The gcp:secretmanager/regionalSecretIamBinding:RegionalSecretIamBinding resource, part of the Pulumi GCP provider, manages IAM access to regional secrets by granting roles to lists of members. This guide focuses on three capabilities: granting roles to multiple members, adding time-based access with IAM Conditions, and adding individual members non-authoritatively.
These resources reference existing regional secrets and grant access to users, service accounts, or groups. The examples are intentionally small. Combine them with your own secret definitions and organizational identity management.
Grant a role to multiple members at once
When managing secret access, teams often need to grant the same role to multiple users or service accounts simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.secretmanager.RegionalSecretIamBinding("binding", {
project: regional_secret_basic.project,
location: regional_secret_basic.location,
secretId: regional_secret_basic.secretId,
role: "roles/secretmanager.secretAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.secretmanager.RegionalSecretIamBinding("binding",
project=regional_secret_basic["project"],
location=regional_secret_basic["location"],
secret_id=regional_secret_basic["secretId"],
role="roles/secretmanager.secretAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretmanager.NewRegionalSecretIamBinding(ctx, "binding", &secretmanager.RegionalSecretIamBindingArgs{
Project: pulumi.Any(regional_secret_basic.Project),
Location: pulumi.Any(regional_secret_basic.Location),
SecretId: pulumi.Any(regional_secret_basic.SecretId),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.SecretManager.RegionalSecretIamBinding("binding", new()
{
Project = regional_secret_basic.Project,
Location = regional_secret_basic.Location,
SecretId = regional_secret_basic.SecretId,
Role = "roles/secretmanager.secretAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBinding;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RegionalSecretIamBinding("binding", RegionalSecretIamBindingArgs.builder()
.project(regional_secret_basic.project())
.location(regional_secret_basic.location())
.secretId(regional_secret_basic.secretId())
.role("roles/secretmanager.secretAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:secretmanager:RegionalSecretIamBinding
properties:
project: ${["regional-secret-basic"].project}
location: ${["regional-secret-basic"].location}
secretId: ${["regional-secret-basic"].secretId}
role: roles/secretmanager.secretAccessor
members:
- user:jane@example.com
The RegionalSecretIamBinding resource is authoritative for a single role: it replaces the entire member list whenever you update the members property. The role property specifies which permission to grant (here, secretAccessor allows reading secret values). The members array accepts user emails, service account emails, groups, and special identifiers like allAuthenticatedUsers.
Add time-based access with IAM Conditions
Temporary access grants expire automatically when you attach IAM Conditions to bindings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.secretmanager.RegionalSecretIamBinding("binding", {
project: regional_secret_basic.project,
location: regional_secret_basic.location,
secretId: regional_secret_basic.secretId,
role: "roles/secretmanager.secretAccessor",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.secretmanager.RegionalSecretIamBinding("binding",
project=regional_secret_basic["project"],
location=regional_secret_basic["location"],
secret_id=regional_secret_basic["secretId"],
role="roles/secretmanager.secretAccessor",
members=["user:jane@example.com"],
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretmanager.NewRegionalSecretIamBinding(ctx, "binding", &secretmanager.RegionalSecretIamBindingArgs{
Project: pulumi.Any(regional_secret_basic.Project),
Location: pulumi.Any(regional_secret_basic.Location),
SecretId: pulumi.Any(regional_secret_basic.SecretId),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
Condition: &secretmanager.RegionalSecretIamBindingConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.SecretManager.RegionalSecretIamBinding("binding", new()
{
Project = regional_secret_basic.Project,
Location = regional_secret_basic.Location,
SecretId = regional_secret_basic.SecretId,
Role = "roles/secretmanager.secretAccessor",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.SecretManager.Inputs.RegionalSecretIamBindingConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBinding;
import com.pulumi.gcp.secretmanager.RegionalSecretIamBindingArgs;
import com.pulumi.gcp.secretmanager.inputs.RegionalSecretIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RegionalSecretIamBinding("binding", RegionalSecretIamBindingArgs.builder()
.project(regional_secret_basic.project())
.location(regional_secret_basic.location())
.secretId(regional_secret_basic.secretId())
.role("roles/secretmanager.secretAccessor")
.members("user:jane@example.com")
.condition(RegionalSecretIamBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
binding:
type: gcp:secretmanager:RegionalSecretIamBinding
properties:
project: ${["regional-secret-basic"].project}
location: ${["regional-secret-basic"].location}
secretId: ${["regional-secret-basic"].secretId}
role: roles/secretmanager.secretAccessor
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition property accepts a CEL expression that evaluates request context. Here, the expression checks whether the request timestamp is before midnight on January 1, 2020. When the condition evaluates to false, access is denied even though the role binding exists. The title and description fields help identify the condition’s purpose in audit logs.
