The gcp:iam/workloadIdentityPoolIamBinding:WorkloadIdentityPoolIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Workload Identity Pools, controlling which identities can access the pool. This guide focuses on three capabilities: authoritative role bindings with multiple members, time-based access with IAM Conditions, and non-authoritative member additions.
Workload Identity Pool IAM resources reference existing pools and grant access to users, service accounts, groups, or federated identities. The examples are intentionally small. Combine them with your own pool configuration and identity management strategy.
Grant a role to multiple members with IamBinding
When you need to grant the same role to multiple users or service accounts, IamBinding provides authoritative control over the complete member list for that role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iam.WorkloadIdentityPoolIamBinding("binding", {
project: example.project,
workloadIdentityPoolId: example.workloadIdentityPoolId,
role: "roles/iam.workloadIdentityPoolViewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iam.WorkloadIdentityPoolIamBinding("binding",
project=example["project"],
workload_identity_pool_id=example["workloadIdentityPoolId"],
role="roles/iam.workloadIdentityPoolViewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iam.NewWorkloadIdentityPoolIamBinding(ctx, "binding", &iam.WorkloadIdentityPoolIamBindingArgs{
Project: pulumi.Any(example.Project),
WorkloadIdentityPoolId: pulumi.Any(example.WorkloadIdentityPoolId),
Role: pulumi.String("roles/iam.workloadIdentityPoolViewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iam.WorkloadIdentityPoolIamBinding("binding", new()
{
Project = example.Project,
WorkloadIdentityPoolId = example.WorkloadIdentityPoolId,
Role = "roles/iam.workloadIdentityPoolViewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPoolIamBinding;
import com.pulumi.gcp.iam.WorkloadIdentityPoolIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new WorkloadIdentityPoolIamBinding("binding", WorkloadIdentityPoolIamBindingArgs.builder()
.project(example.project())
.workloadIdentityPoolId(example.workloadIdentityPoolId())
.role("roles/iam.workloadIdentityPoolViewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:iam:WorkloadIdentityPoolIamBinding
properties:
project: ${example.project}
workloadIdentityPoolId: ${example.workloadIdentityPoolId}
role: roles/iam.workloadIdentityPoolViewer
members:
- user:jane@example.com
The role property specifies which permission set to grant. The members array lists all identities that should have this role; IamBinding replaces any existing members for this role. The workloadIdentityPoolId identifies which pool to configure. This resource is authoritative for the specified role, meaning it owns the complete list of members.
Add time-based access with IAM Conditions
Access requirements sometimes include temporal constraints, such as permissions that expire after a specific date.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iam.WorkloadIdentityPoolIamBinding("binding", {
project: example.project,
workloadIdentityPoolId: example.workloadIdentityPoolId,
role: "roles/iam.workloadIdentityPoolViewer",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iam.WorkloadIdentityPoolIamBinding("binding",
project=example["project"],
workload_identity_pool_id=example["workloadIdentityPoolId"],
role="roles/iam.workloadIdentityPoolViewer",
members=["user:jane@example.com"],
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iam.NewWorkloadIdentityPoolIamBinding(ctx, "binding", &iam.WorkloadIdentityPoolIamBindingArgs{
Project: pulumi.Any(example.Project),
WorkloadIdentityPoolId: pulumi.Any(example.WorkloadIdentityPoolId),
Role: pulumi.String("roles/iam.workloadIdentityPoolViewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
Condition: &iam.WorkloadIdentityPoolIamBindingConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iam.WorkloadIdentityPoolIamBinding("binding", new()
{
Project = example.Project,
WorkloadIdentityPoolId = example.WorkloadIdentityPoolId,
Role = "roles/iam.workloadIdentityPoolViewer",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Iam.Inputs.WorkloadIdentityPoolIamBindingConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPoolIamBinding;
import com.pulumi.gcp.iam.WorkloadIdentityPoolIamBindingArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new WorkloadIdentityPoolIamBinding("binding", WorkloadIdentityPoolIamBindingArgs.builder()
.project(example.project())
.workloadIdentityPoolId(example.workloadIdentityPoolId())
.role("roles/iam.workloadIdentityPoolViewer")
.members("user:jane@example.com")
.condition(WorkloadIdentityPoolIamBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
binding:
type: gcp:iam:WorkloadIdentityPoolIamBinding
properties:
project: ${example.project}
workloadIdentityPoolId: ${example.workloadIdentityPoolId}
role: roles/iam.workloadIdentityPoolViewer
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal logic to the binding. The expression property uses CEL (Common Expression Language) to define when access is valid; here, request.time checks the current timestamp against a deadline. The title and description provide human-readable context. IAM Conditions have known limitations documented by Google Cloud, particularly around certain resource types and permission combinations.
