The gcp:workstations/workstationConfigIamPolicy:WorkstationConfigIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Cloud Workstations workstation configs. This guide focuses on three approaches: authoritative policy replacement, role-based member management, and incremental member additions.
These resources belong to the Cloud Workstations IAM family. Three related resources serve different use cases: WorkstationConfigIamPolicy replaces the entire policy, WorkstationConfigIamBinding manages all members for a specific role, and WorkstationConfigIamMember adds individual members. The examples are intentionally small. Combine them with your own workstation configs and organizational access patterns.
Replace the entire IAM policy for a workstation config
When you need complete control over access, you can set the entire IAM policy at once, replacing any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.workstations.WorkstationConfigIamPolicy("policy", {
project: _default.project,
location: _default.location,
workstationClusterId: _default.workstationClusterId,
workstationConfigId: _default.workstationConfigId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.workstations.WorkstationConfigIamPolicy("policy",
project=default["project"],
location=default["location"],
workstation_cluster_id=default["workstationClusterId"],
workstation_config_id=default["workstationConfigId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workstations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = workstations.NewWorkstationConfigIamPolicy(ctx, "policy", &workstations.WorkstationConfigIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
WorkstationClusterId: pulumi.Any(_default.WorkstationClusterId),
WorkstationConfigId: pulumi.Any(_default.WorkstationConfigId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Workstations.WorkstationConfigIamPolicy("policy", new()
{
Project = @default.Project,
Location = @default.Location,
WorkstationClusterId = @default.WorkstationClusterId,
WorkstationConfigId = @default.WorkstationConfigId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.workstations.WorkstationConfigIamPolicy;
import com.pulumi.gcp.workstations.WorkstationConfigIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new WorkstationConfigIamPolicy("policy", WorkstationConfigIamPolicyArgs.builder()
.project(default_.project())
.location(default_.location())
.workstationClusterId(default_.workstationClusterId())
.workstationConfigId(default_.workstationConfigId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:workstations:WorkstationConfigIamPolicy
properties:
project: ${default.project}
location: ${default.location}
workstationClusterId: ${default.workstationClusterId}
workstationConfigId: ${default.workstationConfigId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The WorkstationConfigIamPolicy resource is authoritative: it replaces the entire IAM policy with the policyData you provide. The getIAMPolicy data source constructs the policy document from bindings (role-to-members mappings). This approach gives you a single source of truth but cannot be used alongside WorkstationConfigIamBinding or WorkstationConfigIamMember resources, as they would conflict over policy ownership.
Grant a role to multiple members at once
Teams often need to grant the same role to several users while preserving other roles already assigned.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.workstations.WorkstationConfigIamBinding("binding", {
project: _default.project,
location: _default.location,
workstationClusterId: _default.workstationClusterId,
workstationConfigId: _default.workstationConfigId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.workstations.WorkstationConfigIamBinding("binding",
project=default["project"],
location=default["location"],
workstation_cluster_id=default["workstationClusterId"],
workstation_config_id=default["workstationConfigId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workstations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workstations.NewWorkstationConfigIamBinding(ctx, "binding", &workstations.WorkstationConfigIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
WorkstationClusterId: pulumi.Any(_default.WorkstationClusterId),
WorkstationConfigId: pulumi.Any(_default.WorkstationConfigId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Workstations.WorkstationConfigIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
WorkstationClusterId = @default.WorkstationClusterId,
WorkstationConfigId = @default.WorkstationConfigId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workstations.WorkstationConfigIamBinding;
import com.pulumi.gcp.workstations.WorkstationConfigIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new WorkstationConfigIamBinding("binding", WorkstationConfigIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.workstationClusterId(default_.workstationClusterId())
.workstationConfigId(default_.workstationConfigId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:workstations:WorkstationConfigIamBinding
properties:
project: ${default.project}
location: ${default.location}
workstationClusterId: ${default.workstationClusterId}
workstationConfigId: ${default.workstationConfigId}
role: roles/viewer
members:
- user:jane@example.com
The WorkstationConfigIamBinding resource is authoritative for a single role: it sets the complete member list for that role while leaving other roles untouched. The members property accepts a list of identities (users, service accounts, groups). You can use multiple Binding resources for different roles, or combine them with Member resources as long as they don’t target the same role.
Add a single member to a role incrementally
When you need to grant access to one user without affecting other members or roles, you can add individual bindings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.workstations.WorkstationConfigIamMember("member", {
project: _default.project,
location: _default.location,
workstationClusterId: _default.workstationClusterId,
workstationConfigId: _default.workstationConfigId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.workstations.WorkstationConfigIamMember("member",
project=default["project"],
location=default["location"],
workstation_cluster_id=default["workstationClusterId"],
workstation_config_id=default["workstationConfigId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/workstations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := workstations.NewWorkstationConfigIamMember(ctx, "member", &workstations.WorkstationConfigIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
WorkstationClusterId: pulumi.Any(_default.WorkstationClusterId),
WorkstationConfigId: pulumi.Any(_default.WorkstationConfigId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Workstations.WorkstationConfigIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
WorkstationClusterId = @default.WorkstationClusterId,
WorkstationConfigId = @default.WorkstationConfigId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.workstations.WorkstationConfigIamMember;
import com.pulumi.gcp.workstations.WorkstationConfigIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new WorkstationConfigIamMember("member", WorkstationConfigIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.workstationClusterId(default_.workstationClusterId())
.workstationConfigId(default_.workstationConfigId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:workstations:WorkstationConfigIamMember
properties:
project: ${default.project}
location: ${default.location}
workstationClusterId: ${default.workstationClusterId}
workstationConfigId: ${default.workstationConfigId}
role: roles/viewer
member: user:jane@example.com
The WorkstationConfigIamMember resource is non-authoritative: it adds one member to one role without removing other members. The member property specifies a single identity. This approach works well for incremental access grants and can coexist with other Member resources and Binding resources (as long as Bindings don’t manage the same role).
Beyond these examples
These snippets focus on specific IAM policy features: authoritative and incremental policy management, and role-based and member-based access control. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as workstation configs, workstation clusters, and GCP projects and locations. They focus on configuring IAM policies rather than provisioning the workstation infrastructure itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (conditions)
- Audit logging configuration (auditConfigs)
- Custom role definitions
- Service account impersonation
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the WorkstationConfigIamPolicy resource reference for all available configuration options.
Let's manage GCP Cloud Workstations IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
WorkstationConfigIamPolicy cannot be used with WorkstationConfigIamBinding or WorkstationConfigIamMember because they will conflict over the policy state. Use IamPolicy alone for full control, or use IamBinding/IamMember together for incremental management.Choose based on your needs:
WorkstationConfigIamPolicy- Authoritative, replaces the entire IAM policyWorkstationConfigIamBinding- Authoritative for a specific role, preserves other rolesWorkstationConfigIamMember- Non-authoritative, adds a single member without affecting others
WorkstationConfigIamBinding and WorkstationConfigIamMember can only be used together if they manage different roles. Using both for the same role causes conflicts.Configuration & Setup
terraform-provider-google-beta provider.gcp.organizations.getIAMPolicy data source to generate policyData, as shown in the example.Import & Migration
Four formats are supported:
- Full path:
projects/{{project}}/locations/{{location}}/workstationClusters/{{workstation_cluster_id}}/workstationConfigs/{{workstation_config_id}} - Without projects:
{{project}}/{{location}}/{{workstation_cluster_id}}/{{workstation_config_id}} - Without project:
{{location}}/{{workstation_cluster_id}}/{{workstation_config_id}} - Config ID only:
{{workstation_config_id}}