The gcp:compute/subnetworkIAMPolicy:SubnetworkIAMPolicy resource, part of the Pulumi GCP provider, controls IAM permissions on VPC subnetworks, determining which identities can use the subnetwork for VM instances and other resources. This guide focuses on four capabilities: authoritative policy replacement (SubnetworkIAMPolicy), role-level member management (SubnetworkIAMBinding), single-member grants (SubnetworkIAMMember), and time-bound access with IAM Conditions.
These resources reference existing VPC subnetworks by name, project, and region. The examples are intentionally small. Combine them with your own subnetwork infrastructure and identity management strategy.
Replace the entire IAM policy for a subnetwork
When you need complete control over subnetwork access, SubnetworkIAMPolicy replaces the entire IAM policy with your specified bindings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/compute.networkUser",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.compute.SubnetworkIAMPolicy("policy", {
project: network_with_private_secondary_ip_ranges.project,
region: network_with_private_secondary_ip_ranges.region,
subnetwork: network_with_private_secondary_ip_ranges.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/compute.networkUser",
"members": ["user:jane@example.com"],
}])
policy = gcp.compute.SubnetworkIAMPolicy("policy",
project=network_with_private_secondary_ip_ranges["project"],
region=network_with_private_secondary_ip_ranges["region"],
subnetwork=network_with_private_secondary_ip_ranges["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/compute.networkUser",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewSubnetworkIAMPolicy(ctx, "policy", &compute.SubnetworkIAMPolicyArgs{
Project: pulumi.Any(network_with_private_secondary_ip_ranges.Project),
Region: pulumi.Any(network_with_private_secondary_ip_ranges.Region),
Subnetwork: pulumi.Any(network_with_private_secondary_ip_ranges.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/compute.networkUser",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Compute.SubnetworkIAMPolicy("policy", new()
{
Project = network_with_private_secondary_ip_ranges.Project,
Region = network_with_private_secondary_ip_ranges.Region,
Subnetwork = network_with_private_secondary_ip_ranges.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.SubnetworkIAMPolicy;
import com.pulumi.gcp.compute.SubnetworkIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/compute.networkUser")
.members("user:jane@example.com")
.build())
.build());
var policy = new SubnetworkIAMPolicy("policy", SubnetworkIAMPolicyArgs.builder()
.project(network_with_private_secondary_ip_ranges.project())
.region(network_with_private_secondary_ip_ranges.region())
.subnetwork(network_with_private_secondary_ip_ranges.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:SubnetworkIAMPolicy
properties:
project: ${["network-with-private-secondary-ip-ranges"].project}
region: ${["network-with-private-secondary-ip-ranges"].region}
subnetwork: ${["network-with-private-secondary-ip-ranges"].name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/compute.networkUser
members:
- user:jane@example.com
SubnetworkIAMPolicy is authoritative: it removes any existing bindings not in your configuration. The policyData comes from getIAMPolicy, which defines bindings as role-member pairs. Use this when you want to ensure no unexpected permissions exist, but be aware it conflicts with SubnetworkIAMBinding and SubnetworkIAMMember on the same subnetwork.
