The gcp:securitycenter/v2OrganizationSourceIamBinding:V2OrganizationSourceIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Security Command Center v2 organization sources, controlling who can access security findings. This guide focuses on two capabilities: authoritative role assignment to multiple members and non-authoritative single-member grants.
This resource manages permissions for existing SCC sources rather than creating the sources themselves. The examples are intentionally small. Combine them with your own source definitions and organizational IAM structure.
Grant a role to multiple members at once
Security teams often need to assign the same role to multiple users or service accounts simultaneously, such as giving viewer access to an entire team.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.securitycenter.V2OrganizationSourceIamBinding("binding", {
source: customSource.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.securitycenter.V2OrganizationSourceIamBinding("binding",
source=custom_source["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securitycenter"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securitycenter.NewV2OrganizationSourceIamBinding(ctx, "binding", &securitycenter.V2OrganizationSourceIamBindingArgs{
Source: pulumi.Any(customSource.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.SecurityCenter.V2OrganizationSourceIamBinding("binding", new()
{
Source = customSource.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamBinding;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new V2OrganizationSourceIamBinding("binding", V2OrganizationSourceIamBindingArgs.builder()
.source(customSource.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:securitycenter:V2OrganizationSourceIamBinding
properties:
source: ${customSource.name}
role: roles/viewer
members:
- user:jane@example.com
The V2OrganizationSourceIamBinding resource is authoritative for the specified role: it replaces all members for that role with the list you provide. The source property identifies which SCC source to manage, role specifies the IAM role to grant, and members lists all identities that should have that role. Other roles on the same source remain unchanged.
Add individual members without affecting others
When onboarding new team members or granting access to service accounts, you can add one member at a time without modifying existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.securitycenter.V2OrganizationSourceIamMember("member", {
source: customSource.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.securitycenter.V2OrganizationSourceIamMember("member",
source=custom_source["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securitycenter"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securitycenter.NewV2OrganizationSourceIamMember(ctx, "member", &securitycenter.V2OrganizationSourceIamMemberArgs{
Source: pulumi.Any(customSource.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.SecurityCenter.V2OrganizationSourceIamMember("member", new()
{
Source = customSource.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamMember;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new V2OrganizationSourceIamMember("member", V2OrganizationSourceIamMemberArgs.builder()
.source(customSource.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:securitycenter:V2OrganizationSourceIamMember
properties:
source: ${customSource.name}
role: roles/viewer
member: user:jane@example.com
The V2OrganizationSourceIamMember resource is non-authoritative: it adds a single member to a role without affecting other members who already have that role. This approach works well when multiple teams manage access independently, as each can add their own members without coordinating. You can combine V2OrganizationSourceIamMember resources with V2OrganizationSourceIamBinding resources as long as they manage different roles.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Security Command Center v2 organization sources. They focus on configuring IAM bindings rather than provisioning the underlying security infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Full policy replacement (V2OrganizationSourceIamPolicy)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in security modules. See the V2OrganizationSourceIamBinding resource reference for all available configuration options.
Let's configure GCP Security Command Center IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
V2OrganizationSourceIamPolicy is authoritative for the entire IAM policy and replaces any existing policy. V2OrganizationSourceIamBinding is authoritative for a specific role but preserves other roles. V2OrganizationSourceIamMember is non-authoritative and preserves other members for the same role.V2OrganizationSourceIamPolicy cannot be used with V2OrganizationSourceIamBinding or V2OrganizationSourceIamMember because they will conflict over policy control.V2OrganizationSourceIamBinding and V2OrganizationSourceIamMember will conflict if they grant privileges to the same role.V2OrganizationSourceIamPolicy to manage the entire policy authoritatively. Use V2OrganizationSourceIamBinding to manage all members for a specific role. Use V2OrganizationSourceIamMember to add individual members without affecting others.Configuration & Formats
[projects/my-project|organizations/my-org]/roles/my-custom-role. This applies to both configuration and import operations.Supported formats include:
allUsersandallAuthenticatedUsers(special identifiers)user:{email},serviceAccount:{email},group:{email},domain:{domain}projectOwner:{projectid},projectEditor:{projectid},projectViewer:{projectid}- Federated identities (e.g.,
principal://iam.googleapis.com/...)
V2OrganizationSourceIamBinding with the members property set to an array of identity strings, as shown in the binding example with ["user:jane@example.com"].Immutability & Lifecycle
role, organization, source, and condition properties are immutable and will trigger resource replacement if changed.