The gcp:datacatalog/taxonomyIamMember:TaxonomyIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Data Catalog taxonomies by adding individual members to roles without affecting other permissions. This guide focuses on three approaches: adding individual members non-authoritatively, setting complete member lists per role, and replacing entire IAM policies.
These three resources reference existing taxonomies and have strict compatibility rules. TaxonomyIamPolicy conflicts with both TaxonomyIamBinding and TaxonomyIamMember because it replaces the entire policy. TaxonomyIamBinding and TaxonomyIamMember can coexist only when managing different roles. The examples are intentionally small. Combine them with your own taxonomy infrastructure and identity management.
Grant a single user access to a taxonomy
Most IAM configurations add individual users or service accounts to specific roles without disrupting existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.datacatalog.TaxonomyIamMember("member", {
taxonomy: basicTaxonomy.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.datacatalog.TaxonomyIamMember("member",
taxonomy=basic_taxonomy["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := datacatalog.NewTaxonomyIamMember(ctx, "member", &datacatalog.TaxonomyIamMemberArgs{
Taxonomy: pulumi.Any(basicTaxonomy.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataCatalog.TaxonomyIamMember("member", new()
{
Taxonomy = basicTaxonomy.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.datacatalog.TaxonomyIamMember;
import com.pulumi.gcp.datacatalog.TaxonomyIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new TaxonomyIamMember("member", TaxonomyIamMemberArgs.builder()
.taxonomy(basicTaxonomy.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:datacatalog:TaxonomyIamMember
properties:
taxonomy: ${basicTaxonomy.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies one identity in the format “user:email”, “serviceAccount:email”, “group:email”, or other supported formats. The role property sets the permission level. TaxonomyIamMember is non-authoritative: it adds this member without removing others already assigned to the role.
Define all members for a role authoritatively
When you need to control the complete list of members for a specific role, TaxonomyIamBinding replaces all members for that role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.datacatalog.TaxonomyIamBinding("binding", {
taxonomy: basicTaxonomy.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.datacatalog.TaxonomyIamBinding("binding",
taxonomy=basic_taxonomy["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := datacatalog.NewTaxonomyIamBinding(ctx, "binding", &datacatalog.TaxonomyIamBindingArgs{
Taxonomy: pulumi.Any(basicTaxonomy.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.DataCatalog.TaxonomyIamBinding("binding", new()
{
Taxonomy = basicTaxonomy.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.datacatalog.TaxonomyIamBinding;
import com.pulumi.gcp.datacatalog.TaxonomyIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TaxonomyIamBinding("binding", TaxonomyIamBindingArgs.builder()
.taxonomy(basicTaxonomy.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:datacatalog:TaxonomyIamBinding
properties:
taxonomy: ${basicTaxonomy.name}
role: roles/viewer
members:
- user:jane@example.com
The members property takes an array of identities. TaxonomyIamBinding is authoritative for the specified role: it sets exactly these members and removes any others. Other roles on the taxonomy remain unchanged. Use this when you want to declare “these are the only members for this role.”
Replace the entire IAM policy for a taxonomy
Organizations managing IAM centrally sometimes need to set the complete policy document, replacing all existing configuration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.datacatalog.TaxonomyIamPolicy("policy", {
taxonomy: basicTaxonomy.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.datacatalog.TaxonomyIamPolicy("policy",
taxonomy=basic_taxonomy["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = datacatalog.NewTaxonomyIamPolicy(ctx, "policy", &datacatalog.TaxonomyIamPolicyArgs{
Taxonomy: pulumi.Any(basicTaxonomy.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.DataCatalog.TaxonomyIamPolicy("policy", new()
{
Taxonomy = basicTaxonomy.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.datacatalog.TaxonomyIamPolicy;
import com.pulumi.gcp.datacatalog.TaxonomyIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new TaxonomyIamPolicy("policy", TaxonomyIamPolicyArgs.builder()
.taxonomy(basicTaxonomy.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:datacatalog:TaxonomyIamPolicy
properties:
taxonomy: ${basicTaxonomy.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts a complete IAM policy document, typically constructed using the getIAMPolicy data source. TaxonomyIamPolicy is fully authoritative: it replaces the entire IAM policy for the taxonomy, removing any roles or members not specified. This approach provides the most control but requires careful coordination to avoid accidentally removing permissions.
Beyond these examples
These snippets focus on specific IAM management approaches: incremental member addition, authoritative role management, and complete policy replacement. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Data Catalog taxonomies and GCP project and region configuration. They focus on IAM binding configuration rather than provisioning taxonomies or identity sources.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Federated identity and workload identity pool configuration
- Cross-project and cross-region taxonomy references
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the TaxonomyIamMember resource reference for all available configuration options.
Let's manage GCP Data Catalog Taxonomy IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
TaxonomyIamPolicy is authoritative and replaces the entire IAM policy. TaxonomyIamBinding is authoritative for a specific role but preserves other roles. TaxonomyIamMember is non-authoritative and preserves other members for the same role.TaxonomyIamPolicy cannot be used with TaxonomyIamBinding or TaxonomyIamMember because they will conflict over the policy state.IAM Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, and federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.Resource Properties
member, role, taxonomy, project, region, and condition.