Set time-bound access with IAM Conditions
IAM Conditions grant temporary access that expires automatically, useful for contractor access or time-limited projects.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/compute.networkUser",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.compute.SubnetworkIAMPolicy("policy", {
project: network_with_private_secondary_ip_ranges.project,
region: network_with_private_secondary_ip_ranges.region,
subnetwork: network_with_private_secondary_ip_ranges.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/compute.networkUser",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.compute.SubnetworkIAMPolicy("policy",
project=network_with_private_secondary_ip_ranges["project"],
region=network_with_private_secondary_ip_ranges["region"],
subnetwork=network_with_private_secondary_ip_ranges["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/compute.networkUser",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewSubnetworkIAMPolicy(ctx, "policy", &compute.SubnetworkIAMPolicyArgs{
Project: pulumi.Any(network_with_private_secondary_ip_ranges.Project),
Region: pulumi.Any(network_with_private_secondary_ip_ranges.Region),
Subnetwork: pulumi.Any(network_with_private_secondary_ip_ranges.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/compute.networkUser",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Compute.SubnetworkIAMPolicy("policy", new()
{
Project = network_with_private_secondary_ip_ranges.Project,
Region = network_with_private_secondary_ip_ranges.Region,
Subnetwork = network_with_private_secondary_ip_ranges.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.SubnetworkIAMPolicy;
import com.pulumi.gcp.compute.SubnetworkIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/compute.networkUser")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new SubnetworkIAMPolicy("policy", SubnetworkIAMPolicyArgs.builder()
.project(network_with_private_secondary_ip_ranges.project())
.region(network_with_private_secondary_ip_ranges.region())
.subnetwork(network_with_private_secondary_ip_ranges.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:SubnetworkIAMPolicy
properties:
project: ${["network-with-private-secondary-ip-ranges"].project}
region: ${["network-with-private-secondary-ip-ranges"].region}
subnetwork: ${["network-with-private-secondary-ip-ranges"].name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/compute.networkUser
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal constraints to IAM bindings. The expression uses CEL (Common Expression Language) to compare request.time against a timestamp. The title and description document the condition’s purpose. This extends the basic policy pattern with automatic expiration, eliminating manual cleanup.
Grant a role to multiple members at once
SubnetworkIAMBinding manages all members for a single role while preserving other roles on the subnetwork.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.compute.SubnetworkIAMBinding("binding", {
project: network_with_private_secondary_ip_ranges.project,
region: network_with_private_secondary_ip_ranges.region,
subnetwork: network_with_private_secondary_ip_ranges.name,
role: "roles/compute.networkUser",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.compute.SubnetworkIAMBinding("binding",
project=network_with_private_secondary_ip_ranges["project"],
region=network_with_private_secondary_ip_ranges["region"],
subnetwork=network_with_private_secondary_ip_ranges["name"],
role="roles/compute.networkUser",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewSubnetworkIAMBinding(ctx, "binding", &compute.SubnetworkIAMBindingArgs{
Project: pulumi.Any(network_with_private_secondary_ip_ranges.Project),
Region: pulumi.Any(network_with_private_secondary_ip_ranges.Region),
Subnetwork: pulumi.Any(network_with_private_secondary_ip_ranges.Name),
Role: pulumi.String("roles/compute.networkUser"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Compute.SubnetworkIAMBinding("binding", new()
{
Project = network_with_private_secondary_ip_ranges.Project,
Region = network_with_private_secondary_ip_ranges.Region,
Subnetwork = network_with_private_secondary_ip_ranges.Name,
Role = "roles/compute.networkUser",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.SubnetworkIAMBinding;
import com.pulumi.gcp.compute.SubnetworkIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new SubnetworkIAMBinding("binding", SubnetworkIAMBindingArgs.builder()
.project(network_with_private_secondary_ip_ranges.project())
.region(network_with_private_secondary_ip_ranges.region())
.subnetwork(network_with_private_secondary_ip_ranges.name())
.role("roles/compute.networkUser")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:compute:SubnetworkIAMBinding
properties:
project: ${["network-with-private-secondary-ip-ranges"].project}
region: ${["network-with-private-secondary-ip-ranges"].region}
subnetwork: ${["network-with-private-secondary-ip-ranges"].name}
role: roles/compute.networkUser
members:
- user:jane@example.com
SubnetworkIAMBinding is authoritative for one role: it replaces all members for that role but leaves other roles untouched. The members array lists all identities that should have this role. You can combine multiple SubnetworkIAMBinding resources for different roles, or mix with SubnetworkIAMMember as long as they don’t target the same role.
