The gcp:dataplex/aspectTypeIamBinding:AspectTypeIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Dataplex AspectType resources, controlling which identities can access and modify aspect type definitions. This guide focuses on two capabilities: granting roles to multiple members and adding individual members incrementally.
IAM bindings reference existing AspectType resources and require the Dataplex API enabled in your project. The examples are intentionally small. Combine them with your own AspectType resources and identity management workflows.
Grant a role to multiple members at once
When onboarding teams or configuring cross-project access, you often need to assign the same role to several users or service accounts at once. The examples below list a single member for brevity; the members array takes as many identities as you need.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.dataplex.AspectTypeIamBinding("binding", {
project: testAspectTypeBasic.project,
location: testAspectTypeBasic.location,
aspectTypeId: testAspectTypeBasic.aspectTypeId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.dataplex.AspectTypeIamBinding("binding",
project=test_aspect_type_basic["project"],
location=test_aspect_type_basic["location"],
aspect_type_id=test_aspect_type_basic["aspectTypeId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewAspectTypeIamBinding(ctx, "binding", &dataplex.AspectTypeIamBindingArgs{
Project: pulumi.Any(testAspectTypeBasic.Project),
Location: pulumi.Any(testAspectTypeBasic.Location),
AspectTypeId: pulumi.Any(testAspectTypeBasic.AspectTypeId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.DataPlex.AspectTypeIamBinding("binding", new()
{
Project = testAspectTypeBasic.Project,
Location = testAspectTypeBasic.Location,
AspectTypeId = testAspectTypeBasic.AspectTypeId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.AspectTypeIamBinding;
import com.pulumi.gcp.dataplex.AspectTypeIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new AspectTypeIamBinding("binding", AspectTypeIamBindingArgs.builder()
.project(testAspectTypeBasic.project())
.location(testAspectTypeBasic.location())
.aspectTypeId(testAspectTypeBasic.aspectTypeId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:dataplex:AspectTypeIamBinding
properties:
project: ${testAspectTypeBasic.project}
location: ${testAspectTypeBasic.location}
aspectTypeId: ${testAspectTypeBasic.aspectTypeId}
role: roles/viewer
members:
- user:jane@example.com
The AspectTypeIamBinding resource is authoritative for the specified role: on every update it sets the member list for that role to exactly what the program declares, so any identity that was granted the same role outside this program (in the console, with gcloud, or by another stack) is removed. Other roles on the AspectType are left untouched. Review the output of pulumi preview for unexpected removals before applying. The members array accepts various identity formats: individual users, service accounts, groups, domains, or the special identifiers allUsers and allAuthenticatedUsers, which open the aspect type to everyone or to any Google-authenticated caller and should only be used deliberately. The aspectTypeId, location, and project properties identify which AspectType resource receives the binding.
Add a single member to a role incrementally
As access requirements evolve, you can add individual members to roles without affecting existing assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataplex.AspectTypeIamMember("member", {
project: testAspectTypeBasic.project,
location: testAspectTypeBasic.location,
aspectTypeId: testAspectTypeBasic.aspectTypeId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataplex.AspectTypeIamMember("member",
project=test_aspect_type_basic["project"],
location=test_aspect_type_basic["location"],
aspect_type_id=test_aspect_type_basic["aspectTypeId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewAspectTypeIamMember(ctx, "member", &dataplex.AspectTypeIamMemberArgs{
Project: pulumi.Any(testAspectTypeBasic.Project),
Location: pulumi.Any(testAspectTypeBasic.Location),
AspectTypeId: pulumi.Any(testAspectTypeBasic.AspectTypeId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataPlex.AspectTypeIamMember("member", new()
{
Project = testAspectTypeBasic.Project,
Location = testAspectTypeBasic.Location,
AspectTypeId = testAspectTypeBasic.AspectTypeId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.AspectTypeIamMember;
import com.pulumi.gcp.dataplex.AspectTypeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new AspectTypeIamMember("member", AspectTypeIamMemberArgs.builder()
.project(testAspectTypeBasic.project())
.location(testAspectTypeBasic.location())
.aspectTypeId(testAspectTypeBasic.aspectTypeId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataplex:AspectTypeIamMember
properties:
project: ${testAspectTypeBasic.project}
location: ${testAspectTypeBasic.location}
aspectTypeId: ${testAspectTypeBasic.aspectTypeId}
role: roles/viewer
member: user:jane@example.com
The AspectTypeIamMember resource is non-authoritative: it adds one member to a role and leaves the role's other members in place, and destroying the resource removes only that member. This approach works well when different teams manage different members for the same role. Do not manage the same role on the same AspectType with both AspectTypeIamMember and AspectTypeIamBinding: the binding is authoritative for that role and will remove the member-managed identity on its next update. The member property accepts a single identity in the same formats as the members array in bindings.
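The two notes above (the binding being authoritative for its role, and the member resource being non-authoritative) describe the same failure mode from two sides. The following added example, which is not code from the Pulumi GCP provider or its documentation, simulates both resources against the plain IAM policy shape that getIamPolicy returns ({"bindings": [{"role": ..., "members": [...]}]}) so the effect is visible before pulumi up. The policy and every identity in it are constructed sample data.

```python
"""Preview what AspectTypeIamBinding (authoritative per role) and
AspectTypeIamMember (non-authoritative) would do to an AspectType's IAM policy.

Added illustration, not provider code. It works on the plain IAM policy shape
({"bindings": [{"role": ..., "members": [...]}]}); the policy below is
constructed sample data and every identity in it is hypothetical.
"""
from copy import deepcopy

# Constructed sample: the AspectType's policy as it exists before `pulumi up`.
# The ETL service account was granted roles/viewer by hand (gcloud/console),
# so no Pulumi program knows about it.
CURRENT_POLICY = {
    "bindings": [
        {
            "role": "roles/viewer",
            "members": [
                "user:jane@example.com",
                "serviceAccount:etl@my-project.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/owner",
            "members": ["group:data-platform@example.com"],
        },
    ]
}


def _binding_for(policy, role):
    """Return the binding dict for `role`, or None if the role has no binding."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            return binding
    return None


def members_of(policy, role):
    """Sorted member list for `role` ([] if the role is absent)."""
    binding = _binding_for(policy, role)
    return sorted(binding["members"]) if binding else []


def apply_binding(policy, role, members):
    """Simulate AspectTypeIamBinding: the member list for `role` becomes exactly
    `members`; other roles are untouched. Returns (new_policy, revoked, granted)."""
    new_policy = deepcopy(policy)
    binding = _binding_for(new_policy, role)
    before = set(binding["members"]) if binding else set()
    after = set(members)
    if binding is None:
        new_policy["bindings"].append({"role": role, "members": sorted(after)})
    else:
        binding["members"] = sorted(after)
    return new_policy, sorted(before - after), sorted(after - before)


def apply_member(policy, role, member):
    """Simulate AspectTypeIamMember: add one member to `role`, keep everyone else."""
    new_policy = deepcopy(policy)
    binding = _binding_for(new_policy, role)
    if binding is None:
        new_policy["bindings"].append({"role": role, "members": [member]})
    elif member not in binding["members"]:
        binding["members"].append(member)
    return new_policy


def binding_vs_member_conflict(policy=CURRENT_POLICY):
    """Walk through the failure mode of managing one role with both resources.

    1. A stack declares AspectTypeIamBinding(roles/viewer, [jane]).
    2. Another team adds bob with AspectTypeIamMember on the same role.
    3. The first stack runs again and, being authoritative, drops bob.
    Returns what each step revoked so the effect is visible.
    """
    after_binding, revoked_first, _ = apply_binding(
        policy, "roles/viewer", ["user:jane@example.com"])
    after_member = apply_member(after_binding, "roles/viewer", "user:bob@example.com")
    _, revoked_again, _ = apply_binding(
        after_member, "roles/viewer", ["user:jane@example.com"])
    return {
        "revoked_by_first_apply": revoked_first,   # the hand-granted ETL SA
        "after_member_add": members_of(after_member, "roles/viewer"),
        "revoked_by_re_apply": revoked_again,      # bob, added via IamMember
    }


if __name__ == "__main__":
    import json
    print(json.dumps(binding_vs_member_conflict(), indent=2))
```

The first apply_binding call revokes the hand-granted service account even though nobody wrote a line removing it; the re-apply then revokes the member that the other team added. Both are exactly what pulumi preview would show as a modification of the binding resource, which is why that preview deserves a look before every update of an authoritative binding.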
Beyond these examples
These snippets focus on specific IAM binding features: assigning a role to a list of members, and adding single members incrementally. They’re intentionally minimal rather than full access management solutions.
The examples reference pre-existing infrastructure such as Dataplex AspectType resources and a GCP project with Dataplex API enabled. They focus on configuring IAM bindings rather than provisioning the underlying AspectType resources.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (AspectTypeIamPolicy)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how IAM bindings are wired to AspectType resources, not provide drop-in access control modules. See the AspectTypeIamBinding resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
Use AspectTypeIamPolicy (authoritative for the whole policy) or AspectTypeIamBinding/AspectTypeIamMember (per-role/per-member) on a given AspectType, never both together. AspectTypeIamPolicy replaces the entire IAM policy. AspectTypeIamBinding is authoritative for a specific role and preserves other roles. AspectTypeIamMember is non-authoritative, adding a single member while preserving the other members of that role.
Configuration & Identity Formats
The members property accepts multiple formats:
- allUsers or allAuthenticatedUsers for public/authenticated access
- user:{email}, serviceAccount:{email}, group:{email} for specific identities
- domain:{domain} for Google Workspace (formerly G Suite) domains
- projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid} for project roles
- Federated identities using principal identifiers (e.g., principal://iam.googleapis.com/...)
Custom roles are referenced as [projects|organizations]/{parent-name}/roles/{role-name} (e.g., projects/my-project/roles/my-custom-role).
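The identity and role formats listed above are easy to get subtly wrong in a Pulumi program (a bare e-mail address without the user: prefix, or allUsers slipping into a members list), and the API only tells you at apply time. The following added example, which is not code from the Pulumi GCP provider or its documentation, is a small pre-apply lint that encodes those formats plus the principalSet:// form that GCP IAM also accepts for workload-identity groups. The checks are format checks only, not full GCP identifier validation, and the sample inputs are constructed.

```python
"""Lint the role and member identifiers of a Pulumi IAM binding before it is
applied, so malformed or overly broad grants are caught at review time.

Added example, not provider code. Encodes the member formats GCP IAM accepts
(user:, serviceAccount:, group:, domain:, project{Owner,Editor,Viewer}:,
allUsers/allAuthenticatedUsers, principal:// and principalSet://) and the
predefined/custom role formats. Format checks only, not full ID validation.
"""
import re

_EMAIL = r"[^\s:@/]+@[^\s:@/]+\.[^\s:@/]+"
_PROJECT_ID = r"[a-z][a-z0-9-]{4,28}[a-z0-9]"  # 6-30 chars, starts with a letter

MEMBER_PATTERNS = (
    ("public", re.compile(r"^(allUsers|allAuthenticatedUsers)$")),
    ("identity", re.compile(rf"^(user|serviceAccount|group):{_EMAIL}$")),
    ("domain", re.compile(r"^domain:[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)),
    ("project-role", re.compile(rf"^project(Owner|Editor|Viewer):{_PROJECT_ID}$")),
    # principal:// is a single federated identity, principalSet:// a group of them
    ("federated", re.compile(r"^principal(Set)?://iam\.googleapis\.com/\S+$")),
)

PREDEFINED_ROLE = re.compile(r"^roles/[A-Za-z0-9.]+$")
CUSTOM_ROLE = re.compile(r"^(projects|organizations)/[^/\s]+/roles/[A-Za-z0-9_.-]{3,64}$")
# Basic roles bundle many permissions; flag them so the grant is a deliberate choice.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}


def classify_member(member):
    """Return the member's kind ('public', 'identity', 'domain', 'project-role',
    'federated') or None if the string matches no accepted format."""
    for kind, pattern in MEMBER_PATTERNS:
        if pattern.match(member):
            return kind
    return None


def validate_role(role):
    """Return 'predefined' for roles/..., 'custom' for the
    [projects|organizations]/{parent}/roles/{id} form, else None."""
    if PREDEFINED_ROLE.match(role):
        return "predefined"
    if CUSTOM_ROLE.match(role):
        return "custom"
    return None


def lint_binding(role, members, allow_public=False):
    """Return a list of findings for one binding; an empty list means it passed.

    `members` may be the members array of an AspectTypeIamBinding or a
    one-element list holding the member of an AspectTypeIamMember.
    """
    findings = []
    if validate_role(role) is None:
        findings.append(f"role {role!r}: not roles/... or "
                        "[projects|organizations]/{parent}/roles/{id}")
    elif role in BASIC_ROLES:
        findings.append(f"role {role!r}: basic role bundles many permissions; "
                        "prefer a narrower predefined or custom role")
    seen = set()
    for member in members:
        kind = classify_member(member)
        if kind is None:
            findings.append(f"member {member!r}: unrecognised identity format "
                            "(missing user:/serviceAccount:/group: prefix?)")
        elif kind == "public" and not allow_public:
            findings.append(f"member {member!r}: grants access to everyone; "
                            "pass allow_public=True if that is intended")
        if member in seen:
            findings.append(f"member {member!r}: listed more than once")
        seen.add(member)
    return findings


if __name__ == "__main__":
    # Constructed sample input: one good member, one public principal, one bare e-mail.
    for finding in lint_binding("roles/viewer",
                                ["user:jane@example.com", "allUsers", "jane@example.com"]):
        print(finding)
```

Run lint_binding over every AspectTypeIamBinding and AspectTypeIamMember in the program (for example in a unit test of the Pulumi project, or in CI before pulumi up) and fail the build on any finding; the allow_public switch keeps intentional public grants possible without letting them appear by accident.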