The gcp:servicedirectory/namespaceIamBinding:NamespaceIamBinding resource, part of the Pulumi GCP provider, grants a specific IAM role to a list of members on a Service Directory namespace. This resource is authoritative for the specified role: it replaces all existing members for that role while preserving other roles in the namespace’s IAM policy. This guide focuses on one capability: granting a role to multiple members.
NamespaceIamBinding is one of three IAM resources for Service Directory namespaces. NamespaceIamPolicy replaces the entire policy (use with caution). NamespaceIamBinding manages all members for a single role. NamespaceIamMember grants a role to one member at a time. The examples are intentionally small. Combine them with your own namespace and identity management.
Grant a role to multiple members at once
When you need to grant the same role to multiple identities, NamespaceIamBinding manages the complete member list for that role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.servicedirectory.NamespaceIamBinding("binding", {
name: example.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.servicedirectory.NamespaceIamBinding("binding",
name=example["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicedirectory"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := servicedirectory.NewNamespaceIamBinding(ctx, "binding", &servicedirectory.NamespaceIamBindingArgs{
Name: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.ServiceDirectory.NamespaceIamBinding("binding", new()
{
Name = example.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.servicedirectory.NamespaceIamBinding;
import com.pulumi.gcp.servicedirectory.NamespaceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new NamespaceIamBinding("binding", NamespaceIamBindingArgs.builder()
.name(example.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:servicedirectory:NamespaceIamBinding
properties:
name: ${example.name}
role: roles/viewer
members:
- user:jane@example.com
The binding resource is authoritative for the specified role. The members array lists all identities that receive the role; adding or removing members updates the entire list. The name property references the namespace by its resource path, and role specifies the IAM role to grant.
Beyond these examples
These snippets focus on specific IAM binding features: granting a single role to multiple members. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Service Directory namespaces. They focus on configuring IAM bindings rather than provisioning the namespace itself.
To keep things focused, common IAM patterns are omitted, including:
- Policy-level management (NamespaceIamPolicy for full policy control)
- Individual member grants (NamespaceIamMember for single-member additions)
- Conditional IAM bindings (condition property)
- Custom role definitions
These omissions are intentional: the goal is to illustrate how role bindings are wired, not provide drop-in access control modules. See the Service Directory NamespaceIamBinding resource reference for all available configuration options.
Let's configure GCP Service Directory Namespace IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
NamespaceIamPolicy is authoritative and replaces the entire IAM policy. NamespaceIamBinding is authoritative for a specific role, preserving other roles in the policy. NamespaceIamMember is non-authoritative and adds a single member to a role while preserving other members for that role.NamespaceIamPolicy cannot be used with NamespaceIamBinding or NamespaceIamMember because they will conflict over policy control. Choose either Policy (authoritative) or Binding/Member (granular).Configuration & Properties
[projects/my-project|organizations/my-org]/roles/my-custom-role. This is required for imports and all operations.role and name are immutable properties and cannot be changed after creation. You must recreate the resource to change these values.members property supports multiple formats: allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....