Add a single member to a role with IamMember
When you need to grant access to one identity without affecting other members of the same role, IamMember provides non-authoritative, additive control.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iam.WorkloadIdentityPoolIamMember("member", {
project: example.project,
workloadIdentityPoolId: example.workloadIdentityPoolId,
role: "roles/iam.workloadIdentityPoolViewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iam.WorkloadIdentityPoolIamMember("member",
project=example["project"],
workload_identity_pool_id=example["workloadIdentityPoolId"],
role="roles/iam.workloadIdentityPoolViewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iam.NewWorkloadIdentityPoolIamMember(ctx, "member", &iam.WorkloadIdentityPoolIamMemberArgs{
Project: pulumi.Any(example.Project),
WorkloadIdentityPoolId: pulumi.Any(example.WorkloadIdentityPoolId),
Role: pulumi.String("roles/iam.workloadIdentityPoolViewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iam.WorkloadIdentityPoolIamMember("member", new()
{
Project = example.Project,
WorkloadIdentityPoolId = example.WorkloadIdentityPoolId,
Role = "roles/iam.workloadIdentityPoolViewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPoolIamMember;
import com.pulumi.gcp.iam.WorkloadIdentityPoolIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new WorkloadIdentityPoolIamMember("member", WorkloadIdentityPoolIamMemberArgs.builder()
.project(example.project())
.workloadIdentityPoolId(example.workloadIdentityPoolId())
.role("roles/iam.workloadIdentityPoolViewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:iam:WorkloadIdentityPoolIamMember
properties:
project: ${example.project}
workloadIdentityPoolId: ${example.workloadIdentityPoolId}
role: roles/iam.workloadIdentityPoolViewer
member: user:jane@example.com
The member property specifies a single identity to add to the role. Unlike IamBinding, IamMember is non-authoritative: it adds this member without removing others. You can use multiple IamMember resources for the same role, or combine IamMember with IamBinding as long as they target different roles.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and temporal access constraints. They’re intentionally minimal rather than full identity management solutions.
The examples reference pre-existing infrastructure such as Workload Identity Pools and GCP projects with configured provider. They focus on configuring access rather than provisioning the pools themselves.
To keep things focused, common IAM patterns are omitted, including:
- Full IAM policy management (IamPolicy resource)
- Custom role definitions and formatting
- Federated identity configuration and attribute mapping
- Multiple condition expressions and complex logic
These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the Workload Identity Pool IAM Binding resource reference for all available configuration options.
Let's configure GCP Workload Identity Pool IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
Can I use WorkloadIdentityPoolIamPolicy with WorkloadIdentityPoolIamBinding or WorkloadIdentityPoolIamMember?
No,
WorkloadIdentityPoolIamPolicy cannot be used with WorkloadIdentityPoolIamBinding or WorkloadIdentityPoolIamMember because they will conflict over policy management. Use WorkloadIdentityPoolIamPolicy alone for authoritative control, or use WorkloadIdentityPoolIamBinding/WorkloadIdentityPoolIamMember together.Can I use WorkloadIdentityPoolIamBinding with WorkloadIdentityPoolIamMember?
Yes, but only if they grant different roles. Using both resources for the same role will cause conflicts.
What's the difference between WorkloadIdentityPoolIamPolicy, WorkloadIdentityPoolIamBinding, and WorkloadIdentityPoolIamMember?
WorkloadIdentityPoolIamPolicy is authoritative and replaces the entire IAM policy. WorkloadIdentityPoolIamBinding is authoritative for a specific role but preserves other roles. WorkloadIdentityPoolIamMember is non-authoritative and adds individual members without affecting existing members for that role.IAM Configuration & Member Types
What types of identities can I grant access to in the members property?
You can grant access to:
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, and federated identities using principal identifiers (e.g., principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com).How do I specify custom roles?
Custom roles must use the full format
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.IAM Conditions & Advanced Features
How do I add time-based or attribute-based access restrictions?
Use the
condition property with title, description, and expression fields. For time-based expiration, set expression to something like request.time < timestamp(\"2020-01-01T00:00:00Z\").What limitations exist for IAM Conditions?
IAM Conditions are supported but have known limitations. Review the GCP documentation on IAM Conditions limitations if you encounter issues.
Resource Management & Immutability
What properties can't I change after creating the resource?
The
role, workloadIdentityPoolId, project, and condition properties are immutable and cannot be changed after creation. You must recreate the resource to modify these values.Is this resource production-ready?
This resource is in beta and should be used with the terraform-provider-google-beta provider. Review GCP’s beta resource guidelines before using in production.