Configure GCP Workforce Pool IAM Bindings

The gcp:iam/workforcePoolIamBinding:WorkforcePoolIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for workforce pools. It grants roles to lists of members while preserving other roles on the pool. This guide focuses on two capabilities: authoritative role binding and non-authoritative member addition.

Workforce pool IAM resources reference existing pools and must not conflict with WorkforcePoolIamPolicy resources, which replace the entire policy. The examples are intentionally small. Combine them with your own workforce pool infrastructure and identity management.

Grant a role to multiple members at once

When multiple users or service accounts need the same permissions on a workforce pool, binding them together ensures consistent access control.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.iam.WorkforcePoolIamBinding("binding", {
    location: example.location,
    workforcePoolId: example.workforcePoolId,
    role: "roles/iam.workforcePoolAdmin",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.iam.WorkforcePoolIamBinding("binding",
    location=example["location"],
    workforce_pool_id=example["workforcePoolId"],
    role="roles/iam.workforcePoolAdmin",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewWorkforcePoolIamBinding(ctx, "binding", &iam.WorkforcePoolIamBindingArgs{
			Location:        pulumi.Any(example.Location),
			WorkforcePoolId: pulumi.Any(example.WorkforcePoolId),
			Role:            pulumi.String("roles/iam.workforcePoolAdmin"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Iam.WorkforcePoolIamBinding("binding", new()
    {
        Location = example.Location,
        WorkforcePoolId = example.WorkforcePoolId,
        Role = "roles/iam.workforcePoolAdmin",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePoolIamBinding;
import com.pulumi.gcp.iam.WorkforcePoolIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new WorkforcePoolIamBinding("binding", WorkforcePoolIamBindingArgs.builder()
            .location(example.location())
            .workforcePoolId(example.workforcePoolId())
            .role("roles/iam.workforcePoolAdmin")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:iam:WorkforcePoolIamBinding
    properties:
      location: ${example.location}
      workforcePoolId: ${example.workforcePoolId}
      role: roles/iam.workforcePoolAdmin
      members:
        - user:jane@example.com

The binding is authoritative for the specified role: it replaces all members currently assigned to that role on the workforce pool. The members array accepts user emails, service accounts, groups, domains, and federated identities. The workforcePoolId and location properties identify which pool to configure.

Add a single member to a role incrementally

Teams that manage access individually can add members one at a time without affecting other members already assigned to the role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.iam.WorkforcePoolIamMember("member", {
    location: example.location,
    workforcePoolId: example.workforcePoolId,
    role: "roles/iam.workforcePoolAdmin",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.iam.WorkforcePoolIamMember("member",
    location=example["location"],
    workforce_pool_id=example["workforcePoolId"],
    role="roles/iam.workforcePoolAdmin",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewWorkforcePoolIamMember(ctx, "member", &iam.WorkforcePoolIamMemberArgs{
			Location:        pulumi.Any(example.Location),
			WorkforcePoolId: pulumi.Any(example.WorkforcePoolId),
			Role:            pulumi.String("roles/iam.workforcePoolAdmin"),
			Member:          pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Iam.WorkforcePoolIamMember("member", new()
    {
        Location = example.Location,
        WorkforcePoolId = example.WorkforcePoolId,
        Role = "roles/iam.workforcePoolAdmin",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePoolIamMember;
import com.pulumi.gcp.iam.WorkforcePoolIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new WorkforcePoolIamMember("member", WorkforcePoolIamMemberArgs.builder()
            .location(example.location())
            .workforcePoolId(example.workforcePoolId())
            .role("roles/iam.workforcePoolAdmin")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:iam:WorkforcePoolIamMember
    properties:
      location: ${example.location}
      workforcePoolId: ${example.workforcePoolId}
      role: roles/iam.workforcePoolAdmin
      member: user:jane@example.com

This approach is non-authoritative: it adds the specified member to the role without removing existing members. Use WorkforcePoolIamMember when you need to grant access incrementally, and WorkforcePoolIamBinding when you want to define the complete member list for a role. The member property accepts the same identity formats as the members array in bindings.

Beyond these examples

These snippets focus on specific workforce pool IAM features: role binding and member assignment, and workforce pool IAM configuration. They’re intentionally minimal rather than full identity management solutions.

The examples reference pre-existing infrastructure such as workforce pools (workforcePoolId) and location configuration. They focus on configuring IAM bindings rather than provisioning the pools themselves.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Policy-level IAM management (WorkforcePoolIamPolicy)
Custom role formatting ([projects|organizations]/{parent}/roles/{name})
Federated identity principals and workload identity

These omissions are intentional: the goal is to illustrate how workforce pool IAM bindings are wired, not provide drop-in identity modules. See the WorkforcePoolIamBinding resource reference for all available configuration options.

Let's configure GCP Workforce Pool IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between WorkforcePoolIamPolicy, WorkforcePoolIamBinding, and WorkforcePoolIamMember?

WorkforcePoolIamPolicy is authoritative and replaces the entire IAM policy. WorkforcePoolIamBinding is authoritative for a specific role, preserving other roles. WorkforcePoolIamMember is non-authoritative, adding a single member while preserving other members for that role.

Can I use WorkforcePoolIamPolicy with WorkforcePoolIamBinding or WorkforcePoolIamMember?

No, these resources will conflict and fight over the policy. Use WorkforcePoolIamPolicy alone for full control, or use WorkforcePoolIamBinding and WorkforcePoolIamMember together (but never WorkforcePoolIamPolicy with the others).

Can I use WorkforcePoolIamBinding and WorkforcePoolIamMember together?

Yes, but only if they don’t grant privileges to the same role. If both resources target the same role, they will conflict.

Configuration & Immutability

What properties can't I change after creating a WorkforcePoolIamBinding?

The location, role, workforcePoolId, and condition properties are immutable and cannot be changed after creation.

How do I specify a custom role?

Custom roles must use the full format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

Identity Management

What types of identities can I add to members?

You can specify users (user:email@example.com), service accounts (serviceAccount:email@example.com), groups (group:email@example.com), domains (domain:example.com), special identifiers (allUsers, allAuthenticatedUsers), project roles (projectOwner:projectid), and federated identities (see Principal identifiers documentation for format).

How do I grant access to everyone on the internet?

Use the special identifier allUsers in the members array to grant access to anyone, with or without a Google account.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides