The gcp:dataplex/entryTypeIamPolicy:EntryTypeIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Dataplex entry types. The Pulumi GCP provider offers three related resources for IAM management, each with different update semantics. This guide focuses on three approaches: authoritative policy replacement, role-level member management, and incremental member addition.
These resources reference existing Dataplex entry types and require project and location configuration. The examples are intentionally small. Combine them with your own entry type definitions and organizational IAM structure.
Replace the entire IAM policy for an entry type
When you need complete control over access, you can set the entire IAM policy at once, replacing any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.dataplex.EntryTypeIamPolicy("policy", {
project: testEntryTypeBasic.project,
location: testEntryTypeBasic.location,
entryTypeId: testEntryTypeBasic.entryTypeId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.dataplex.EntryTypeIamPolicy("policy",
project=test_entry_type_basic["project"],
location=test_entry_type_basic["location"],
entry_type_id=test_entry_type_basic["entryTypeId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataplex.NewEntryTypeIamPolicy(ctx, "policy", &dataplex.EntryTypeIamPolicyArgs{
Project: pulumi.Any(testEntryTypeBasic.Project),
Location: pulumi.Any(testEntryTypeBasic.Location),
EntryTypeId: pulumi.Any(testEntryTypeBasic.EntryTypeId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.DataPlex.EntryTypeIamPolicy("policy", new()
{
Project = testEntryTypeBasic.Project,
Location = testEntryTypeBasic.Location,
EntryTypeId = testEntryTypeBasic.EntryTypeId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataplex.EntryTypeIamPolicy;
import com.pulumi.gcp.dataplex.EntryTypeIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new EntryTypeIamPolicy("policy", EntryTypeIamPolicyArgs.builder()
.project(testEntryTypeBasic.project())
.location(testEntryTypeBasic.location())
.entryTypeId(testEntryTypeBasic.entryTypeId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:dataplex:EntryTypeIamPolicy
properties:
project: ${testEntryTypeBasic.project}
location: ${testEntryTypeBasic.location}
entryTypeId: ${testEntryTypeBasic.entryTypeId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The EntryTypeIamPolicy resource is authoritative: it replaces the complete IAM policy for the entry type. The policyData comes from the getIAMPolicy data source, which defines bindings (role-to-members mappings). This approach gives you full control but removes any bindings not explicitly listed.
Grant a role to multiple members at once
Teams often grant the same role to several users without affecting other role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.dataplex.EntryTypeIamBinding("binding", {
project: testEntryTypeBasic.project,
location: testEntryTypeBasic.location,
entryTypeId: testEntryTypeBasic.entryTypeId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.dataplex.EntryTypeIamBinding("binding",
project=test_entry_type_basic["project"],
location=test_entry_type_basic["location"],
entry_type_id=test_entry_type_basic["entryTypeId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewEntryTypeIamBinding(ctx, "binding", &dataplex.EntryTypeIamBindingArgs{
Project: pulumi.Any(testEntryTypeBasic.Project),
Location: pulumi.Any(testEntryTypeBasic.Location),
EntryTypeId: pulumi.Any(testEntryTypeBasic.EntryTypeId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.DataPlex.EntryTypeIamBinding("binding", new()
{
Project = testEntryTypeBasic.Project,
Location = testEntryTypeBasic.Location,
EntryTypeId = testEntryTypeBasic.EntryTypeId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.EntryTypeIamBinding;
import com.pulumi.gcp.dataplex.EntryTypeIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new EntryTypeIamBinding("binding", EntryTypeIamBindingArgs.builder()
.project(testEntryTypeBasic.project())
.location(testEntryTypeBasic.location())
.entryTypeId(testEntryTypeBasic.entryTypeId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:dataplex:EntryTypeIamBinding
properties:
project: ${testEntryTypeBasic.project}
location: ${testEntryTypeBasic.location}
entryTypeId: ${testEntryTypeBasic.entryTypeId}
role: roles/viewer
members:
- user:jane@example.com
The EntryTypeIamBinding resource is authoritative for a single role: it sets the complete member list for that role while preserving other roles. The members array can include users, service accounts, and groups. This resource cannot be used with EntryTypeIamPolicy (they conflict), but it can coexist with EntryTypeIamMember for different roles.
