The gcp:securesourcemanager/repositoryIamBinding:RepositoryIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Secure Source Manager repositories by controlling which members have specific roles. This guide focuses on two capabilities: bulk member assignment to roles and incremental member addition.
IAM bindings reference existing repositories and require valid project and location identifiers. The examples are intentionally small. Combine them with your own repository infrastructure and identity management.
Grant a role to multiple members at once
Teams managing repository access often need to grant the same role to multiple users, service accounts, or groups simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.securesourcemanager.RepositoryIamBinding("binding", {
project: _default.project,
location: _default.location,
repositoryId: _default.repositoryId,
role: "roles/securesourcemanager.repoAdmin",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.securesourcemanager.RepositoryIamBinding("binding",
project=default["project"],
location=default["location"],
repository_id=default["repositoryId"],
role="roles/securesourcemanager.repoAdmin",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securesourcemanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securesourcemanager.NewRepositoryIamBinding(ctx, "binding", &securesourcemanager.RepositoryIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
RepositoryId: pulumi.Any(_default.RepositoryId),
Role: pulumi.String("roles/securesourcemanager.repoAdmin"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.SecureSourceManager.RepositoryIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
RepositoryId = @default.RepositoryId,
Role = "roles/securesourcemanager.repoAdmin",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securesourcemanager.RepositoryIamBinding;
import com.pulumi.gcp.securesourcemanager.RepositoryIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RepositoryIamBinding("binding", RepositoryIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.repositoryId(default_.repositoryId())
.role("roles/securesourcemanager.repoAdmin")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:securesourcemanager:RepositoryIamBinding
properties:
project: ${default.project}
location: ${default.location}
repositoryId: ${default.repositoryId}
role: roles/securesourcemanager.repoAdmin
members:
- user:jane@example.com
The role property specifies which permission set to grant (e.g., “roles/securesourcemanager.repoAdmin”). The members array lists all identities that should have this role. RepositoryIamBinding is authoritative for the specified role: it replaces any existing member list for that role. The repositoryId, location, and project properties identify which repository to configure.
Add a single member to a role incrementally
When onboarding individual users or service accounts, you can grant access without affecting existing members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.securesourcemanager.RepositoryIamMember("member", {
project: _default.project,
location: _default.location,
repositoryId: _default.repositoryId,
role: "roles/securesourcemanager.repoAdmin",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.securesourcemanager.RepositoryIamMember("member",
project=default["project"],
location=default["location"],
repository_id=default["repositoryId"],
role="roles/securesourcemanager.repoAdmin",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securesourcemanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securesourcemanager.NewRepositoryIamMember(ctx, "member", &securesourcemanager.RepositoryIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
RepositoryId: pulumi.Any(_default.RepositoryId),
Role: pulumi.String("roles/securesourcemanager.repoAdmin"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.SecureSourceManager.RepositoryIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
RepositoryId = @default.RepositoryId,
Role = "roles/securesourcemanager.repoAdmin",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securesourcemanager.RepositoryIamMember;
import com.pulumi.gcp.securesourcemanager.RepositoryIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RepositoryIamMember("member", RepositoryIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.repositoryId(default_.repositoryId())
.role("roles/securesourcemanager.repoAdmin")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:securesourcemanager:RepositoryIamMember
properties:
project: ${default.project}
location: ${default.location}
repositoryId: ${default.repositoryId}
role: roles/securesourcemanager.repoAdmin
member: user:jane@example.com
The member property specifies a single identity to add. Unlike RepositoryIamBinding, RepositoryIamMember is non-authoritative: it adds one member without removing others already assigned to the role. This approach works well for incremental access grants where you don’t want to manage the complete member list.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and bulk member assignment vs incremental addition. They’re intentionally minimal rather than full access management solutions.
The examples reference pre-existing infrastructure such as Secure Source Manager repositories and GCP projects with configured locations. They focus on configuring IAM bindings rather than provisioning repositories or identity providers.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (RepositoryIamPolicy resource)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how each binding approach is wired, not provide drop-in access control modules. See the RepositoryIamBinding resource reference for all available configuration options.
Let's manage GCP Secure Source Manager Repository IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
RepositoryIamPolicy is fully authoritative and replaces the entire IAM policy. RepositoryIamBinding is authoritative for a specific role, replacing all members for that role while preserving other roles. RepositoryIamMember is non-authoritative, adding individual members without affecting existing members for the role.RepositoryIamPolicy cannot be used with RepositoryIamBinding or RepositoryIamMember as they will conflict. However, RepositoryIamBinding and RepositoryIamMember can be used together only if they don’t grant privileges to the same role.RepositoryIamPolicy with RepositoryIamBinding or RepositoryIamMember, or when using both RepositoryIamBinding and RepositoryIamMember on the same role. Each role should be managed by only one resource type.IAM Configuration
RepositoryIamBinding with role set to the desired role (e.g., roles/securesourcemanager.repoAdmin) and members containing the identity (e.g., user:jane@example.com or serviceAccount:my-app@appspot.gserviceaccount.com).allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities using principal:// format. See the Principal identifiers documentation for federated identity examples.domain:{domain} in the members array to grant access to all users of a G Suite domain (e.g., domain:example.com). For broader access, use allAuthenticatedUsers for any authenticated Google account.Custom Roles & Advanced Usage
[projects|organizations]/{parent-name}/roles/{role-name}. For example, use projects/my-project/roles/my-custom-role instead of just the role name.role, location, project, repositoryId, and condition properties are immutable and cannot be changed after the resource is created. You must recreate the resource to change these values.