The gcp:bigquery/datapolicyv2DataPolicyIamMember:Datapolicyv2DataPolicyIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for BigQuery data policies by adding individual members to roles without affecting other grants. This guide focuses on three IAM management approaches: single-member grants (IamMember), multi-member role management (IamBinding), and complete policy replacement (IamPolicy).
These resources reference existing BigQuery data policies and require project and location configuration. The examples are intentionally small. Combine them with your own data policy resources and identity management.
Grant a single user access to a data policy
When you need to add one identity to a role without affecting other permissions, the IamMember resource provides non-authoritative access control.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.bigquery.Datapolicyv2DataPolicyIamMember("member", {
project: basicDataPolicy.project,
location: basicDataPolicy.location,
dataPolicyId: basicDataPolicy.dataPolicyId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.bigquery.Datapolicyv2DataPolicyIamMember("member",
project=basic_data_policy["project"],
location=basic_data_policy["location"],
data_policy_id=basic_data_policy["dataPolicyId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigquery"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bigquery.NewDatapolicyv2DataPolicyIamMember(ctx, "member", &bigquery.Datapolicyv2DataPolicyIamMemberArgs{
Project: pulumi.Any(basicDataPolicy.Project),
Location: pulumi.Any(basicDataPolicy.Location),
DataPolicyId: pulumi.Any(basicDataPolicy.DataPolicyId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.BigQuery.Datapolicyv2DataPolicyIamMember("member", new()
{
Project = basicDataPolicy.Project,
Location = basicDataPolicy.Location,
DataPolicyId = basicDataPolicy.DataPolicyId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.Datapolicyv2DataPolicyIamMember;
import com.pulumi.gcp.bigquery.Datapolicyv2DataPolicyIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new Datapolicyv2DataPolicyIamMember("member", Datapolicyv2DataPolicyIamMemberArgs.builder()
.project(basicDataPolicy.project())
.location(basicDataPolicy.location())
.dataPolicyId(basicDataPolicy.dataPolicyId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:bigquery:Datapolicyv2DataPolicyIamMember
properties:
project: ${basicDataPolicy.project}
location: ${basicDataPolicy.location}
dataPolicyId: ${basicDataPolicy.dataPolicyId}
role: roles/viewer
member: user:jane@example.com
The member property specifies the identity using formats like “user:jane@example.com” for Google accounts or “serviceAccount:app@project.iam.gserviceaccount.com” for service accounts. The role property defines the permission level. This resource adds the member without removing other identities already granted the same role.
Grant multiple users the same role
When several identities need identical permissions, the IamBinding resource manages all members for a specific role together.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.bigquery.Datapolicyv2DataPolicyIamBinding("binding", {
project: basicDataPolicy.project,
location: basicDataPolicy.location,
dataPolicyId: basicDataPolicy.dataPolicyId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.bigquery.Datapolicyv2DataPolicyIamBinding("binding",
project=basic_data_policy["project"],
location=basic_data_policy["location"],
data_policy_id=basic_data_policy["dataPolicyId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigquery"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bigquery.NewDatapolicyv2DataPolicyIamBinding(ctx, "binding", &bigquery.Datapolicyv2DataPolicyIamBindingArgs{
Project: pulumi.Any(basicDataPolicy.Project),
Location: pulumi.Any(basicDataPolicy.Location),
DataPolicyId: pulumi.Any(basicDataPolicy.DataPolicyId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.BigQuery.Datapolicyv2DataPolicyIamBinding("binding", new()
{
Project = basicDataPolicy.Project,
Location = basicDataPolicy.Location,
DataPolicyId = basicDataPolicy.DataPolicyId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.Datapolicyv2DataPolicyIamBinding;
import com.pulumi.gcp.bigquery.Datapolicyv2DataPolicyIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new Datapolicyv2DataPolicyIamBinding("binding", Datapolicyv2DataPolicyIamBindingArgs.builder()
.project(basicDataPolicy.project())
.location(basicDataPolicy.location())
.dataPolicyId(basicDataPolicy.dataPolicyId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:bigquery:Datapolicyv2DataPolicyIamBinding
properties:
project: ${basicDataPolicy.project}
location: ${basicDataPolicy.location}
dataPolicyId: ${basicDataPolicy.dataPolicyId}
role: roles/viewer
members:
- user:jane@example.com
The members property takes a list of identities. This resource is authoritative for the specified role, meaning it replaces any previous member list for that role while preserving other roles in the policy. Use IamBinding when you want to manage a role’s complete member list as a unit.
