Manage GCP Service Directory Namespace IAM Access

The gcp:servicedirectory/namespaceIamMember:NamespaceIamMember resource, part of the Pulumi GCP provider, grants IAM roles to identities on Service Directory namespaces, controlling who can view, edit, or manage namespace resources. This guide focuses on three capabilities: single-member role grants, multi-member role bindings, and full policy replacement.

Service Directory provides three IAM resources that manage the same policy with different levels of authority. NamespaceIamMember adds one identity to a role non-authoritatively, preserving other members. NamespaceIamBinding manages all members for a role authoritatively, replacing the member list. NamespaceIamPolicy replaces the entire policy authoritatively, affecting all roles. Mixing NamespaceIamPolicy with the other two causes conflicts; NamespaceIamBinding and NamespaceIamMember can coexist only if they manage different roles. The examples are intentionally small. Combine them with your own namespace references and identity management.

Grant a role to a single member

Most IAM configurations start by granting a specific role to one identity, preserving existing role assignments for other members.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.servicedirectory.NamespaceIamMember("member", {
    name: example.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.servicedirectory.NamespaceIamMember("member",
    name=example["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicedirectory"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := servicedirectory.NewNamespaceIamMember(ctx, "member", &servicedirectory.NamespaceIamMemberArgs{
			Name:   pulumi.Any(example.Name),
			Role:   pulumi.String("roles/viewer"),
			Member: pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.ServiceDirectory.NamespaceIamMember("member", new()
    {
        Name = example.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.servicedirectory.NamespaceIamMember;
import com.pulumi.gcp.servicedirectory.NamespaceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new NamespaceIamMember("member", NamespaceIamMemberArgs.builder()
            .name(example.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:servicedirectory:NamespaceIamMember
    properties:
      name: ${example.name}
      role: roles/viewer
      member: user:jane@example.com

The member property specifies one identity using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property sets the permission level. This resource is non-authoritative: it adds the member without removing others who already have the role.

Grant a role to multiple members at once

When multiple identities need the same permissions, binding them together ensures they’re managed as a group.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.servicedirectory.NamespaceIamBinding("binding", {
    name: example.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.servicedirectory.NamespaceIamBinding("binding",
    name=example["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicedirectory"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := servicedirectory.NewNamespaceIamBinding(ctx, "binding", &servicedirectory.NamespaceIamBindingArgs{
			Name: pulumi.Any(example.Name),
			Role: pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.ServiceDirectory.NamespaceIamBinding("binding", new()
    {
        Name = example.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.servicedirectory.NamespaceIamBinding;
import com.pulumi.gcp.servicedirectory.NamespaceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new NamespaceIamBinding("binding", NamespaceIamBindingArgs.builder()
            .name(example.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:servicedirectory:NamespaceIamBinding
    properties:
      name: ${example.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The members property takes a list of identities, all receiving the same role. This resource is authoritative for the role: it replaces any existing members with the list you provide. If another identity already has this role, it will be removed unless included in your members list.

Replace the entire IAM policy

Some deployments require complete control over all roles and members, replacing any existing policy.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.servicedirectory.NamespaceIamPolicy("policy", {
    name: example.name,
    policyData: admin.then(admin => admin.policyData),
});

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.servicedirectory.NamespaceIamPolicy("policy",
    name=example["name"],
    policy_data=admin.policy_data)

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicedirectory"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/viewer",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = servicedirectory.NewNamespaceIamPolicy(ctx, "policy", &servicedirectory.NamespaceIamPolicyArgs{
			Name:       pulumi.Any(example.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Role = "roles/viewer",
                Members = new[]
                {
                    "user:jane@example.com",
                },
            },
        },
    });

    var policy = new Gcp.ServiceDirectory.NamespaceIamPolicy("policy", new()
    {
        Name = example.Name,
        PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.servicedirectory.NamespaceIamPolicy;
import com.pulumi.gcp.servicedirectory.NamespaceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/viewer")
                .members("user:jane@example.com")
                .build())
            .build());

        var policy = new NamespaceIamPolicy("policy", NamespaceIamPolicyArgs.builder()
            .name(example.name())
            .policyData(admin.policyData())
            .build());

    }
}

resources:
  policy:
    type: gcp:servicedirectory:NamespaceIamPolicy
    properties:
      name: ${example.name}
      policyData: ${admin.policyData}
variables:
  admin:
    fn::invoke:
      function: gcp:organizations:getIAMPolicy
      arguments:
        bindings:
          - role: roles/viewer
            members:
              - user:jane@example.com

The policyData property accepts a policy document from getIAMPolicy, which defines bindings (role-to-members mappings) for the namespace. This resource is fully authoritative: it replaces the entire IAM policy, affecting all roles. It cannot coexist with NamespaceIamBinding or NamespaceIamMember resources on the same namespace.

Beyond these examples

These snippets focus on specific IAM management features: single-member and multi-member role grants, and full policy replacement. They’re intentionally minimal rather than complete access control configurations.

The examples reference pre-existing infrastructure such as Service Directory namespaces. They focus on granting permissions rather than provisioning the underlying resources.

To keep things focused, common IAM patterns are omitted, including:

  • Conditional IAM bindings (condition property)
  • Custom role definitions
  • Service account creation
  • Namespace provisioning

These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Service Directory NamespaceIamMember resource reference for all available configuration options.

Let's manage GCP Service Directory Namespace IAM Access

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts
What's the difference between NamespaceIamPolicy, NamespaceIamBinding, and NamespaceIamMember?
NamespaceIamPolicy is authoritative and replaces the entire IAM policy. NamespaceIamBinding is authoritative for a specific role, preserving other roles. NamespaceIamMember is non-authoritative, adding a single member while preserving other members for that role.
Can I use these IAM resources together?
NamespaceIamPolicy cannot be used with NamespaceIamBinding or NamespaceIamMember, as they’ll conflict over policy management. However, NamespaceIamBinding and NamespaceIamMember can be used together only if they don’t grant the same role.
Which resource should I use for my use case?
Use NamespaceIamPolicy for complete policy control, NamespaceIamBinding to manage all members for a specific role, or NamespaceIamMember to add individual members without affecting existing ones.
IAM Configuration
What's the format for custom roles?
Custom roles must use the full name format: [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.
What member identity formats are supported?
Supported formats include allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....
Resource Properties
What properties can't be changed after creation?
The member, name, role, and condition properties are all immutable and cannot be modified after the resource is created.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides