The gcp:tags/tagValueIamBinding:TagValueIamBinding resource, part of the Pulumi GCP provider, grants a specific IAM role to a list of members on a tag value. It replaces any existing members for that role while preserving other roles in the policy. This guide focuses on two capabilities: multi-member role grants and time-based conditional access.
Bindings reference existing TagValue resources. They cannot be combined with TagValueIamPolicy because both resources authoritatively manage the entire policy, causing conflicts. The examples are intentionally small. Combine them with your own tag hierarchies and member lists.
Grant a role to multiple members at once
When multiple users or service accounts need the same level of access, TagValueIamBinding assigns a role to all members in a single resource.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.tags.TagValueIamBinding("binding", {
tagValue: value.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.tags.TagValueIamBinding("binding",
tag_value=value["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := tags.NewTagValueIamBinding(ctx, "binding", &tags.TagValueIamBindingArgs{
TagValue: pulumi.Any(value.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Tags.TagValueIamBinding("binding", new()
{
TagValue = @value.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.tags.TagValueIamBinding;
import com.pulumi.gcp.tags.TagValueIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TagValueIamBinding("binding", TagValueIamBindingArgs.builder()
.tagValue(value.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:tags:TagValueIamBinding
properties:
tagValue: ${value.name}
role: roles/viewer
members:
- user:jane@example.com
The members array lists all identities that receive the specified role. The binding is authoritative for this role: it replaces any existing members for roles/viewer while leaving other roles untouched. Each member follows GCP’s identity format (user:, serviceAccount:, group:, domain:, or special identifiers like allUsers).
Add time-based access with IAM Conditions
Temporary access grants expire automatically when conditions evaluate to false, eliminating manual cleanup for contractors or time-limited projects.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.tags.TagValueIamBinding("binding", {
tagValue: value.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.tags.TagValueIamBinding("binding",
tag_value=value["name"],
role="roles/viewer",
members=["user:jane@example.com"],
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := tags.NewTagValueIamBinding(ctx, "binding", &tags.TagValueIamBindingArgs{
TagValue: pulumi.Any(value.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
Condition: &tags.TagValueIamBindingConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Tags.TagValueIamBinding("binding", new()
{
TagValue = @value.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Tags.Inputs.TagValueIamBindingConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.tags.TagValueIamBinding;
import com.pulumi.gcp.tags.TagValueIamBindingArgs;
import com.pulumi.gcp.tags.inputs.TagValueIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TagValueIamBinding("binding", TagValueIamBindingArgs.builder()
.tagValue(value.name())
.role("roles/viewer")
.members("user:jane@example.com")
.condition(TagValueIamBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
binding:
type: gcp:tags:TagValueIamBinding
properties:
tagValue: ${value.name}
role: roles/viewer
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds a time constraint to the binding. The expression uses CEL (Common Expression Language) to compare request.time against a timestamp. When the condition becomes false, GCP automatically denies access without requiring you to delete the binding. The title and description document the condition’s purpose for auditing.
Beyond these examples
These snippets focus on specific binding-level features: role-based access control for tag values and time-based conditional access. They’re intentionally minimal rather than full IAM configurations.
The examples reference pre-existing infrastructure such as TagValue resources (via value.name). They focus on configuring the binding rather than creating the tag hierarchy.
To keep things focused, common IAM patterns are omitted, including:
- Policy-level management (TagValueIamPolicy)
- Single-member grants (TagValueIamMember)
- Complex condition expressions (location, resource attributes)
- Custom role definitions
These omissions are intentional: the goal is to illustrate how each binding feature is wired, not provide drop-in access control modules. See the TagValueIamBinding resource reference for all available configuration options.
Let's manage GCP Tag Value IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
gcp.tags.TagValueIamPolicy cannot be used with gcp.tags.TagValueIamBinding or gcp.tags.TagValueIamMember because they will conflict over the IAM policy. Choose one approach: use TagValueIamPolicy for full policy control, or use TagValueIamBinding/TagValueIamMember for granular management.gcp.tags.TagValueIamBinding and gcp.tags.TagValueIamMember will conflict if they both grant privileges to the same role.IAM Roles & Members
The members property supports multiple formats:
- Special identifiers:
allUsers,allAuthenticatedUsers - User accounts:
user:alice@gmail.com - Service accounts:
serviceAccount:my-app@appspot.gserviceaccount.com - Groups:
group:admins@example.com - Domains:
domain:example.com - Project roles:
projectOwner:my-project,projectEditor:my-project,projectViewer:my-project - Federated identities:
principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role. This applies to both configuration and import.IAM Conditions
condition property with title, description, and expression fields. For example, to expire access at a specific time: expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")".Resource Configuration
role, tagValue, and condition properties are immutable and cannot be changed after creation. You must recreate the resource to modify these values.- TagValueIamPolicy: Authoritative, replaces the entire IAM policy
- TagValueIamBinding: Authoritative for a specific role, preserves other roles
- TagValueIamMember: Non-authoritative, adds a single member to a role without affecting other members