The gcp:securitycenter/v2OrganizationSourceIamPolicy:V2OrganizationSourceIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Security Command Center v2 organization sources, controlling who can access and manage security findings. This guide focuses on three approaches: authoritative policy replacement, role-level member binding, and individual member grants.
Security Command Center IAM resources come in three types that serve different use cases. V2OrganizationSourceIamPolicy replaces the entire policy, V2OrganizationSourceIamBinding manages all members for a specific role, and V2OrganizationSourceIamMember adds individual members without affecting others. The examples are intentionally small. Choose the resource type that matches your access control requirements, and note that Policy resources cannot be combined with Binding or Member resources for the same source.
Set complete IAM policy for a source
When you need full control over source permissions, replacing the entire IAM policy ensures no unexpected access remains.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.securitycenter.V2OrganizationSourceIamPolicy("policy", {
source: customSource.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.securitycenter.V2OrganizationSourceIamPolicy("policy",
source=custom_source["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securitycenter"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = securitycenter.NewV2OrganizationSourceIamPolicy(ctx, "policy", &securitycenter.V2OrganizationSourceIamPolicyArgs{
Source: pulumi.Any(customSource.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.SecurityCenter.V2OrganizationSourceIamPolicy("policy", new()
{
Source = customSource.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamPolicy;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new V2OrganizationSourceIamPolicy("policy", V2OrganizationSourceIamPolicyArgs.builder()
.source(customSource.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:securitycenter:V2OrganizationSourceIamPolicy
properties:
source: ${customSource.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The V2OrganizationSourceIamPolicy resource is authoritative: it replaces any existing policy on the source. The policyData property accepts output from gcp.organizations.getIAMPolicy, which defines roles and members in a structured format. This approach gives you complete control but requires listing all intended permissions.
Grant a role to multiple members
When several users need the same access level, binding them to a single role simplifies management.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.securitycenter.V2OrganizationSourceIamBinding("binding", {
source: customSource.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.securitycenter.V2OrganizationSourceIamBinding("binding",
source=custom_source["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securitycenter"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securitycenter.NewV2OrganizationSourceIamBinding(ctx, "binding", &securitycenter.V2OrganizationSourceIamBindingArgs{
Source: pulumi.Any(customSource.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.SecurityCenter.V2OrganizationSourceIamBinding("binding", new()
{
Source = customSource.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamBinding;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new V2OrganizationSourceIamBinding("binding", V2OrganizationSourceIamBindingArgs.builder()
.source(customSource.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:securitycenter:V2OrganizationSourceIamBinding
properties:
source: ${customSource.name}
role: roles/viewer
members:
- user:jane@example.com
The V2OrganizationSourceIamBinding resource is authoritative for one role: it sets the complete member list for that role while preserving other roles in the policy. The members array accepts user, serviceAccount, and group identities. You can use multiple Binding resources for different roles, but each role can only have one Binding resource.
Add a single member to a role
Adding individual users without changing other permissions requires non-authoritative updates.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.securitycenter.V2OrganizationSourceIamMember("member", {
source: customSource.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.securitycenter.V2OrganizationSourceIamMember("member",
source=custom_source["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/securitycenter"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securitycenter.NewV2OrganizationSourceIamMember(ctx, "member", &securitycenter.V2OrganizationSourceIamMemberArgs{
Source: pulumi.Any(customSource.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.SecurityCenter.V2OrganizationSourceIamMember("member", new()
{
Source = customSource.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamMember;
import com.pulumi.gcp.securitycenter.V2OrganizationSourceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new V2OrganizationSourceIamMember("member", V2OrganizationSourceIamMemberArgs.builder()
.source(customSource.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:securitycenter:V2OrganizationSourceIamMember
properties:
source: ${customSource.name}
role: roles/viewer
member: user:jane@example.com
The V2OrganizationSourceIamMember resource adds one member to a role without affecting other members. This is the most granular approach: you can have multiple Member resources for the same role, and they won’t conflict with each other. Use this when you need to grant access incrementally or when different teams manage different users.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative access control, and policy, binding, and member-level configuration. They’re intentionally minimal rather than complete access control solutions.
The examples reference pre-existing infrastructure such as Security Command Center v2 organization sources and IAM principals (users, service accounts, groups). They focus on configuring IAM permissions rather than provisioning the sources themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Custom role definitions and references
- Multiple role assignments in single resource
- IAM policy retrieval (data source usage)
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the V2OrganizationSourceIamPolicy resource reference for all available configuration options.
Let's manage GCP Security Command Center IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
V2OrganizationSourceIamPolicy cannot be used with V2OrganizationSourceIamBinding or V2OrganizationSourceIamMember because they will conflict over the policy state.Resource Selection & Configuration
V2OrganizationSourceIamPolicy is authoritative and replaces the entire policy. V2OrganizationSourceIamBinding is authoritative for a specific role but preserves other roles. V2OrganizationSourceIamMember is non-authoritative and adds individual members without affecting others.gcp.organizations.getIAMPolicy data source with your desired bindings, then pass its policyData output to the resource.Import & Custom Roles
[projects/my-project|organizations/my-org]/roles/my-custom-role instead of just the role name.