Manage GCP BigQuery IAM Bindings

The gcp:bigquery/iamBinding:IamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for BigQuery tables by granting a specific role to a list of members. This guide focuses on two capabilities: authoritative role binding for multiple members and non-authoritative member addition.

IamBinding is one of three IAM resources for BigQuery tables. It authoritatively controls who has a specific role while preserving other roles on the table. IamBinding can work alongside IamMember resources (for different roles), but conflicts with IamPolicy. The examples are intentionally small. Combine them with your own BigQuery tables and access requirements.

Grant a role to multiple members at once

Teams managing table access often need to grant the same role to multiple users, service accounts, or groups.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.bigquery.IamBinding("binding", {
    project: test.project,
    datasetId: test.datasetId,
    tableId: test.tableId,
    role: "roles/bigquery.dataOwner",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.bigquery.IamBinding("binding",
    project=test["project"],
    dataset_id=test["datasetId"],
    table_id=test["tableId"],
    role="roles/bigquery.dataOwner",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigquery"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := bigquery.NewIamBinding(ctx, "binding", &bigquery.IamBindingArgs{
			Project:   pulumi.Any(test.Project),
			DatasetId: pulumi.Any(test.DatasetId),
			TableId:   pulumi.Any(test.TableId),
			Role:      pulumi.String("roles/bigquery.dataOwner"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.BigQuery.IamBinding("binding", new()
    {
        Project = test.Project,
        DatasetId = test.DatasetId,
        TableId = test.TableId,
        Role = "roles/bigquery.dataOwner",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.IamBinding;
import com.pulumi.gcp.bigquery.IamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new IamBinding("binding", IamBindingArgs.builder()
            .project(test.project())
            .datasetId(test.datasetId())
            .tableId(test.tableId())
            .role("roles/bigquery.dataOwner")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:bigquery:IamBinding
    properties:
      project: ${test.project}
      datasetId: ${test.datasetId}
      tableId: ${test.tableId}
      role: roles/bigquery.dataOwner
      members:
        - user:jane@example.com

The role property specifies which BigQuery role to grant (here, roles/bigquery.dataOwner). The members array lists all identities that should have this role. IamBinding authoritatively manages this role: if you remove a member from the list, they lose access. Other roles on the table remain unchanged.

Add a single member to a role incrementally

When you need to grant access to one user without affecting other members of the same role, use IamMember for non-authoritative updates.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.bigquery.IamMember("member", {
    project: test.project,
    datasetId: test.datasetId,
    tableId: test.tableId,
    role: "roles/bigquery.dataOwner",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.bigquery.IamMember("member",
    project=test["project"],
    dataset_id=test["datasetId"],
    table_id=test["tableId"],
    role="roles/bigquery.dataOwner",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigquery"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := bigquery.NewIamMember(ctx, "member", &bigquery.IamMemberArgs{
			Project:   pulumi.Any(test.Project),
			DatasetId: pulumi.Any(test.DatasetId),
			TableId:   pulumi.Any(test.TableId),
			Role:      pulumi.String("roles/bigquery.dataOwner"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.BigQuery.IamMember("member", new()
    {
        Project = test.Project,
        DatasetId = test.DatasetId,
        TableId = test.TableId,
        Role = "roles/bigquery.dataOwner",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.IamMember;
import com.pulumi.gcp.bigquery.IamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new IamMember("member", IamMemberArgs.builder()
            .project(test.project())
            .datasetId(test.datasetId())
            .tableId(test.tableId())
            .role("roles/bigquery.dataOwner")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:bigquery:IamMember
    properties:
      project: ${test.project}
      datasetId: ${test.datasetId}
      tableId: ${test.tableId}
      role: roles/bigquery.dataOwner
      member: user:jane@example.com

The member property (singular) specifies one identity to add. Unlike IamBinding, IamMember preserves existing members of the role. This lets you grant access incrementally without knowing or managing the complete member list. Use IamMember when multiple teams manage access to the same table, or when you want to add access without replacing existing grants.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control solutions.

The examples reference pre-existing infrastructure such as BigQuery datasets and tables, and a GCP project with appropriate permissions. They focus on configuring IAM bindings rather than provisioning the underlying BigQuery resources.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Full policy replacement (IamPolicy resource)
Custom role definitions
Federated identity configuration

These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the BigQuery IamBinding resource reference for all available configuration options.

Let's manage GCP BigQuery IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Compatibility

What's the difference between IamPolicy, IamBinding, and IamMember?

gcp.bigquery.IamPolicy is authoritative and replaces the entire IAM policy. gcp.bigquery.IamBinding is authoritative for a specific role, preserving other roles. gcp.bigquery.IamMember is non-authoritative, adding a single member to a role while preserving other members.

Can I use IamPolicy with IamBinding or IamMember?

No, gcp.bigquery.IamPolicy cannot be used with gcp.bigquery.IamBinding or gcp.bigquery.IamMember because they’ll conflict over the policy configuration.

When can I use IamBinding and IamMember together?

You can use gcp.bigquery.IamBinding and gcp.bigquery.IamMember together only if they don’t grant privileges to the same role.

Configuration & Identity Formats

How do I specify a custom role?

Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

What member identity formats are supported?

The members property supports multiple formats:

Special identifiers: allUsers, allAuthenticatedUsers
User accounts: user:{emailid} (e.g., user:alice@gmail.com)
Service accounts: serviceAccount:{emailid}
Groups: group:{emailid}
Domains: domain:{domain} (e.g., domain:example.com)
Project roles: projectOwner:projectid, projectEditor:projectid, projectViewer:projectid
Federated identities: Workload/workforce identity pools (see Principal identifiers documentation)

Can I use multiple IamBinding resources for the same table?

Yes, but only one gcp.bigquery.IamBinding per role. Each binding manages a different role on the same table.

Immutability & Lifecycle

What properties can't I change after creating an IamBinding?

The following properties are immutable: datasetId, project, role, tableId, and condition. Changing any of these requires recreating the resource.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides