The gcp:dataplex/assetIamMember:AssetIamMember resource, part of the Pulumi GCP provider, manages IAM access to Dataplex assets by granting roles to individual members without affecting other members for that role. This guide focuses on three capabilities: single-member role grants, multi-member role bindings, and complete policy replacement.
Dataplex IAM resources reference existing assets within lakes and zones. AssetIamMember adds members non-authoritatively, AssetIamBinding manages all members for a role, and AssetIamPolicy replaces the entire policy. AssetIamPolicy cannot be used with the other two types; they will conflict over policy state. The examples are intentionally small. Combine them with your own Dataplex infrastructure and identity management.
Grant a role to a single member
Most IAM configurations start by granting a specific role to one identity, preserving existing members while adding new access.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// "example" is the existing gcp.dataplex.Asset this grant targets, defined elsewhere in the program.
const member = new gcp.dataplex.AssetIamMember("member", {
    project: example.project,
    location: example.location,
    lake: example.lake,
    dataplexZone: example.dataplexZone,
    asset: example.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});
```
```python
import pulumi
import pulumi_gcp as gcp

# "example" describes the existing Dataplex asset this grant targets, defined elsewhere in the program.
member = gcp.dataplex.AssetIamMember("member",
    project=example["project"],
    location=example["location"],
    lake=example["lake"],
    dataplex_zone=example["dataplexZone"],
    asset=example["name"],
    role="roles/viewer",
    member="user:jane@example.com")
```
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// "example" is the existing Dataplex asset this grant targets, defined elsewhere in the program.
		_, err := dataplex.NewAssetIamMember(ctx, "member", &dataplex.AssetIamMemberArgs{
			Project:      pulumi.Any(example.Project),
			Location:     pulumi.Any(example.Location),
			Lake:         pulumi.Any(example.Lake),
			DataplexZone: pulumi.Any(example.DataplexZone),
			Asset:        pulumi.Any(example.Name),
			Role:         pulumi.String("roles/viewer"),
			Member:       pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // "example" is the existing Dataplex asset this grant targets, defined elsewhere in the program.
    var member = new Gcp.DataPlex.AssetIamMember("member", new()
    {
        Project = example.Project,
        Location = example.Location,
        Lake = example.Lake,
        DataplexZone = example.DataplexZone,
        Asset = example.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.dataplex.AssetIamMember;
import com.pulumi.gcp.dataplex.AssetIamMemberArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // "example" is the existing Dataplex asset this grant targets, defined elsewhere in the program.
        var member = new AssetIamMember("member", AssetIamMemberArgs.builder()
            .project(example.project())
            .location(example.location())
            .lake(example.lake())
            .dataplexZone(example.dataplexZone())
            .asset(example.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());
    }
}
```
```yaml
resources:
  member:
    type: gcp:dataplex:AssetIamMember
    properties:
      project: ${example.project}
      location: ${example.location}
      lake: ${example.lake}
      dataplexZone: ${example.dataplexZone}
      asset: ${example.name}
      role: roles/viewer
      member: user:jane@example.com
```
The member property specifies the identity receiving access, using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property defines the permission level. The asset, dataplexZone, lake, and location properties identify which Dataplex asset receives the binding. This resource is non-authoritative: it adds one member without removing others who already have the role.
Grant a role to multiple members at once
When multiple identities need the same role, AssetIamBinding manages the complete member list for that role.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// "example" is the existing gcp.dataplex.Asset this binding targets, defined elsewhere in the program.
const binding = new gcp.dataplex.AssetIamBinding("binding", {
    project: example.project,
    location: example.location,
    lake: example.lake,
    dataplexZone: example.dataplexZone,
    asset: example.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});
```
```python
import pulumi
import pulumi_gcp as gcp

# "example" describes the existing Dataplex asset this binding targets, defined elsewhere in the program.
binding = gcp.dataplex.AssetIamBinding("binding",
    project=example["project"],
    location=example["location"],
    lake=example["lake"],
    dataplex_zone=example["dataplexZone"],
    asset=example["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])
```
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// "example" is the existing Dataplex asset this binding targets, defined elsewhere in the program.
		_, err := dataplex.NewAssetIamBinding(ctx, "binding", &dataplex.AssetIamBindingArgs{
			Project:      pulumi.Any(example.Project),
			Location:     pulumi.Any(example.Location),
			Lake:         pulumi.Any(example.Lake),
			DataplexZone: pulumi.Any(example.DataplexZone),
			Asset:        pulumi.Any(example.Name),
			Role:         pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // "example" is the existing Dataplex asset this binding targets, defined elsewhere in the program.
    var binding = new Gcp.DataPlex.AssetIamBinding("binding", new()
    {
        Project = example.Project,
        Location = example.Location,
        Lake = example.Lake,
        DataplexZone = example.DataplexZone,
        Asset = example.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.dataplex.AssetIamBinding;
import com.pulumi.gcp.dataplex.AssetIamBindingArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // "example" is the existing Dataplex asset this binding targets, defined elsewhere in the program.
        var binding = new AssetIamBinding("binding", AssetIamBindingArgs.builder()
            .project(example.project())
            .location(example.location())
            .lake(example.lake())
            .dataplexZone(example.dataplexZone())
            .asset(example.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());
    }
}
```
```yaml
resources:
  binding:
    type: gcp:dataplex:AssetIamBinding
    properties:
      project: ${example.project}
      location: ${example.location}
      lake: ${example.lake}
      dataplexZone: ${example.dataplexZone}
      asset: ${example.name}
      role: roles/viewer
      members:
        - user:jane@example.com
```
The members property lists all identities that should have the role. This resource is authoritative for the specified role: it replaces the member list for that role but preserves other roles on the asset. If you later remove a member from the list, that identity loses access.
Replace the entire IAM policy with a new definition
AssetIamPolicy replaces the entire IAM policy for an asset, removing any existing bindings not included in the new policy.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// getIAMPolicy renders the bindings below into a policy document; nothing else survives on the asset.
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
// "example" is the existing gcp.dataplex.Asset whose policy is replaced, defined elsewhere in the program.
const policy = new gcp.dataplex.AssetIamPolicy("policy", {
    project: example.project,
    location: example.location,
    lake: example.lake,
    dataplexZone: example.dataplexZone,
    asset: example.name,
    policyData: admin.then(admin => admin.policyData),
});
```
```python
import pulumi
import pulumi_gcp as gcp

# get_iam_policy renders the bindings below into a policy document; nothing else survives on the asset.
admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
# "example" describes the existing Dataplex asset whose policy is replaced, defined elsewhere in the program.
policy = gcp.dataplex.AssetIamPolicy("policy",
    project=example["project"],
    location=example["location"],
    lake=example["lake"],
    dataplex_zone=example["dataplexZone"],
    asset=example["name"],
    policy_data=admin.policy_data)
```
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// LookupIAMPolicy renders the bindings below into a policy document; nothing else survives on the asset.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/viewer",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// "example" is the existing Dataplex asset whose policy is replaced, defined elsewhere in the program.
		_, err = dataplex.NewAssetIamPolicy(ctx, "policy", &dataplex.AssetIamPolicyArgs{
			Project:      pulumi.Any(example.Project),
			Location:     pulumi.Any(example.Location),
			Lake:         pulumi.Any(example.Lake),
			DataplexZone: pulumi.Any(example.DataplexZone),
			Asset:        pulumi.Any(example.Name),
			PolicyData:   pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // GetIAMPolicy renders the bindings below into a policy document; nothing else survives on the asset.
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Role = "roles/viewer",
                Members = new[]
                {
                    "user:jane@example.com",
                },
            },
        },
    });

    // "example" is the existing Dataplex asset whose policy is replaced, defined elsewhere in the program.
    var policy = new Gcp.DataPlex.AssetIamPolicy("policy", new()
    {
        Project = example.Project,
        Location = example.Location,
        Lake = example.Lake,
        DataplexZone = example.DataplexZone,
        Asset = example.Name,
        PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyBindingArgs;
import com.pulumi.gcp.dataplex.AssetIamPolicy;
import com.pulumi.gcp.dataplex.AssetIamPolicyArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // getIAMPolicy renders the bindings below into a policy document; nothing else survives on the asset.
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/viewer")
                .members("user:jane@example.com")
                .build())
            .build());

        // "example" is the existing Dataplex asset whose policy is replaced, defined elsewhere in the program.
        var policy = new AssetIamPolicy("policy", AssetIamPolicyArgs.builder()
            .project(example.project())
            .location(example.location())
            .lake(example.lake())
            .dataplexZone(example.dataplexZone())
            .asset(example.name())
            .policyData(admin.policyData())
            .build());
    }
}
```
```yaml
resources:
  policy:
    type: gcp:dataplex:AssetIamPolicy
    properties:
      project: ${example.project}
      location: ${example.location}
      lake: ${example.lake}
      dataplexZone: ${example.dataplexZone}
      asset: ${example.name}
      policyData: ${admin.policyData}
variables:
  admin:
    fn::invoke:
      function: gcp:organizations:getIAMPolicy
      arguments:
        bindings:
          - role: roles/viewer
            members:
              - user:jane@example.com
```
The policyData property comes from getIAMPolicy, which constructs a policy document from bindings. Each binding pairs a role with a list of members. This resource is fully authoritative: it removes any roles and members not explicitly defined. You cannot use AssetIamPolicy alongside AssetIamBinding or AssetIamMember; they will conflict over what the policy should be.
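The three explanatory paragraphs above each describe what one resource type does to an asset's existing policy. The following added example (not provider code; the starting policy and identities are constructed sample data) models those three behaviours side by side and reports which existing grants each one would revoke:

```python
# Added illustration, not Pulumi provider code: models what each of the three
# Dataplex asset IAM resource types does to an asset's IAM policy, which is
# represented here as {role: set(members)}.
from copy import deepcopy

Policy = dict[str, set[str]]

def apply_member(policy: Policy, role: str, member: str) -> Policy:
    """AssetIamMember: non-authoritative. Adds one member; nobody is removed."""
    new = deepcopy(policy)
    new.setdefault(role, set()).add(member)
    return new

def apply_binding(policy: Policy, role: str, members: list[str]) -> Policy:
    """AssetIamBinding: authoritative for one role. Replaces that role's member
    list (anyone dropped from it loses access) but leaves other roles alone."""
    new = deepcopy(policy)
    new[role] = set(members)
    return new

def apply_policy(_current: Policy, bindings: list[dict]) -> Policy:
    """AssetIamPolicy: fully authoritative. Every role and member absent from
    the new bindings is removed, whatever the asset had before."""
    new: Policy = {}
    for b in bindings:
        new.setdefault(b["role"], set()).update(b["members"])
    return new

def revoked(before: Policy, after: Policy) -> set[tuple[str, str]]:
    """(role, member) pairs that had access before and no longer have it."""
    return {(r, m) for r, ms in before.items() for m in ms
            if m not in after.get(r, set())}

# Constructed starting state for one asset (sample data, not from the page).
CURRENT: Policy = {
    "roles/viewer": {"user:alice@example.com", "group:analysts@example.com"},
    "roles/editor": {"serviceAccount:etl@my-project.iam.gserviceaccount.com"},
}
JANE = "user:jane@example.com"   # the member each example on this page grants

if __name__ == "__main__":
    outcomes = {
        "AssetIamMember": apply_member(CURRENT, "roles/viewer", JANE),
        "AssetIamBinding": apply_binding(CURRENT, "roles/viewer", [JANE]),
        "AssetIamPolicy": apply_policy(CURRENT, [{"role": "roles/viewer", "members": [JANE]}]),
    }
    for name, after in outcomes.items():
        print(f"{name}: revokes {sorted(revoked(CURRENT, after)) or 'nothing'}")
```

Running it shows the Member grant revoking nothing, the Binding silently dropping alice and the analysts group from roles/viewer, and the Policy additionally stripping the ETL service account's editor role.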
Beyond these examples
These snippets focus on specific IAM management features: single-member grants (AssetIamMember), role-level member lists (AssetIamBinding), and complete policy replacement (AssetIamPolicy). They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Dataplex assets within lakes and zones, and GCP projects with configured locations. They focus on configuring IAM bindings rather than provisioning the Dataplex resources themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Federated identity and workload identity pool configuration
- Policy conflict resolution between resource types
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataplex AssetIamMember resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
gcp.dataplex.AssetIamPolicy is authoritative and replaces the entire IAM policy. gcp.dataplex.AssetIamBinding is authoritative for a specific role, preserving other roles in the policy. gcp.dataplex.AssetIamMember is non-authoritative, adding a single member to a role while preserving other members.

gcp.dataplex.AssetIamPolicy cannot be used with gcp.dataplex.AssetIamBinding or gcp.dataplex.AssetIamMember, as they will conflict over policy management. However, gcp.dataplex.AssetIamBinding and gcp.dataplex.AssetIamMember can be used together only if they don’t grant privileges to the same role.

Use gcp.dataplex.AssetIamPolicy when you need full control over the entire policy. Use gcp.dataplex.AssetIamBinding to manage all members for a specific role. Use gcp.dataplex.AssetIamMember to add individual members to a role without affecting other members.

Identity & Role Configuration

The member property supports: allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities (e.g., principal://iam.googleapis.com/...).

Custom roles must be referenced in the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

Resource Lifecycle

All properties (asset, dataplexZone, lake, location, member, project, role, condition) are immutable and require resource replacement if changed.
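The conflict rules and identity formats in the FAQ above are easy to get wrong in a large program. The following added pre-deployment check (not part of the Pulumi provider; resource names, the asset coordinates and the member values are constructed sample data) evaluates both rules over a set of resource declarations modelled as plain dicts keyed the way the YAML examples spell their properties:

```python
# Added pre-deployment check, not Pulumi provider code: applies the FAQ's two
# conflict rules and its member/role format rules to declared IAM resources.
import re

POLICY = "gcp:dataplex:AssetIamPolicy"
BINDING = "gcp:dataplex:AssetIamBinding"
MEMBER = "gcp:dataplex:AssetIamMember"
# Member formats listed in the FAQ; anything else is rejected before deploy.
MEMBER_RE = re.compile(
    r"^(allUsers|allAuthenticatedUsers"
    r"|(user|serviceAccount|group):[^@\s]+@[^@\s]+"
    r"|domain:[^\s/]+|project(Owner|Editor|Viewer):[^\s/]+"
    r"|principal://iam\.googleapis\.com/.+)$")
# Predefined roles, or custom roles in the [projects|organizations]/... form.
ROLE_RE = re.compile(r"^(roles/[\w.-]+|(projects|organizations)/[^/\s]+/roles/[\w.-]+)$")

def asset_key(r: dict) -> tuple:
    """The five properties that together identify one Dataplex asset."""
    return tuple(r[k] for k in ("project", "location", "lake", "dataplexZone", "asset"))

def validate_identity(r: dict) -> list[str]:
    """Format checks for the member(s) and role of one Member/Binding resource."""
    problems = []
    for m in ([r["member"]] if "member" in r else r.get("members", [])):
        if not MEMBER_RE.match(m):
            problems.append(f"{r['name']}: unsupported member format {m!r}")
    if "role" in r and not ROLE_RE.match(r["role"]):
        problems.append(f"{r['name']}: role {r['role']!r} is neither roles/... nor a custom role path")
    return problems

def find_conflicts(resources: list[dict]) -> list[str]:
    """The two conflict rules from the FAQ, evaluated per asset."""
    problems, by_asset = [], {}
    for r in resources:
        by_asset.setdefault(asset_key(r), []).append(r)
    for key, rs in by_asset.items():
        kinds = {r["type"] for r in rs}
        if POLICY in kinds and len(kinds) > 1:
            problems.append(f"{key[-1]}: AssetIamPolicy cannot be combined with Binding or Member")
        bound_roles = {r["role"] for r in rs if r["type"] == BINDING}
        for r in rs:
            if r["type"] == MEMBER and r["role"] in bound_roles:
                problems.append(f"{key[-1]}: Binding and Member both manage {r['role']}")
    return problems

# Constructed sample program: a binding and a member aimed at the same role,
# plus a member value that lacks its required prefix.
BASE = dict(project="my-project", location="us-central1", lake="lake", dataplexZone="zone", asset="asset")
SAMPLE = [
    dict(BASE, name="binding", type=BINDING, role="roles/viewer", members=["user:jane@example.com"]),
    dict(BASE, name="member", type=MEMBER, role="roles/viewer", member="bob@example.com"),
]
```

Call `find_conflicts(SAMPLE)` and `validate_identity(r)` for each resource before `pulumi up`; for the sample above they flag the shared roles/viewer role and the unprefixed member string.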