Account Iam Policy
Three different resources help you manage IAM policies on billing accounts. Each of these resources serves a different use case:
- gcp.billing.AccountIamPolicy: Authoritative. Sets the IAM policy for the billing account and replaces any existing policy already attached.
- gcp.billing.AccountIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the billing account are preserved.
- gcp.billing.AccountIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role of the billing account are preserved.
Note: gcp.billing.AccountIamPolicy cannot be used in conjunction with gcp.billing.AccountIamBinding and gcp.billing.AccountIamMember, or they will fight over what your policy should be. In addition, be careful not to accidentally unset ownership of the billing account, as gcp.billing.AccountIamPolicy replaces the entire policy.
Note: gcp.billing.AccountIamBinding resources can be used in conjunction with gcp.billing.AccountIamMember resources only if they do not grant privilege to the same role.
google_billing_account_iam_policy
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The single binding that becomes the whole policy document:
// roles/billing.viewer for one user principal.
const viewerBinding = {
    role: "roles/billing.viewer",
    members: ["user:jane@example.com"],
};

// Turn the binding into a policy document via the organizations.getIAMPolicy data source.
const admin = gcp.organizations.getIAMPolicy({ bindings: [viewerBinding] });

// Authoritative: AccountIamPolicy replaces the billing account's entire IAM policy with
// the document above. Any binding not listed in it (including existing ownership grants)
// is removed on apply, so review the member list before deploying.
const editor = new gcp.billing.AccountIamPolicy("editor", {
    billingAccountId: "00AA00-000AAA-00AA0A",
    policyData: admin.then(result => result.policyData),
});
import pulumi
import pulumi_gcp as gcp

# The single binding that becomes the whole policy document:
# roles/billing.viewer for one user principal.
viewer_binding = gcp.organizations.GetIAMPolicyBindingArgs(
    role="roles/billing.viewer",
    members=["user:jane@example.com"],
)

# Turn the binding into a policy document via the organizations get_iam_policy data source.
admin = gcp.organizations.get_iam_policy(bindings=[viewer_binding])

# Authoritative: AccountIamPolicy replaces the billing account's entire IAM policy with
# the document above. Any binding not listed in it (including existing ownership grants)
# is removed on apply, so review the member list before deploying.
editor = gcp.billing.AccountIamPolicy(
    "editor",
    billing_account_id="00AA00-000AAA-00AA0A",
    policy_data=admin.policy_data,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // The single binding that becomes the whole policy document:
    // roles/billing.viewer for one user principal.
    var viewerBinding = new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
    {
        Role = "roles/billing.viewer",
        Members = new[] { "user:jane@example.com" },
    };

    // Turn the binding into a policy document via the organizations GetIAMPolicy data source.
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[] { viewerBinding },
    });

    // Authoritative: AccountIamPolicy replaces the billing account's entire IAM policy with
    // the document above. Any binding not listed in it (including existing ownership grants)
    // is removed on apply, so review the member list before deploying.
    var editor = new Gcp.Billing.AccountIamPolicy("editor", new()
    {
        BillingAccountId = "00AA00-000AAA-00AA0A",
        PolicyData = admin.Apply(result => result.PolicyData),
    });
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/billing"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
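// main runs a Pulumi program that sets the IAM policy of one billing account
// authoritatively: the policy document is built from a single binding
// (roles/billing.viewer for one user principal) and then replaces whatever
// policy the billing account currently has.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Turn the binding into a policy document via the organizations
		// LookupIAMPolicy data source.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role:    "roles/billing.viewer",
					Members: []string{"user:jane@example.com"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}

		// Authoritative: AccountIamPolicy replaces the billing account's entire IAM
		// policy with admin.PolicyData. Any binding not listed in it (including
		// existing ownership grants) is removed on apply.
		//
		// pulumi.String(...) is a plain string value type that already satisfies
		// StringInput; it is neither a pointer nor addressable, so it must not be
		// dereferenced with `*` (that does not compile).
		_, err = billing.NewAccountIamPolicy(ctx, "editor", &billing.AccountIamPolicyArgs{
			BillingAccountId: pulumi.String("00AA00-000AAA-00AA0A"),
			PolicyData:       pulumi.String(admin.PolicyData),
		})
		// err is nil on success, so returning it directly covers both cases.
		return err
	})
}
package generated_program;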
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyBindingArgs;
import com.pulumi.gcp.billing.AccountIamPolicy;
import com.pulumi.gcp.billing.AccountIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that sets the IAM policy of one billing account authoritatively.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: builds a policy document from a single binding
     * (roles/billing.viewer for one user principal) and applies it to the
     * billing account, replacing whatever policy is currently attached.
     *
     * @param ctx the Pulumi context for this stack
     */
    public static void stack(Context ctx) {
        // GetIAMPolicyBindingArgs must be imported alongside GetIAMPolicyArgs
        // for this builder chain to compile.
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/billing.viewer")
                .members("user:jane@example.com")
                .build())
            .build());

        // Authoritative: AccountIamPolicy replaces the billing account's entire IAM
        // policy with the document above. Any binding not listed in it (including
        // existing ownership grants) is removed on apply.
        var editor = new AccountIamPolicy("editor", AccountIamPolicyArgs.builder()
            .billingAccountId("00AA00-000AAA-00AA0A")
            .policyData(admin.applyValue(getIAMPolicyResult -> getIAMPolicyResult.policyData()))
            .build());
    }
}
resources:
# Pulumi YAML form of the same program: the billing account's entire IAM policy is
# replaced by the document produced by the getIAMPolicy invoke below.
  editor:
    type: gcp:billing:AccountIamPolicy
    properties:
      billingAccountId: 00AA00-000AAA-00AA0A
      # Authoritative: any binding not present in this document (including existing
      # ownership grants) is removed on apply.
      policyData: ${admin.policyData}
variables:
  admin:
    fn::invoke:
      Function: gcp:organizations:getIAMPolicy
      Arguments:
        bindings:
          # Single binding: roles/billing.viewer for one user principal.
          - role: roles/billing.viewer
            members:
              - user:jane@example.com
google\_billing\_account\_iam\_binding
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Authoritative for one role only: after apply, the principals listed here are the
// ones this binding grants roles/billing.viewer to on the billing account; bindings
// for other roles in the policy are left untouched.
const viewerMembers = ["user:jane@example.com"];

const editor = new gcp.billing.AccountIamBinding("editor", {
    billingAccountId: "00AA00-000AAA-00AA0A",
    members: viewerMembers,
    role: "roles/billing.viewer",
});
import pulumi
import pulumi_gcp as gcp

# Authoritative for one role only: after apply, the principals listed here are the
# ones this binding grants roles/billing.viewer to on the billing account; bindings
# for other roles in the policy are left untouched.
viewer_members = ["user:jane@example.com"]

editor = gcp.billing.AccountIamBinding(
    "editor",
    billing_account_id="00AA00-000AAA-00AA0A",
    members=viewer_members,
    role="roles/billing.viewer",
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Authoritative for one role only: after apply, the principals listed here are the
    // ones this binding grants roles/billing.viewer to on the billing account; bindings
    // for other roles in the policy are left untouched.
    var bindingArgs = new Gcp.Billing.AccountIamBindingArgs
    {
        BillingAccountId = "00AA00-000AAA-00AA0A",
        Members = new[] { "user:jane@example.com" },
        Role = "roles/billing.viewer",
    };

    var editor = new Gcp.Billing.AccountIamBinding("editor", bindingArgs);
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/billing"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that manages one role binding on a billing account.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Authoritative for one role only: after apply, the principals listed here
		// are the ones this binding grants roles/billing.viewer to on the billing
		// account; bindings for other roles in the policy are left untouched.
		bindingArgs := &billing.AccountIamBindingArgs{
			BillingAccountId: pulumi.String("00AA00-000AAA-00AA0A"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Role: pulumi.String("roles/billing.viewer"),
		}
		if _, err := billing.NewAccountIamBinding(ctx, "editor", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.billing.AccountIamBinding;
import com.pulumi.gcp.billing.AccountIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that manages one role binding on a billing account.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: an AccountIamBinding that is authoritative for one role.
     * After apply, the listed members are the ones this binding grants
     * roles/billing.viewer to; bindings for other roles are left untouched.
     *
     * @param ctx the Pulumi context for this stack
     */
    public static void stack(Context ctx) {
        var editor = new AccountIamBinding("editor", AccountIamBindingArgs.builder()
            .billingAccountId("00AA00-000AAA-00AA0A")
            .members("user:jane@example.com")
            .role("roles/billing.viewer")
            .build());
    }
}
resources:
# Pulumi YAML form of the same binding.
  editor:
    type: gcp:billing:AccountIamBinding
    properties:
      billingAccountId: 00AA00-000AAA-00AA0A
      # Authoritative for this role only: the listed members are the ones granted
      # roles/billing.viewer by this binding; other roles in the policy are untouched.
      members:
        - user:jane@example.com
      role: roles/billing.viewer
google\_billing\_account\_iam\_member
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Non-authoritative: grants roles/billing.viewer to one additional principal on the
// billing account; other members already holding that role are preserved.
const viewerGrant = {
    billingAccountId: "00AA00-000AAA-00AA0A",
    member: "user:jane@example.com",
    role: "roles/billing.viewer",
};

const editor = new gcp.billing.AccountIamMember("editor", viewerGrant);
import pulumi
import pulumi_gcp as gcp

# Non-authoritative: grants roles/billing.viewer to one additional principal on the
# billing account; other members already holding that role are preserved.
account_id = "00AA00-000AAA-00AA0A"
viewer_role = "roles/billing.viewer"

editor = gcp.billing.AccountIamMember(
    "editor",
    billing_account_id=account_id,
    member="user:jane@example.com",
    role=viewer_role,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Non-authoritative: grants roles/billing.viewer to one additional principal on the
    // billing account; other members already holding that role are preserved.
    var memberArgs = new Gcp.Billing.AccountIamMemberArgs
    {
        BillingAccountId = "00AA00-000AAA-00AA0A",
        Member = "user:jane@example.com",
        Role = "roles/billing.viewer",
    };

    var editor = new Gcp.Billing.AccountIamMember("editor", memberArgs);
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/billing"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that grants one role to one principal on a billing account.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Non-authoritative: grants roles/billing.viewer to one additional principal
		// on the billing account; other members already holding that role are preserved.
		memberArgs := &billing.AccountIamMemberArgs{
			BillingAccountId: pulumi.String("00AA00-000AAA-00AA0A"),
			Member:           pulumi.String("user:jane@example.com"),
			Role:             pulumi.String("roles/billing.viewer"),
		}
		if _, err := billing.NewAccountIamMember(ctx, "editor", memberArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.billing.AccountIamMember;
import com.pulumi.gcp.billing.AccountIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that grants one role to one principal on a billing account.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: a non-authoritative AccountIamMember that grants
     * roles/billing.viewer to a single principal; other members already holding
     * that role are preserved.
     *
     * @param ctx the Pulumi context for this stack
     */
    public static void stack(Context ctx) {
        var editor = new AccountIamMember("editor", AccountIamMemberArgs.builder()
            .billingAccountId("00AA00-000AAA-00AA0A")
            .member("user:jane@example.com")
            .role("roles/billing.viewer")
            .build());
    }
}
resources:
# Pulumi YAML form of the same member grant.
  editor:
    type: gcp:billing:AccountIamMember
    properties:
      billingAccountId: 00AA00-000AAA-00AA0A
      # Non-authoritative: adds this principal to roles/billing.viewer; other members
      # already holding the role are preserved.
      member: user:jane@example.com
      role: roles/billing.viewer
Import
Billing account IAM resources can be imported using the billing account ID, role and/or member, as shown below.
$ pulumi import gcp:billing/accountIamPolicy:AccountIamPolicy binding "your-billing-account-id"
$ pulumi import gcp:billing/accountIamPolicy:AccountIamPolicy binding "your-billing-account-id roles/billing.user"
$ pulumi import gcp:billing/accountIamPolicy:AccountIamPolicy binding "your-billing-account-id roles/billing.user user:jane@example.com"
-> Custom Roles
If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. organizations/my-org-id/roles/my-custom-role.