Add a single member to an existing role
When you need to grant access to one additional user without affecting other members, use RegionalSecretIamMember.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.secretmanager.RegionalSecretIamMember("member", {
project: regional_secret_basic.project,
location: regional_secret_basic.location,
secretId: regional_secret_basic.secretId,
role: "roles/secretmanager.secretAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.secretmanager.RegionalSecretIamMember("member",
project=regional_secret_basic["project"],
location=regional_secret_basic["location"],
secret_id=regional_secret_basic["secretId"],
role="roles/secretmanager.secretAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretmanager.NewRegionalSecretIamMember(ctx, "member", &secretmanager.RegionalSecretIamMemberArgs{
Project: pulumi.Any(regional_secret_basic.Project),
Location: pulumi.Any(regional_secret_basic.Location),
SecretId: pulumi.Any(regional_secret_basic.SecretId),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.SecretManager.RegionalSecretIamMember("member", new()
{
Project = regional_secret_basic.Project,
Location = regional_secret_basic.Location,
SecretId = regional_secret_basic.SecretId,
Role = "roles/secretmanager.secretAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.RegionalSecretIamMember;
import com.pulumi.gcp.secretmanager.RegionalSecretIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RegionalSecretIamMember("member", RegionalSecretIamMemberArgs.builder()
.project(regional_secret_basic.project())
.location(regional_secret_basic.location())
.secretId(regional_secret_basic.secretId())
.role("roles/secretmanager.secretAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:secretmanager:RegionalSecretIamMember
properties:
project: ${["regional-secret-basic"].project}
location: ${["regional-secret-basic"].location}
secretId: ${["regional-secret-basic"].secretId}
role: roles/secretmanager.secretAccessor
member: user:jane@example.com
Unlike RegionalSecretIamBinding, RegionalSecretIamMember is non-authoritative: it adds a single member to a role without replacing existing members. Multiple Member resources can coexist for the same role, making it useful for incremental access grants. The member property accepts a single identity in the same formats as the members array in Binding resources.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control (Binding and Member resources) and time-based access with IAM Conditions. They’re intentionally minimal rather than complete access control policies.
The examples reference pre-existing infrastructure such as regional secrets (referenced but not created). They focus on configuring access rather than provisioning secrets themselves.
To keep things focused, common IAM patterns are omitted, including:
- Full policy replacement (RegionalSecretIamPolicy resource)
- Custom role definitions and formatting
- Federated identity and workload identity pool configuration
- Conflict resolution between Policy, Binding, and Member resources
These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the RegionalSecretIamBinding resource reference for all available configuration options.
Let's manage GCP Secret Manager IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Which IAM resource should I use to manage secret access?
Choose based on your needs:
RegionalSecretIamPolicy for full policy control (replaces entire policy), RegionalSecretIamBinding for managing all members of a specific role (authoritative per role), or RegionalSecretIamMember for adding individual members without affecting others (non-authoritative).Which IAM resources can I use together?
You cannot use
RegionalSecretIamPolicy with RegionalSecretIamBinding or RegionalSecretIamMember, as they will conflict. However, you can use RegionalSecretIamBinding and RegionalSecretIamMember together if they manage different roles.What happens if I use Binding and Member for the same role?
Using
RegionalSecretIamBinding and RegionalSecretIamMember for the same role causes conflicts. Ensure each resource grants privileges to different roles.IAM Configuration
What member identity formats are supported?
Supports
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....How do I specify custom IAM roles?
Custom roles must use the full path format:
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role.What properties can't be changed after creation?
The
location, project, secretId, role, and condition properties are immutable and cannot be modified after the resource is created.IAM Conditions
How do I add time-based or conditional access?
Add a
condition block with title, description, and expression. For example, use expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")" to grant access that expires at a specific time.What are the limitations of IAM Conditions?
IAM Conditions are supported but have known limitations. Review the GCP documentation on IAM Conditions limitations before implementing conditional access policies.
Can I change a condition after creating the binding?
No, the
condition property is immutable. You must recreate the binding to modify conditions.