Manage GCP Secure Source Manager Repository IAM Bindings

The gcp:securesourcemanager/repositoryIamBinding:RepositoryIamBinding resource, part of the Pulumi GCP provider, manages IAM access for Secure Source Manager repositories by granting roles to members. This guide focuses on three capabilities: role-based access with RepositoryIamBinding, incremental member grants with RepositoryIamMember, and complete policy replacement with RepositoryIamPolicy.

These resources reference existing repositories and require project and location identifiers. The examples are intentionally small. Combine them with your own repository infrastructure and identity management.

Grant a role to multiple members at once

Teams managing repository access often need to grant the same role to multiple users, service accounts, or groups simultaneously.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.securesourcemanager.RepositoryIamBinding("binding", {
    project: _default.project,
    location: _default.location,
    repositoryId: _default.repositoryId,
    role: "roles/securesourcemanager.repoAdmin",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.securesourcemanager.RepositoryIamBinding("binding",
    project=default["project"],
    location=default["location"],
    repository_id=default["repositoryId"],
    role="roles/securesourcemanager.repoAdmin",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securesourcemanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securesourcemanager.NewRepositoryIamBinding(ctx, "binding", &securesourcemanager.RepositoryIamBindingArgs{
			Project:      pulumi.Any(_default.Project),
			Location:     pulumi.Any(_default.Location),
			RepositoryId: pulumi.Any(_default.RepositoryId),
			Role:         pulumi.String("roles/securesourcemanager.repoAdmin"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.SecureSourceManager.RepositoryIamBinding("binding", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        RepositoryId = @default.RepositoryId,
        Role = "roles/securesourcemanager.repoAdmin",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securesourcemanager.RepositoryIamBinding;
import com.pulumi.gcp.securesourcemanager.RepositoryIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new RepositoryIamBinding("binding", RepositoryIamBindingArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .repositoryId(default_.repositoryId())
            .role("roles/securesourcemanager.repoAdmin")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:securesourcemanager:RepositoryIamBinding
    properties:
      project: ${default.project}
      location: ${default.location}
      repositoryId: ${default.repositoryId}
      role: roles/securesourcemanager.repoAdmin
      members:
        - user:jane@example.com

The role property specifies which permission set to grant (e.g., “roles/securesourcemanager.repoAdmin”). The members array lists all identities that receive this role. RepositoryIamBinding is authoritative for its role: it replaces any existing members for that role but preserves other roles in the policy. The repositoryId, location, and project properties identify which repository to configure.

Add a single member to a role incrementally

When you need to add individual users without affecting other members, RepositoryIamMember provides non-authoritative access control.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.securesourcemanager.RepositoryIamMember("member", {
    project: _default.project,
    location: _default.location,
    repositoryId: _default.repositoryId,
    role: "roles/securesourcemanager.repoAdmin",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.securesourcemanager.RepositoryIamMember("member",
    project=default["project"],
    location=default["location"],
    repository_id=default["repositoryId"],
    role="roles/securesourcemanager.repoAdmin",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securesourcemanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securesourcemanager.NewRepositoryIamMember(ctx, "member", &securesourcemanager.RepositoryIamMemberArgs{
			Project:      pulumi.Any(_default.Project),
			Location:     pulumi.Any(_default.Location),
			RepositoryId: pulumi.Any(_default.RepositoryId),
			Role:         pulumi.String("roles/securesourcemanager.repoAdmin"),
			Member:       pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.SecureSourceManager.RepositoryIamMember("member", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        RepositoryId = @default.RepositoryId,
        Role = "roles/securesourcemanager.repoAdmin",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securesourcemanager.RepositoryIamMember;
import com.pulumi.gcp.securesourcemanager.RepositoryIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new RepositoryIamMember("member", RepositoryIamMemberArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .repositoryId(default_.repositoryId())
            .role("roles/securesourcemanager.repoAdmin")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:securesourcemanager:RepositoryIamMember
    properties:
      project: ${default.project}
      location: ${default.location}
      repositoryId: ${default.repositoryId}
      role: roles/securesourcemanager.repoAdmin
      member: user:jane@example.com

The member property specifies a single identity to grant access. Unlike RepositoryIamBinding, this resource is non-authoritative: it adds one member to a role without removing others. You can create multiple RepositoryIamMember resources for the same role, and they coexist without conflict. This approach works well when different teams manage access for different users.

