Manage GCP Data Catalog Taxonomy IAM Bindings

The gcp:datacatalog/taxonomyIamBinding:TaxonomyIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Data Catalog taxonomies. It grants roles to lists of members authoritatively, meaning it controls the complete member list for a given role. This guide focuses on two capabilities: granting roles to multiple members and adding individual members non-authoritatively.

IAM bindings reference existing taxonomies and assume the provider is configured with project and region defaults. The examples are intentionally small. Combine them with your own taxonomy resources and access control requirements.

Grant a role to multiple members

Teams managing taxonomies often need to grant the same role to multiple users or service accounts at once, ensuring consistent access across a team.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.datacatalog.TaxonomyIamBinding("binding", {
    taxonomy: basicTaxonomy.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.datacatalog.TaxonomyIamBinding("binding",
    taxonomy=basic_taxonomy["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := datacatalog.NewTaxonomyIamBinding(ctx, "binding", &datacatalog.TaxonomyIamBindingArgs{
			Taxonomy: pulumi.Any(basicTaxonomy.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.DataCatalog.TaxonomyIamBinding("binding", new()
    {
        Taxonomy = basicTaxonomy.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.datacatalog.TaxonomyIamBinding;
import com.pulumi.gcp.datacatalog.TaxonomyIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new TaxonomyIamBinding("binding", TaxonomyIamBindingArgs.builder()
            .taxonomy(basicTaxonomy.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:datacatalog:TaxonomyIamBinding
    properties:
      taxonomy: ${basicTaxonomy.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The members property lists all identities that receive the specified role. TaxonomyIamBinding is authoritative for this role: it replaces any existing member list. The taxonomy property references the taxonomy resource, and role specifies the IAM role to grant (e.g., roles/viewer for read access).

Add a single member to a role

When onboarding individual users or granting access to specific service accounts, TaxonomyIamMember adds one member without affecting others already assigned to the role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.datacatalog.TaxonomyIamMember("member", {
    taxonomy: basicTaxonomy.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.datacatalog.TaxonomyIamMember("member",
    taxonomy=basic_taxonomy["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/datacatalog"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := datacatalog.NewTaxonomyIamMember(ctx, "member", &datacatalog.TaxonomyIamMemberArgs{
			Taxonomy: pulumi.Any(basicTaxonomy.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.DataCatalog.TaxonomyIamMember("member", new()
    {
        Taxonomy = basicTaxonomy.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.datacatalog.TaxonomyIamMember;
import com.pulumi.gcp.datacatalog.TaxonomyIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new TaxonomyIamMember("member", TaxonomyIamMemberArgs.builder()
            .taxonomy(basicTaxonomy.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:datacatalog:TaxonomyIamMember
    properties:
      taxonomy: ${basicTaxonomy.name}
      role: roles/viewer
      member: user:jane@example.com

The member property specifies a single identity to add. Unlike TaxonomyIamBinding, TaxonomyIamMember is non-authoritative: it adds this member to the role without removing existing members. Use TaxonomyIamMember when you need incremental access grants; use TaxonomyIamBinding when you want to define the complete member list for a role.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as Data Catalog taxonomies. They focus on configuring IAM bindings rather than provisioning taxonomies or managing complete policies.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Project and region specification (defaults to provider config)
Policy-level management (TaxonomyIamPolicy resource)
Custom role formatting ([projects|organizations]/{parent}/roles/{name})

These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the TaxonomyIamBinding resource reference for all available configuration options.

Let's manage GCP Data Catalog Taxonomy IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between TaxonomyIamPolicy, TaxonomyIamBinding, and TaxonomyIamMember?

TaxonomyIamPolicy is authoritative and replaces the entire IAM policy. TaxonomyIamBinding is authoritative for a specific role, managing all members for that role while preserving other roles. TaxonomyIamMember is non-authoritative, adding a single member to a role without affecting other members.

Which IAM resources can I use together?

TaxonomyIamPolicy cannot be used with TaxonomyIamBinding or TaxonomyIamMember as they will conflict. However, TaxonomyIamBinding and TaxonomyIamMember can be used together only if they don’t grant privileges to the same role.

When should I use TaxonomyIamBinding vs TaxonomyIamMember?

Use TaxonomyIamBinding to manage all members for a role at once (authoritative for that role). Use TaxonomyIamMember to add individual members without affecting existing members (non-authoritative).

IAM Configuration

What member identity formats are supported?

Supported formats include allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities like principal://iam.googleapis.com/....

How do I specify a custom role?

Custom roles must use the full path format: projects/{parent-name}/roles/{role-name} or organizations/{parent-name}/roles/{role-name}. Don’t use just the role name.

Can I grant a role to multiple members at once?

Yes, use TaxonomyIamBinding with the members array to grant a role to multiple identities simultaneously.

Resource Properties & Immutability

What properties are immutable after creation?

The role, taxonomy, project, region, and condition properties are all immutable and cannot be changed after the resource is created.

Do I need to specify project and region explicitly?

Not necessarily. Both project and region can be parsed from the parent taxonomy identifier or taken from the provider configuration if not explicitly specified.

Using a different cloud?

Explore iam guides for other cloud providers:

AWS Guides Azure Guides