No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

GCP Classic provider:

If you're OK setting IAM on everything in the project, `projects.IAMPolicy` will be authoritative for the entire GCP project and all buckets under it. I think that's best practice.

if you mean ACLs on the bucket, which I think is confusingly also called IAM in the cloud console, we have a `storage.BucketACL` and `storage.ObjectACL`, though I think you may need to experiment to see how that interacts with IAMPolicy.

For the native provider, project-wide IAM policy isn't where I would expect to see it, so I'll need to follow up there.

For storage buckets, <https://www.pulumi.com/registry/packages/google-native/api-docs/storage/v1/bucketiampolicy/> storage.v1.bucketiampolicy and storage.v1.objectiampolicy are the right counterparts.

So, I'd explored this a little with `google-native` and my issues were (IIRC) that I had to get the current IAM policy for the bucket, make any changes (ie. append an `allusers` entry), then apply that back to the bucket.

But, I couldn't figure out how to do this _after_ the bucket was created as these calls simply ran ever time, and would throw an exception if the bucket did not already exist.

I tried with some `.then` calls (in attempts to make a dependency graph) but I wasn't sure how to do it, and the only way I made this succeed was to  create the bucket with 1 run then add the ACL change in later run

Was the bucket you wanted to define policy for created via Pulumi or another provider? I'm asking to probe why you're needing to append changes and write back.