Replace the entire IAM policy
For complete control over all IAM bindings, the IamPolicy resource replaces the entire policy in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.bigquery.Datapolicyv2DataPolicyIamPolicy("policy", {
project: basicDataPolicy.project,
location: basicDataPolicy.location,
dataPolicyId: basicDataPolicy.dataPolicyId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.bigquery.Datapolicyv2DataPolicyIamPolicy("policy",
project=basic_data_policy["project"],
location=basic_data_policy["location"],
data_policy_id=basic_data_policy["dataPolicyId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigquery"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = bigquery.NewDatapolicyv2DataPolicyIamPolicy(ctx, "policy", &bigquery.Datapolicyv2DataPolicyIamPolicyArgs{
Project: pulumi.Any(basicDataPolicy.Project),
Location: pulumi.Any(basicDataPolicy.Location),
DataPolicyId: pulumi.Any(basicDataPolicy.DataPolicyId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.BigQuery.Datapolicyv2DataPolicyIamPolicy("policy", new()
{
Project = basicDataPolicy.Project,
Location = basicDataPolicy.Location,
DataPolicyId = basicDataPolicy.DataPolicyId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.bigquery.Datapolicyv2DataPolicyIamPolicy;
import com.pulumi.gcp.bigquery.Datapolicyv2DataPolicyIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new Datapolicyv2DataPolicyIamPolicy("policy", Datapolicyv2DataPolicyIamPolicyArgs.builder()
.project(basicDataPolicy.project())
.location(basicDataPolicy.location())
.dataPolicyId(basicDataPolicy.dataPolicyId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:bigquery:Datapolicyv2DataPolicyIamPolicy
properties:
project: ${basicDataPolicy.project}
location: ${basicDataPolicy.location}
dataPolicyId: ${basicDataPolicy.dataPolicyId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts a complete IAM policy document, typically constructed using the getIAMPolicy data source. This resource is fully authoritative, removing any grants not explicitly listed in the policy. The IamPolicy resource cannot be used alongside IamBinding or IamMember resources, as they will conflict over policy ownership.
Beyond these examples
These snippets focus on specific IAM management patterns: single-member grants (IamMember), role-level member lists (IamBinding), and complete policy replacement (IamPolicy). They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as BigQuery data policies (via dataPolicyId) and GCP project and location configuration. They focus on IAM binding configuration rather than provisioning the underlying data policies.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions
- Service account creation and management
- Data policy creation and configuration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Datapolicyv2DataPolicyIamMember resource reference for all available configuration options.
Let's manage GCP BigQuery Data Policy IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Datapolicyv2DataPolicyIamPolicy cannot be used with Datapolicyv2DataPolicyIamBinding or Datapolicyv2DataPolicyIamMember because they will conflict over the policy. Additionally, Datapolicyv2DataPolicyIamBinding and Datapolicyv2DataPolicyIamMember can only be used together if they don’t grant privileges to the same role.Datapolicyv2DataPolicyIamPolicy is authoritative and replaces the entire IAM policy. Datapolicyv2DataPolicyIamBinding is authoritative for a specific role and preserves other roles. Datapolicyv2DataPolicyIamMember is non-authoritative and adds a single member to a role while preserving other members.Datapolicyv2DataPolicyIamMember to add individual members without affecting other members of the same role. Use Datapolicyv2DataPolicyIamBinding when you want to manage all members for a specific role authoritatively.Identity & Role Configuration
member parameter supports multiple formats: allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.Resource Properties
dataPolicyId, location, project, member, role, and condition. Changing any of these requires recreating the resource.