Manage GCP Dataplex Datascan IAM Bindings

The gcp:dataplex/datascanIamBinding:DatascanIamBinding resource, part of the Pulumi GCP provider, manages IAM access control for Dataplex Datascan resources by granting roles to members. This guide focuses on three capabilities: authoritative role binding (managing all members for one role), incremental member addition (non-authoritative), and complete policy replacement.

IAM resources for Datascans come in three types that serve different use cases but cannot be freely mixed. DatascanIamPolicy replaces the entire policy and conflicts with the other two types. DatascanIamBinding and DatascanIamMember can coexist only if they manage different roles. The examples are intentionally small. Combine them with your own datascan resources and identity management strategy.

Grant a role to multiple members at once

When you need to grant the same role to multiple users, service accounts, or groups, DatascanIamBinding manages all members for that role as a single unit.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.dataplex.DatascanIamBinding("binding", {
    project: basicProfile.project,
    location: basicProfile.location,
    dataScanId: basicProfile.dataScanId,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.dataplex.DatascanIamBinding("binding",
    project=basic_profile["project"],
    location=basic_profile["location"],
    data_scan_id=basic_profile["dataScanId"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataplex.NewDatascanIamBinding(ctx, "binding", &dataplex.DatascanIamBindingArgs{
			Project:    pulumi.Any(basicProfile.Project),
			Location:   pulumi.Any(basicProfile.Location),
			DataScanId: pulumi.Any(basicProfile.DataScanId),
			Role:       pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.DataPlex.DatascanIamBinding("binding", new()
    {
        Project = basicProfile.Project,
        Location = basicProfile.Location,
        DataScanId = basicProfile.DataScanId,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.DatascanIamBinding;
import com.pulumi.gcp.dataplex.DatascanIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new DatascanIamBinding("binding", DatascanIamBindingArgs.builder()
            .project(basicProfile.project())
            .location(basicProfile.location())
            .dataScanId(basicProfile.dataScanId())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:dataplex:DatascanIamBinding
    properties:
      project: ${basicProfile.project}
      location: ${basicProfile.location}
      dataScanId: ${basicProfile.dataScanId}
      role: roles/viewer
      members:
        - user:jane@example.com

The role property specifies which permission set to grant (e.g., “roles/viewer”). The members array lists all identities that receive this role. DatascanIamBinding is authoritative for its role: it replaces any existing members for that role but preserves other roles in the policy. The dataScanId, location, and project properties identify which datascan to configure.

Add a single member to a role incrementally

As access needs evolve, you can add individual members to roles without affecting existing grants.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.dataplex.DatascanIamMember("member", {
    project: basicProfile.project,
    location: basicProfile.location,
    dataScanId: basicProfile.dataScanId,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.dataplex.DatascanIamMember("member",
    project=basic_profile["project"],
    location=basic_profile["location"],
    data_scan_id=basic_profile["dataScanId"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataplex.NewDatascanIamMember(ctx, "member", &dataplex.DatascanIamMemberArgs{
			Project:    pulumi.Any(basicProfile.Project),
			Location:   pulumi.Any(basicProfile.Location),
			DataScanId: pulumi.Any(basicProfile.DataScanId),
			Role:       pulumi.String("roles/viewer"),
			Member:     pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.DataPlex.DatascanIamMember("member", new()
    {
        Project = basicProfile.Project,
        Location = basicProfile.Location,
        DataScanId = basicProfile.DataScanId,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.DatascanIamMember;
import com.pulumi.gcp.dataplex.DatascanIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new DatascanIamMember("member", DatascanIamMemberArgs.builder()
            .project(basicProfile.project())
            .location(basicProfile.location())
            .dataScanId(basicProfile.dataScanId())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:dataplex:DatascanIamMember
    properties:
      project: ${basicProfile.project}
      location: ${basicProfile.location}
      dataScanId: ${basicProfile.dataScanId}
      role: roles/viewer
      member: user:jane@example.com

The member property specifies one identity to add (note the singular form, unlike members in DatascanIamBinding). This resource is non-authoritative: it adds the specified member to the role without removing others. You can create multiple DatascanIamMember resources for the same role, and they’ll coexist peacefully. This approach works well when different teams or modules need to grant access independently.

