The gcp:dataplex/aspectTypeIamBinding:AspectTypeIamBinding resource, part of the Pulumi GCP provider, manages IAM access control for Dataplex AspectType resources by binding roles to lists of members. This guide focuses on two capabilities: granting roles to multiple members and adding individual members incrementally.
IAM bindings reference existing AspectType resources and require project and location configuration. The examples are intentionally small. Combine them with your own AspectType resources and identity management strategy.
Grant a role to multiple members at once
Teams managing access often need to grant the same role to multiple users or service accounts simultaneously, such as when onboarding a team or configuring cross-project access.
TypeScript:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// testAspectTypeBasic is an existing gcp.dataplex.AspectType resource defined elsewhere in the program.
const binding = new gcp.dataplex.AspectTypeIamBinding("binding", {
    project: testAspectTypeBasic.project,
    location: testAspectTypeBasic.location,
    aspectTypeId: testAspectTypeBasic.aspectTypeId,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});
```

Python:

```python
import pulumi
import pulumi_gcp as gcp

# test_aspect_type_basic is an existing gcp.dataplex.AspectType resource defined elsewhere in the program.
binding = gcp.dataplex.AspectTypeIamBinding("binding",
    project=test_aspect_type_basic["project"],
    location=test_aspect_type_basic["location"],
    aspect_type_id=test_aspect_type_basic["aspectTypeId"],
    role="roles/viewer",
    members=["user:jane@example.com"])
```

Go:

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// testAspectTypeBasic is an existing dataplex.AspectType resource defined elsewhere in the program.
		_, err := dataplex.NewAspectTypeIamBinding(ctx, "binding", &dataplex.AspectTypeIamBindingArgs{
			Project:      pulumi.Any(testAspectTypeBasic.Project),
			Location:     pulumi.Any(testAspectTypeBasic.Location),
			AspectTypeId: pulumi.Any(testAspectTypeBasic.AspectTypeId),
			Role:         pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

C#:

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // testAspectTypeBasic is an existing Gcp.DataPlex.AspectType resource defined elsewhere in the program.
    var binding = new Gcp.DataPlex.AspectTypeIamBinding("binding", new()
    {
        Project = testAspectTypeBasic.Project,
        Location = testAspectTypeBasic.Location,
        AspectTypeId = testAspectTypeBasic.AspectTypeId,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});
```

Java:

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.AspectTypeIamBinding;
import com.pulumi.gcp.dataplex.AspectTypeIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // testAspectTypeBasic is an existing AspectType resource defined elsewhere in the program.
        var binding = new AspectTypeIamBinding("binding", AspectTypeIamBindingArgs.builder()
            .project(testAspectTypeBasic.project())
            .location(testAspectTypeBasic.location())
            .aspectTypeId(testAspectTypeBasic.aspectTypeId())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());
    }
}
```

YAML:

```yaml
resources:
  binding:
    type: gcp:dataplex:AspectTypeIamBinding
    properties:
      # testAspectTypeBasic is an existing gcp:dataplex:AspectType resource defined elsewhere in the program.
      project: ${testAspectTypeBasic.project}
      location: ${testAspectTypeBasic.location}
      aspectTypeId: ${testAspectTypeBasic.aspectTypeId}
      role: roles/viewer
      members:
        - user:jane@example.com
```
The AspectTypeIamBinding resource grants a role to all members in the list. The members property accepts user accounts, service accounts, groups, and other identity types. The role property specifies which permissions to grant; aspectTypeId, location, and project identify the target AspectType. This binding is authoritative for the specified role, meaning it replaces any existing members for that role.
Add a single member to a role incrementally
When access needs evolve, teams add individual members to existing roles without affecting other members who already have access.
TypeScript:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// testAspectTypeBasic is an existing gcp.dataplex.AspectType resource defined elsewhere in the program.
const member = new gcp.dataplex.AspectTypeIamMember("member", {
    project: testAspectTypeBasic.project,
    location: testAspectTypeBasic.location,
    aspectTypeId: testAspectTypeBasic.aspectTypeId,
    role: "roles/viewer",
    member: "user:jane@example.com",
});
```

Python:

```python
import pulumi
import pulumi_gcp as gcp

# test_aspect_type_basic is an existing gcp.dataplex.AspectType resource defined elsewhere in the program.
member = gcp.dataplex.AspectTypeIamMember("member",
    project=test_aspect_type_basic["project"],
    location=test_aspect_type_basic["location"],
    aspect_type_id=test_aspect_type_basic["aspectTypeId"],
    role="roles/viewer",
    member="user:jane@example.com")
```

Go:

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// testAspectTypeBasic is an existing dataplex.AspectType resource defined elsewhere in the program.
		_, err := dataplex.NewAspectTypeIamMember(ctx, "member", &dataplex.AspectTypeIamMemberArgs{
			Project:      pulumi.Any(testAspectTypeBasic.Project),
			Location:     pulumi.Any(testAspectTypeBasic.Location),
			AspectTypeId: pulumi.Any(testAspectTypeBasic.AspectTypeId),
			Role:         pulumi.String("roles/viewer"),
			Member:       pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

C#:

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // testAspectTypeBasic is an existing Gcp.DataPlex.AspectType resource defined elsewhere in the program.
    var member = new Gcp.DataPlex.AspectTypeIamMember("member", new()
    {
        Project = testAspectTypeBasic.Project,
        Location = testAspectTypeBasic.Location,
        AspectTypeId = testAspectTypeBasic.AspectTypeId,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });
});
```

Java:

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.AspectTypeIamMember;
import com.pulumi.gcp.dataplex.AspectTypeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // testAspectTypeBasic is an existing AspectType resource defined elsewhere in the program.
        var member = new AspectTypeIamMember("member", AspectTypeIamMemberArgs.builder()
            .project(testAspectTypeBasic.project())
            .location(testAspectTypeBasic.location())
            .aspectTypeId(testAspectTypeBasic.aspectTypeId())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());
    }
}
```

YAML:

```yaml
resources:
  member:
    type: gcp:dataplex:AspectTypeIamMember
    properties:
      # testAspectTypeBasic is an existing gcp:dataplex:AspectType resource defined elsewhere in the program.
      project: ${testAspectTypeBasic.project}
      location: ${testAspectTypeBasic.location}
      aspectTypeId: ${testAspectTypeBasic.aspectTypeId}
      role: roles/viewer
      member: user:jane@example.com
```
The AspectTypeIamMember resource adds one member to a role without replacing existing members. The member property specifies a single identity, while role, aspectTypeId, location, and project identify the target. This resource is non-authoritative, preserving other members already granted the same role. Use AspectTypeIamMember when you need to add access incrementally; use AspectTypeIamBinding when you want to define the complete member list for a role.
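The practical risk in the binding-versus-member distinction is that an authoritative AspectTypeIamBinding silently removes anyone who was granted the same role by an AspectTypeIamMember or by hand. The following Python simulation is an added example, not Pulumi's or Google's code and not a Pulumi program (it calls no GCP API): apply_policy, apply_binding and apply_member are stand-ins for AspectTypeIamPolicy, AspectTypeIamBinding and AspectTypeIamMember, the starting policy is constructed, and members_dropped_by_binding is the pre-apply check to run before moving a role from incremental members to an authoritative binding. conflicting_resources encodes the rule from the FAQ below that the policy resource cannot be mixed with the binding or member resources.

```python
"""Simulation of how the three Dataplex AspectType IAM resources change a policy.

Added example, not Pulumi or Google code. apply_policy(), apply_binding() and
apply_member() stand in for AspectTypeIamPolicy, AspectTypeIamBinding and
AspectTypeIamMember; all policy data below is constructed.
"""
from copy import deepcopy

# A GCP IAM policy is a list of bindings, each {role, members}.
# It is modelled here as role -> set of member strings.
Policy = dict[str, set[str]]


def apply_policy(policy: Policy, new_policy: Policy) -> Policy:
    """AspectTypeIamPolicy semantics: the whole policy is replaced, every role included."""
    return {role: set(members) for role, members in new_policy.items()}


def apply_binding(policy: Policy, role: str, members: list[str]) -> Policy:
    """AspectTypeIamBinding semantics: authoritative for `role` only; other roles are untouched."""
    updated = deepcopy(policy)
    updated[role] = set(members)
    return updated


def apply_member(policy: Policy, role: str, member: str) -> Policy:
    """AspectTypeIamMember semantics: add one member, keep everyone already on the role."""
    updated = deepcopy(policy)
    updated.setdefault(role, set()).add(member)
    return updated


def members_dropped_by_binding(policy: Policy, role: str, members: list[str]) -> set[str]:
    """Who loses access when an authoritative binding for `role` is applied.

    Anything returned here was granted outside the binding (an AspectTypeIamMember,
    a manual grant) and will be removed on the next apply; review it first.
    """
    return policy.get(role, set()) - set(members)


def conflicting_resources(resources: list[tuple[str, str]]) -> list[str]:
    """Flag resource mixes that cannot coexist on one AspectType.

    `resources` is a list of (resource_type, role) pairs. AspectTypeIamPolicy
    together with AspectTypeIamBinding or AspectTypeIamMember is a conflict.
    """
    types = {resource_type for resource_type, _ in resources}
    problems = []
    if "AspectTypeIamPolicy" in types and types & {"AspectTypeIamBinding", "AspectTypeIamMember"}:
        problems.append("AspectTypeIamPolicy conflicts with AspectTypeIamBinding/AspectTypeIamMember")
    return problems


def demo() -> dict:
    """Walk one constructed policy through the three resource types."""
    policy: Policy = {
        "roles/viewer": {"user:alice@example.com"},
        "roles/editor": {"serviceAccount:ci@example.iam.gserviceaccount.com"},
    }
    # Incremental grant: jane joins the viewers, alice stays.
    after_member = apply_member(policy, "roles/viewer", "user:jane@example.com")
    # Authoritative grant listing only jane: alice is dropped, roles/editor is untouched.
    dropped = members_dropped_by_binding(after_member, "roles/viewer", ["user:jane@example.com"])
    after_binding = apply_binding(after_member, "roles/viewer", ["user:jane@example.com"])
    # Whole-policy replacement: roles/editor disappears entirely.
    after_policy = apply_policy(after_binding, {"roles/viewer": {"user:jane@example.com"}})
    return {
        "after_member": after_member,
        "dropped": dropped,
        "after_binding": after_binding,
        "after_policy": after_policy,
    }


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

Run the file to see each step; the `dropped` set is the value to surface in a plan review, because a binding that lists only the members you know about is exactly how an unrelated AspectTypeIamMember grant gets revoked.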
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and binding vs member resource patterns. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Dataplex AspectType resources and GCP project and location configuration. They focus on configuring IAM bindings rather than provisioning the underlying AspectType resources.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (AspectTypeIamPolicy)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the AspectTypeIamBinding resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
AspectTypeIamPolicy is authoritative and replaces the entire IAM policy. AspectTypeIamBinding is authoritative for a specific role, preserving other roles. AspectTypeIamMember is non-authoritative, adding a single member while preserving other members for that role.

AspectTypeIamPolicy cannot be used with AspectTypeIamBinding or AspectTypeIamMember because they will conflict over the policy configuration.

IAM Configuration
Custom roles use the format [projects|organizations]/{parent-name}/roles/{role-name}. Supported member formats include:
- allUsers and allAuthenticatedUsers for public access
- user:{emailid}, serviceAccount:{emailid}, group:{emailid} for specific identities
- domain:{domain} for G Suite domains
- projectOwner:projectid, projectEditor:projectid, projectViewer:projectid for project roles
- Federated identities using principal identifiers
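A member string that does not match one of these formats fails at apply time, and one that matches allUsers or allAuthenticatedUsers makes the AspectType public. The validator below is an added example, not part of the Pulumi docs: it classifies member strings into the kinds listed above, and lint_members reports malformed entries and public grants before they go into a binding. The regular expressions are simplified assumptions rather than Google's exact validation rules; the principal:// and principalSet:// prefixes are the ones GCP uses for federated (Workforce and Workload Identity) principals.

```python
"""Validate IAM member identifiers and flag public grants.

Added example, not from the Pulumi docs. The regexes are simplified
assumptions, not Google's exact rules; sample inputs are constructed.
"""
import re

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
EMAIL_KINDS = {"user", "serviceAccount", "group"}
PROJECT_KINDS = {"projectOwner", "projectEditor", "projectViewer"}

# Deliberately loose shapes: enough to catch typos, not a full RFC check.
_EMAIL_RE = re.compile(r"^[^\s@:]+@[^\s@:]+\.[^\s@:]+$")
_DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)
# GCP project IDs: 6-30 chars, lowercase letter first, letters/digits/hyphens, no trailing hyphen.
_PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def classify_member(member: str) -> str:
    """Return the identity kind of a member string, or raise ValueError if malformed."""
    if member in PUBLIC_PRINCIPALS:
        return "public"
    # Federated identities use principal:// (single subject) or principalSet:// (a group of subjects).
    if member.startswith(("principal://", "principalSet://")):
        return "federated"
    prefix, sep, value = member.partition(":")
    if not sep or not value:
        raise ValueError(f"malformed member: {member!r}")
    if prefix in EMAIL_KINDS:
        if not _EMAIL_RE.match(value):
            raise ValueError(f"{prefix} member is not an email address: {member!r}")
        return prefix
    if prefix == "domain":
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"domain member is not a domain: {member!r}")
        return "domain"
    if prefix in PROJECT_KINDS:
        if not _PROJECT_RE.match(value):
            raise ValueError(f"{prefix} member is not a project id: {member!r}")
        return prefix
    raise ValueError(f"unknown member prefix {prefix!r} in {member!r}")


def lint_members(members: list[str]) -> tuple[dict[str, str], list[str]]:
    """Classify every member; return (kind per member, findings).

    Findings are strings a reviewer acts on: ERROR for strings the API would
    reject, WARN for grants that make the resource publicly readable.
    """
    kinds: dict[str, str] = {}
    findings: list[str] = []
    for member in members:
        try:
            kinds[member] = classify_member(member)
        except ValueError as exc:
            findings.append(f"ERROR {exc}")
            continue
        if kinds[member] == "public":
            findings.append(f"WARN public access granted via {member}")
    return kinds, findings


if __name__ == "__main__":
    # Constructed sample: one good entry, one public grant, one typo.
    sample = ["user:jane@example.com", "allUsers", "bogus"]
    kinds, findings = lint_members(sample)
    print(kinds)
    for finding in findings:
        print(finding)
```

Run lint_members over the members list of a binding in a pre-commit or CI step; an ERROR blocks the apply that would have failed anyway, and a WARN makes a public grant an explicit review decision rather than something discovered later.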
For example, to grant read access use AspectTypeIamBinding or AspectTypeIamMember with role: "roles/viewer" and members: ["user:jane@example.com"].

Resource Identification
An AspectType is identified by aspectTypeId, location, and project. The location and project can be parsed from the parent resource identifier or taken from the provider configuration if not specified.