Add a single member to a role incrementally
When you want to grant access to one user without disturbing existing permissions, add individual members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataplex.EntryTypeIamMember("member", {
project: testEntryTypeBasic.project,
location: testEntryTypeBasic.location,
entryTypeId: testEntryTypeBasic.entryTypeId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataplex.EntryTypeIamMember("member",
project=test_entry_type_basic["project"],
location=test_entry_type_basic["location"],
entry_type_id=test_entry_type_basic["entryTypeId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewEntryTypeIamMember(ctx, "member", &dataplex.EntryTypeIamMemberArgs{
Project: pulumi.Any(testEntryTypeBasic.Project),
Location: pulumi.Any(testEntryTypeBasic.Location),
EntryTypeId: pulumi.Any(testEntryTypeBasic.EntryTypeId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataPlex.EntryTypeIamMember("member", new()
{
Project = testEntryTypeBasic.Project,
Location = testEntryTypeBasic.Location,
EntryTypeId = testEntryTypeBasic.EntryTypeId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.EntryTypeIamMember;
import com.pulumi.gcp.dataplex.EntryTypeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new EntryTypeIamMember("member", EntryTypeIamMemberArgs.builder()
.project(testEntryTypeBasic.project())
.location(testEntryTypeBasic.location())
.entryTypeId(testEntryTypeBasic.entryTypeId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataplex:EntryTypeIamMember
properties:
project: ${testEntryTypeBasic.project}
location: ${testEntryTypeBasic.location}
entryTypeId: ${testEntryTypeBasic.entryTypeId}
role: roles/viewer
member: user:jane@example.com
The EntryTypeIamMember resource is non-authoritative: it adds one member to a role without affecting other members. Use member (singular) instead of members (array). This resource can coexist with EntryTypeIamBinding as long as they don’t grant the same role.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative updates and policy-level, role-level, and member-level control. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Dataplex entry types (by entryTypeId) and GCP project and location configuration. They focus on IAM policy management rather than provisioning the underlying entry types.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Custom role definitions
- Service account creation and management
- Audit logging configuration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataplex EntryType IAM Policy resource reference for all available configuration options.
Let's manage GCP Dataplex Entry Type IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
Which IAM resources can I use together?
EntryTypeIamPolicy cannot be used with EntryTypeIamBinding or EntryTypeIamMember as they’ll conflict over the policy. However, EntryTypeIamBinding and EntryTypeIamMember can be used together if they manage different roles.Why am I getting conflicts between my IAM resources?
You’re likely mixing
EntryTypeIamPolicy (which replaces the entire policy) with EntryTypeIamBinding or EntryTypeIamMember. Use Policy alone, or use Binding/Member without Policy.Choosing the Right IAM Resource
What's the difference between the three IAM resources?
EntryTypeIamPolicy is authoritative and replaces the entire policy. EntryTypeIamBinding is authoritative per role and preserves other roles. EntryTypeIamMember is non-authoritative and preserves other members for the same role.Which IAM resource should I use?
Use
EntryTypeIamPolicy to manage the complete policy, EntryTypeIamBinding to manage all members for a specific role, or EntryTypeIamMember to add individual members without affecting others.Configuration & Usage
How do I grant a role to a single user?
Use
EntryTypeIamMember with role and member properties (e.g., member: "user:jane@example.com").How do I grant a role to multiple users at once?
Use
EntryTypeIamBinding with role and a members array (e.g., members: ["user:jane@example.com", "user:john@example.com"]).What properties can't be changed after creation?
entryTypeId, location, and project are all immutable and require resource replacement if changed.