Add a single member to a role non-authoritatively
SubnetworkIAMMember adds one member to a role without affecting other members, making it safe to use alongside other IAM resources.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.SubnetworkIAMMember("member", {
project: network_with_private_secondary_ip_ranges.project,
region: network_with_private_secondary_ip_ranges.region,
subnetwork: network_with_private_secondary_ip_ranges.name,
role: "roles/compute.networkUser",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.SubnetworkIAMMember("member",
project=network_with_private_secondary_ip_ranges["project"],
region=network_with_private_secondary_ip_ranges["region"],
subnetwork=network_with_private_secondary_ip_ranges["name"],
role="roles/compute.networkUser",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewSubnetworkIAMMember(ctx, "member", &compute.SubnetworkIAMMemberArgs{
Project: pulumi.Any(network_with_private_secondary_ip_ranges.Project),
Region: pulumi.Any(network_with_private_secondary_ip_ranges.Region),
Subnetwork: pulumi.Any(network_with_private_secondary_ip_ranges.Name),
Role: pulumi.String("roles/compute.networkUser"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.SubnetworkIAMMember("member", new()
{
Project = network_with_private_secondary_ip_ranges.Project,
Region = network_with_private_secondary_ip_ranges.Region,
Subnetwork = network_with_private_secondary_ip_ranges.Name,
Role = "roles/compute.networkUser",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.SubnetworkIAMMember;
import com.pulumi.gcp.compute.SubnetworkIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new SubnetworkIAMMember("member", SubnetworkIAMMemberArgs.builder()
.project(network_with_private_secondary_ip_ranges.project())
.region(network_with_private_secondary_ip_ranges.region())
.subnetwork(network_with_private_secondary_ip_ranges.name())
.role("roles/compute.networkUser")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:SubnetworkIAMMember
properties:
project: ${["network-with-private-secondary-ip-ranges"].project}
region: ${["network-with-private-secondary-ip-ranges"].region}
subnetwork: ${["network-with-private-secondary-ip-ranges"].name}
role: roles/compute.networkUser
member: user:jane@example.com
SubnetworkIAMMember is non-authoritative: it adds one member without removing others. The member property specifies a single identity (user, serviceAccount, group, or domain). This is the safest option when multiple teams manage access to the same subnetwork, since it won’t conflict with other SubnetworkIAMMember resources or SubnetworkIAMBinding resources for different roles.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative IAM management and IAM Conditions for time-bound access. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as VPC subnetworks (by name, project, and region). They focus on configuring IAM permissions rather than provisioning the underlying network resources.
To keep things focused, common IAM patterns are omitted, including:
- Custom role definitions and management
- Service account creation and binding
- Combining SubnetworkIAMBinding with SubnetworkIAMMember safely
- IAM Conditions limitations and workarounds
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Subnetwork IAM Policy resource reference for all available configuration options.
Let's manage GCP Subnetwork IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Can I use SubnetworkIAMPolicy with SubnetworkIAMBinding or SubnetworkIAMMember?
No,
gcp.compute.SubnetworkIAMPolicy cannot be used together with gcp.compute.SubnetworkIAMBinding or gcp.compute.SubnetworkIAMMember because they will conflict over the policy configuration.Can I use SubnetworkIAMBinding and SubnetworkIAMMember together?
Yes, but only if they don’t grant privileges to the same role. Using both resources for the same role will cause conflicts.
What's the difference between SubnetworkIAMPolicy, SubnetworkIAMBinding, and SubnetworkIAMMember?
SubnetworkIAMPolicy is authoritative and replaces the entire IAM policy. SubnetworkIAMBinding is authoritative for a specific role, preserving other roles in the policy. SubnetworkIAMMember is non-authoritative, adding a single member to a role while preserving other members for that role.Which IAM resource should I use for my subnetwork?
Use
SubnetworkIAMPolicy for complete policy control, SubnetworkIAMBinding to manage all members for specific roles, or SubnetworkIAMMember to add individual members without affecting existing ones.IAM Conditions
How do I add IAM Conditions to my subnetwork policy?
Add a
condition block with title, description, and expression fields to your SubnetworkIAMBinding or SubnetworkIAMMember resource. For example: expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")".Are there limitations when using IAM Conditions?
Yes, IAM Conditions have known limitations. Review the GCP documentation on IAM Conditions limitations if you encounter issues.
Configuration & Import
What import formats are supported for subnetwork IAM resources?
You can import using
projects/{{project}}/regions/{{region}}/subnetworks/{{name}}, {{project}}/{{region}}/{{name}}, {{region}}/{{name}}, or just {{name}}. Any variables not specified in the import command are taken from the provider configuration.