Replace the entire IAM policy with a new definition

Organizations with strict access control sometimes need to define the complete IAM policy from scratch.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.dataplex.DatascanIamPolicy("policy", {
    project: basicProfile.project,
    location: basicProfile.location,
    dataScanId: basicProfile.dataScanId,
    policyData: admin.then(admin => admin.policyData),
});

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.dataplex.DatascanIamPolicy("policy",
    project=basic_profile["project"],
    location=basic_profile["location"],
    data_scan_id=basic_profile["dataScanId"],
    policy_data=admin.policy_data)

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/viewer",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = dataplex.NewDatascanIamPolicy(ctx, "policy", &dataplex.DatascanIamPolicyArgs{
			Project:    pulumi.Any(basicProfile.Project),
			Location:   pulumi.Any(basicProfile.Location),
			DataScanId: pulumi.Any(basicProfile.DataScanId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Role = "roles/viewer",
                Members = new[]
                {
                    "user:jane@example.com",
                },
            },
        },
    });

    var policy = new Gcp.DataPlex.DatascanIamPolicy("policy", new()
    {
        Project = basicProfile.Project,
        Location = basicProfile.Location,
        DataScanId = basicProfile.DataScanId,
        PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataplex.DatascanIamPolicy;
import com.pulumi.gcp.dataplex.DatascanIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/viewer")
                .members("user:jane@example.com")
                .build())
            .build());

        var policy = new DatascanIamPolicy("policy", DatascanIamPolicyArgs.builder()
            .project(basicProfile.project())
            .location(basicProfile.location())
            .dataScanId(basicProfile.dataScanId())
            .policyData(admin.policyData())
            .build());

    }
}

resources:
  policy:
    type: gcp:dataplex:DatascanIamPolicy
    properties:
      project: ${basicProfile.project}
      location: ${basicProfile.location}
      dataScanId: ${basicProfile.dataScanId}
      policyData: ${admin.policyData}
variables:
  admin:
    fn::invoke:
      function: gcp:organizations:getIAMPolicy
      arguments:
        bindings:
          - role: roles/viewer
            members:
              - user:jane@example.com

The policyData property accepts a complete IAM policy document, typically retrieved from getIAMPolicy. DatascanIamPolicy is authoritative: it replaces the entire policy, removing any grants not included in policyData. This resource cannot coexist with DatascanIamBinding or DatascanIamMember; they’ll conflict over policy ownership. Use this approach when you need centralized, declarative control over all datascan access.

Beyond these examples

These snippets focus on specific IAM management features: role-based access control (Binding vs Member) and authoritative policy replacement. They’re intentionally minimal rather than full access control systems.

The examples reference pre-existing infrastructure such as Dataplex Datascan resources (referenced by dataScanId) and GCP project and location configuration. They focus on configuring IAM access rather than provisioning the datascan itself.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Custom role definitions and formatting
Federated identity and workload identity pool configuration
Policy conflict resolution between resource types

These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Datascan IAM Binding resource reference for all available configuration options.

Let's manage GCP Dataplex Datascan IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between DatascanIamPolicy, DatascanIamBinding, and DatascanIamMember?

DatascanIamPolicy is authoritative and replaces the entire IAM policy. DatascanIamBinding is authoritative for a specific role, granting it to a list of members while preserving other roles. DatascanIamMember is non-authoritative, adding a single member to a role without affecting other members.

Can I use these IAM resources together?

DatascanIamPolicy cannot be used with DatascanIamBinding or DatascanIamMember as they will conflict over policy state. However, DatascanIamBinding and DatascanIamMember can be used together only if they don’t grant privileges to the same role.

Which resource should I use to add a single user without affecting others?

Use DatascanIamMember to add a single member to a role non-authoritatively. This preserves existing members for that role.

Configuration & Identity Formats

What member identity formats are supported?

The members property supports: allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....

How do I grant a role to multiple users at once?

Use DatascanIamBinding with the members array containing all user identities, such as ["user:jane@example.com", "user:john@example.com"].

How do I format custom roles?

Custom roles must use the full path format: [projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.

Import & Operations

What formats can I use when importing IAM resources?

You can import using: projects/{{project}}/locations/{{location}}/dataScans/{{data_scan_id}}, {{project}}/{{location}}/{{data_scan_id}}, {{location}}/{{data_scan_id}}, or just {{data_scan_id}}. Variables not provided are taken from the provider configuration.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides