;
import com.pulumi.gcp.secretmanager.RegionalSecretIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RegionalSecretIamMember("member", RegionalSecretIamMemberArgs.builder()
.project(regional_secret_basic.project())
.location(regional_secret_basic.location())
.secretId(regional_secret_basic.secretId())
.role("roles/secretmanager.secretAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:secretmanager:RegionalSecretIamMember
properties:
project: ${["regional-secret-basic"].project}
location: ${["regional-secret-basic"].location}
secretId: ${["regional-secret-basic"].secretId}
role: roles/secretmanager.secretAccessor
member: user:jane@example.com
The RegionalSecretIamMember resource is non-authoritative, meaning it adds a single member to a role without removing others. This approach works well when multiple teams manage access independently. Use member (singular) instead of members (plural) to specify the identity.
Apply time-based access with IAM Conditions
Temporary access grants, such as contractor permissions, require conditions that automatically expire.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.secretmanager.RegionalSecretIamBinding("binding", {
project: regional_secret_basic.project,
location: regional_secret_basic.location,
secretId: regional_secret_basic.secretId,
role: "roles/secretmanager.secretAccessor",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.secretmanager.RegionalSecretIamBinding("binding",
project=regional_secret_basic["project"],
location=regional_secret_basic["location"],
secret_id=regional_secret_basic["secretId"],
role="roles/secretmanager.secretAccessor",
members=["user:jane@example.com"],
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretmanager.NewRegionalSecretIamBinding(ctx, "binding", &secretmanager.RegionalSecretIamBindingArgs{
Project: pulumi.Any(regional_secret_basic.Project),
Location: pulumi.Any(regional_secret_basic.Location),
SecretId: pulumi.Any(regional_secret_basic.SecretId),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
Condition: &secretmanager.RegionalSecretIamBindingConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.SecretManager.RegionalSecretIamBinding("binding", new()
{
Project = regional_secret_basic.Project,
Location = regional_secret_basic.Location,
SecretId = regional_secret_basic.SecretId,
Role = "roles/secretmanager.secretAccessor",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.SecretManager.Inputs.RegionalSecretIamBindingConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBinding;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBindingArgs;
import com.pulumi.gcp.secretmanager.inputs.RegionalSecretIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RegionalSecretIamBinding("binding", RegionalSecretIamBindingArgs.builder()
.project(regional_secret_basic.project())
.location(regional_secret_basic.location())
.secretId(regional_secret_basic.secretId())
.role("roles/secretmanager.secretAccessor")
.members("user:jane@example.com")
.condition(RegionalSecretIamBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
binding:
type: gcp:secretmanager:RegionalSecretIamBinding
properties:
project: ${["regional-secret-basic"].project}
location: ${["regional-secret-basic"].location}
secretId: ${["regional-secret-basic"].secretId}
role: roles/secretmanager.secretAccessor
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal constraints to role bindings. The expression property uses Common Expression Language (CEL) to define when access is valid. Here, request.time < timestamp(“2020-01-01T00:00:00Z”) grants access until midnight on December 31, 2019. The title and description properties document the condition’s purpose.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control (binding vs member) and IAM Conditions for time-based access. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as regional secrets (referenced but not created) and GCP projects with IAM Conditions enabled. They focus on configuring access rather than provisioning secrets or managing projects.
To keep things focused, common IAM patterns are omitted, including:
- Policy-level management (RegionalSecretIamPolicy)
- Custom role definitions and formatting
- Federated identity and workload identity principals
- Conflict resolution between Policy, Binding, and Member resources
These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the Regional Secret IAM Binding resource reference for all available configuration options.
Let's manage GCP Secret Manager IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
What's the difference between RegionalSecretIamPolicy, RegionalSecretIamBinding, and RegionalSecretIamMember?
RegionalSecretIamPolicy is authoritative and replaces the entire IAM policy. RegionalSecretIamBinding is authoritative for a specific role, managing all members for that role while preserving other roles. RegionalSecretIamMember is non-authoritative, adding individual members without affecting other members for the same role.Can I use multiple IAM resource types together?
RegionalSecretIamPolicy cannot be used with RegionalSecretIamBinding or RegionalSecretIamMember as they will conflict. However, RegionalSecretIamBinding and RegionalSecretIamMember can be used together only if they don’t grant privileges to the same role.Why am I getting IAM policy conflicts?
You’re likely mixing
RegionalSecretIamPolicy with RegionalSecretIamBinding or RegionalSecretIamMember, or using RegionalSecretIamBinding and RegionalSecretIamMember for the same role. Choose one approach or ensure different roles are targeted.IAM Configuration & Members
What member identity formats are supported?
Multiple formats are supported:
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities (e.g., principal://iam.googleapis.com/...).How do I specify a custom IAM role?
Custom roles must use the format
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.Can I use multiple RegionalSecretIamBinding resources for the same secret?
Yes, but only one
RegionalSecretIamBinding per role. Each binding manages all members for a specific role, so you can have multiple bindings for different roles on the same secret.Conditions & Advanced Features
How do I add time-based or conditional access restrictions?
Use the
condition property with title, description, and expression fields. For example, to expire access: expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")".What are the limitations of IAM Conditions?
IAM Conditions have known limitations documented by Google Cloud. Review the limitations before implementing conditions, as they may affect certain use cases or configurations.
Resource Properties & Immutability
What properties can't be changed after creation?
The following properties are immutable:
location, role, secretId, project, and condition. Changing any of these requires recreating the resource.What location format should I use?
Use a regional location identifier like
us-central1. The location specifies where the regional secret is stored and must match the secret’s location.