The gcp:datacatalog/policyTagIamMember:PolicyTagIamMember resource, part of the Pulumi GCP provider, manages IAM access to Data Catalog policy tags by granting roles to individual members, groups of members, or replacing entire policies. This guide focuses on three capabilities: non-authoritative single-member grants, authoritative role-level member lists, and complete policy replacement.
These resources reference existing policy tags and have strict compatibility rules. PolicyTagIamPolicy cannot be used alongside PolicyTagIamBinding or PolicyTagIamMember, as they will conflict over policy state. PolicyTagIamBinding and PolicyTagIamMember can coexist only if they manage different roles. The examples are intentionally small. Choose the resource that matches your authorization model.
Grant a role to a single member non-authoritatively
When you need to add one person or service account without affecting other members, PolicyTagIamMember is the safest choice for incremental access grants.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.datacatalog.PolicyTagIamMember("member", {
policyTag: basicPolicyTag.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.datacatalog.PolicyTagIamMember("member",
policy_tag=basic_policy_tag["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := datacatalog.NewPolicyTagIamMember(ctx, "member", &datacatalog.PolicyTagIamMemberArgs{
PolicyTag: pulumi.Any(basicPolicyTag.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataCatalog.PolicyTagIamMember("member", new()
{
PolicyTag = basicPolicyTag.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.datacatalog.PolicyTagIamMember;
import com.pulumi.gcp.datacatalog.PolicyTagIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new PolicyTagIamMember("member", PolicyTagIamMemberArgs.builder()
.policyTag(basicPolicyTag.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:datacatalog:PolicyTagIamMember
properties:
policyTag: ${basicPolicyTag.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies a single identity using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property defines what permissions that member receives. This resource adds the member without removing others who already have the same role, making it safe for shared environments where multiple teams manage access.
Grant a role to multiple members authoritatively
When you need to define the complete list of members for a specific role, PolicyTagIamBinding replaces all existing members for that role while preserving other roles.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.datacatalog.PolicyTagIamBinding("binding", {
policyTag: basicPolicyTag.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.datacatalog.PolicyTagIamBinding("binding",
policy_tag=basic_policy_tag["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := datacatalog.NewPolicyTagIamBinding(ctx, "binding", &datacatalog.PolicyTagIamBindingArgs{
PolicyTag: pulumi.Any(basicPolicyTag.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.DataCatalog.PolicyTagIamBinding("binding", new()
{
PolicyTag = basicPolicyTag.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.datacatalog.PolicyTagIamBinding;
import com.pulumi.gcp.datacatalog.PolicyTagIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new PolicyTagIamBinding("binding", PolicyTagIamBindingArgs.builder()
.policyTag(basicPolicyTag.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:datacatalog:PolicyTagIamBinding
properties:
policyTag: ${basicPolicyTag.name}
role: roles/viewer
members:
- user:jane@example.com
The members property takes an array of identities. This resource is authoritative for the specified role: it replaces any existing members for that role but leaves other roles untouched. Use this when you want to centrally manage who has a specific role without worrying about incremental additions from other sources.
Replace the entire IAM policy authoritatively
When you need complete control over all roles and members, PolicyTagIamPolicy replaces the entire IAM policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.datacatalog.PolicyTagIamPolicy("policy", {
policyTag: basicPolicyTag.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.datacatalog.PolicyTagIamPolicy("policy",
policy_tag=basic_policy_tag["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = datacatalog.NewPolicyTagIamPolicy(ctx, "policy", &datacatalog.PolicyTagIamPolicyArgs{
PolicyTag: pulumi.Any(basicPolicyTag.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.DataCatalog.PolicyTagIamPolicy("policy", new()
{
PolicyTag = basicPolicyTag.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.datacatalog.PolicyTagIamPolicy;
import com.pulumi.gcp.datacatalog.PolicyTagIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new PolicyTagIamPolicy("policy", PolicyTagIamPolicyArgs.builder()
.policyTag(basicPolicyTag.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:datacatalog:PolicyTagIamPolicy
properties:
policyTag: ${basicPolicyTag.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property comes from the getIAMPolicy data source, which defines bindings (role-to-members mappings) in a structured format. This resource is the most authoritative: it removes any roles or members not defined in your configuration. Use this for greenfield deployments or when you need guaranteed policy state, but avoid mixing it with PolicyTagIamBinding or PolicyTagIamMember on the same policy tag.
Beyond these examples
These snippets focus on specific IAM management approaches: incremental vs authoritative IAM management, single-member and multi-member role grants, and complete policy replacement. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Data Catalog policy tags (referenced by name). They focus on configuring IAM bindings rather than creating the underlying policy tags.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions (projects//roles/ format)
- Federated identity principals
- Domain-wide and project-scoped member types
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the PolicyTagIamMember resource reference for all available configuration options.
Let's manage GCP Data Catalog Policy Tag IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Compatibility
PolicyTagIamPolicy cannot be used with PolicyTagIamBinding or PolicyTagIamMember because they will conflict over the policy. However, PolicyTagIamBinding and PolicyTagIamMember can be used together if they don’t grant the same role.PolicyTagIamPolicy is authoritative and replaces the entire IAM policy. PolicyTagIamBinding is authoritative for a specific role, replacing all members for that role while preserving other roles. PolicyTagIamMember is non-authoritative and adds a single member to a role without affecting other members.Configuration & Identity Formats
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, or federated identities like principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com.[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.Immutability & Lifecycle
member, role, policyTag) are immutable and cannot be changed after the resource is created. The condition property is also immutable.