Replace the entire IAM policy with a new definition

Organizations that manage access through centralized policy definitions use RepositoryIamPolicy to set the complete policy in one operation.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/securesourcemanager.repoAdmin",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.securesourcemanager.RepositoryIamPolicy("policy", {
    project: _default.project,
    location: _default.location,
    repositoryId: _default.repositoryId,
    policyData: admin.then(admin => admin.policyData),
});

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/securesourcemanager.repoAdmin",
    "members": ["user:jane@example.com"],
}])
policy = gcp.securesourcemanager.RepositoryIamPolicy("policy",
    project=default["project"],
    location=default["location"],
    repository_id=default["repositoryId"],
    policy_data=admin.policy_data)

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securesourcemanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/securesourcemanager.repoAdmin",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = securesourcemanager.NewRepositoryIamPolicy(ctx, "policy", &securesourcemanager.RepositoryIamPolicyArgs{
			Project:      pulumi.Any(_default.Project),
			Location:     pulumi.Any(_default.Location),
			RepositoryId: pulumi.Any(_default.RepositoryId),
			PolicyData:   pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Role = "roles/securesourcemanager.repoAdmin",
                Members = new[]
                {
                    "user:jane@example.com",
                },
            },
        },
    });

    var policy = new Gcp.SecureSourceManager.RepositoryIamPolicy("policy", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        RepositoryId = @default.RepositoryId,
        PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.securesourcemanager.RepositoryIamPolicy;
import com.pulumi.gcp.securesourcemanager.RepositoryIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/securesourcemanager.repoAdmin")
                .members("user:jane@example.com")
                .build())
            .build());

        var policy = new RepositoryIamPolicy("policy", RepositoryIamPolicyArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .repositoryId(default_.repositoryId())
            .policyData(admin.policyData())
            .build());

    }
}

resources:
  policy:
    type: gcp:securesourcemanager:RepositoryIamPolicy
    properties:
      project: ${default.project}
      location: ${default.location}
      repositoryId: ${default.repositoryId}
      policyData: ${admin.policyData}
variables:
  admin:
    fn::invoke:
      function: gcp:organizations:getIAMPolicy
      arguments:
        bindings:
          - role: roles/securesourcemanager.repoAdmin
            members:
              - user:jane@example.com

The policyData property accepts a complete IAM policy document, typically constructed using the getIAMPolicy data source. The bindings array within the policy defines all roles and their members. RepositoryIamPolicy is fully authoritative: it replaces the entire IAM policy for the repository. This resource cannot be used alongside RepositoryIamBinding or RepositoryIamMember, as they would conflict over policy ownership.

Beyond these examples

These snippets focus on specific IAM management features: role-based bindings and member grants, and complete policy replacement. They’re intentionally minimal rather than full access control systems.

The examples reference pre-existing infrastructure such as Secure Source Manager repositories and GCP projects with configured locations. They focus on configuring IAM access rather than provisioning repositories.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Custom role definitions
Federated identity configuration
Policy conflict resolution between resource types

These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Secure Source Manager RepositoryIamBinding resource reference for all available configuration options.

Let's manage GCP Secure Source Manager Repository IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

Why can't I use RepositoryIamPolicy with RepositoryIamBinding or RepositoryIamMember?

gcp.securesourcemanager.RepositoryIamPolicy is authoritative and replaces the entire IAM policy, so it conflicts with gcp.securesourcemanager.RepositoryIamBinding and gcp.securesourcemanager.RepositoryIamMember. Choose one approach: use Policy for full control, or use Binding/Member for granular management.

Can I use RepositoryIamBinding and RepositoryIamMember together?

Yes, but only if they don’t grant privileges to the same role. Each role must be managed by either Binding or Member resources, not both.

What's the difference between RepositoryIamPolicy, RepositoryIamBinding, and RepositoryIamMember?

RepositoryIamPolicy is authoritative and replaces the entire policy. RepositoryIamBinding is authoritative for a specific role but preserves other roles. RepositoryIamMember is non-authoritative and preserves other members for the role.

IAM Configuration & Roles

How do I specify a custom role?

Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/customRole or organizations/my-org/roles/customRole.

What member identity formats are supported?

You can use: allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, domain:{domain}, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, and federated identities (e.g., principal://iam.googleapis.com/...).

Usage Examples

How do I grant a role to multiple members at once?

Use gcp.securesourcemanager.RepositoryIamBinding with the members array. For example, set role to roles/securesourcemanager.repoAdmin and members to ["user:jane@example.com", "user:john@example.com"].

How do I add a single member to a role without affecting existing members?

Use gcp.securesourcemanager.RepositoryIamMember with the member property set to a single identity, such as user:jane@example.com. This preserves other members already assigned to the role.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides