Manage GCP BigQuery IAM Bindings

The gcp:bigquery/iamBinding:IamBinding resource, part of the Pulumi GCP provider, grants a specific IAM role to a list of members on a BigQuery table, with authoritative control over that role’s membership. This guide focuses on two capabilities: authoritative role grants to multiple members and incremental member additions.

IamBinding is one of three IAM resources for BigQuery tables. IamBinding provides authoritative control over a single role (replacing all members for that role), while IamMember adds individual members non-authoritatively. IamPolicy replaces the entire policy and cannot be used alongside IamBinding or IamMember. The examples are intentionally small. Combine them with your own table references and identity management.

Grant a role to multiple members at once

Teams managing table access often need to grant the same role to multiple users, service accounts, or groups simultaneously.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.bigquery.IamBinding("binding", {
    project: test.project,
    datasetId: test.datasetId,
    tableId: test.tableId,
    role: "roles/bigquery.dataOwner",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.bigquery.IamBinding("binding",
    project=test["project"],
    dataset_id=test["datasetId"],
    table_id=test["tableId"],
    role="roles/bigquery.dataOwner",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigquery"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := bigquery.NewIamBinding(ctx, "binding", &bigquery.IamBindingArgs{
			Project:   pulumi.Any(test.Project),
			DatasetId: pulumi.Any(test.DatasetId),
			TableId:   pulumi.Any(test.TableId),
			Role:      pulumi.String("roles/bigquery.dataOwner"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.BigQuery.IamBinding("binding", new()
    {
        Project = test.Project,
        DatasetId = test.DatasetId,
        TableId = test.TableId,
        Role = "roles/bigquery.dataOwner",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.IamBinding;
import com.pulumi.gcp.bigquery.IamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new IamBinding("binding", IamBindingArgs.builder()
            .project(test.project())
            .datasetId(test.datasetId())
            .tableId(test.tableId())
            .role("roles/bigquery.dataOwner")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:bigquery:IamBinding
    properties:
      project: ${test.project}
      datasetId: ${test.datasetId}
      tableId: ${test.tableId}
      role: roles/bigquery.dataOwner
      members:
        - user:jane@example.com

The role property specifies which BigQuery role to grant (e.g., roles/bigquery.dataOwner). The members array lists all identities that should have this role; IamBinding replaces any existing members for this role. The datasetId and tableId properties identify the target table.

Add a single member to a role incrementally

When you need to grant access to one user without affecting other members of the same role, use IamMember for non-authoritative updates.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.bigquery.IamMember("member", {
    project: test.project,
    datasetId: test.datasetId,
    tableId: test.tableId,
    role: "roles/bigquery.dataOwner",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.bigquery.IamMember("member",
    project=test["project"],
    dataset_id=test["datasetId"],
    table_id=test["tableId"],
    role="roles/bigquery.dataOwner",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigquery"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := bigquery.NewIamMember(ctx, "member", &bigquery.IamMemberArgs{
			Project:   pulumi.Any(test.Project),
			DatasetId: pulumi.Any(test.DatasetId),
			TableId:   pulumi.Any(test.TableId),
			Role:      pulumi.String("roles/bigquery.dataOwner"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.BigQuery.IamMember("member", new()
    {
        Project = test.Project,
        DatasetId = test.DatasetId,
        TableId = test.TableId,
        Role = "roles/bigquery.dataOwner",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.IamMember;
import com.pulumi.gcp.bigquery.IamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new IamMember("member", IamMemberArgs.builder()
            .project(test.project())
            .datasetId(test.datasetId())
            .tableId(test.tableId())
            .role("roles/bigquery.dataOwner")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:bigquery:IamMember
    properties:
      project: ${test.project}
      datasetId: ${test.datasetId}
      tableId: ${test.tableId}
      role: roles/bigquery.dataOwner
      member: user:jane@example.com

The member property (singular) specifies one identity to add. Unlike IamBinding, IamMember preserves existing members for the role. You can use multiple IamMember resources for the same role, or combine IamMember with IamBinding as long as they target different roles.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative grants. They’re intentionally minimal rather than full access control policies.

The examples reference pre-existing infrastructure such as BigQuery tables (via datasetId and tableId) and a GCP project with BigQuery API enabled. They focus on configuring access rather than provisioning tables.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Custom role definitions
Policy-level management (IamPolicy resource)
Federated identity and workload identity pool configuration

These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the BigQuery IamBinding resource reference for all available configuration options.

Let's manage GCP BigQuery IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between IamPolicy, IamBinding, and IamMember?

gcp.bigquery.IamPolicy is authoritative and replaces the entire IAM policy. gcp.bigquery.IamBinding is authoritative for a specific role, preserving other roles. gcp.bigquery.IamMember is non-authoritative and adds a single member to a role without affecting other members.

Can I use IamPolicy with IamBinding or IamMember?

No, gcp.bigquery.IamPolicy cannot be used with gcp.bigquery.IamBinding or gcp.bigquery.IamMember because they will conflict over the policy state.

Can I use IamBinding and IamMember together?

Yes, but only if they don’t grant privileges to the same role. Using both for the same role causes conflicts.

Should I use IamBinding or IamMember to grant access?

Use gcp.bigquery.IamBinding to grant a role to multiple members (with the members array). Use gcp.bigquery.IamMember to grant a role to a single member without affecting other members.

Member & Role Configuration

What member formats can I use in the members array?

You can use allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, or federated identities like principal://iam.googleapis.com/....

How do I specify a custom role?

Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.

Immutability & Updates

What properties can't I change after creating an IamBinding?

The datasetId, tableId, project, role, and condition properties are all immutable and require resource replacement if changed.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides