The gcp:dataplex/entryTypeIamMember:EntryTypeIamMember resource, part of the Pulumi GCP provider, manages IAM access to Dataplex EntryType resources by granting roles to individual members without affecting other role assignments. This guide focuses on three capabilities: single-member role grants, multi-member role bindings, and authoritative policy replacement.
Dataplex provides three IAM resources for EntryTypes: EntryTypeIamMember (non-authoritative, adds one member), EntryTypeIamBinding (authoritative for a role, manages all members), and EntryTypeIamPolicy (authoritative for all roles, replaces entire policy). These resources cannot be mixed for the same EntryType without conflicts. The examples are intentionally small. Combine them with your own EntryType resources and access requirements.
Grant a role to a single member
Most access grants start by adding one user or service account to a role, preserving existing assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataplex.EntryTypeIamMember("member", {
project: testEntryTypeBasic.project,
location: testEntryTypeBasic.location,
entryTypeId: testEntryTypeBasic.entryTypeId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataplex.EntryTypeIamMember("member",
project=test_entry_type_basic["project"],
location=test_entry_type_basic["location"],
entry_type_id=test_entry_type_basic["entryTypeId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewEntryTypeIamMember(ctx, "member", &dataplex.EntryTypeIamMemberArgs{
Project: pulumi.Any(testEntryTypeBasic.Project),
Location: pulumi.Any(testEntryTypeBasic.Location),
EntryTypeId: pulumi.Any(testEntryTypeBasic.EntryTypeId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataPlex.EntryTypeIamMember("member", new()
{
Project = testEntryTypeBasic.Project,
Location = testEntryTypeBasic.Location,
EntryTypeId = testEntryTypeBasic.EntryTypeId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.EntryTypeIamMember;
import com.pulumi.gcp.dataplex.EntryTypeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new EntryTypeIamMember("member", EntryTypeIamMemberArgs.builder()
.project(testEntryTypeBasic.project())
.location(testEntryTypeBasic.location())
.entryTypeId(testEntryTypeBasic.entryTypeId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataplex:EntryTypeIamMember
properties:
project: ${testEntryTypeBasic.project}
location: ${testEntryTypeBasic.location}
entryTypeId: ${testEntryTypeBasic.entryTypeId}
role: roles/viewer
member: user:jane@example.com
The member property specifies who receives access using IAM identity formats (user:, serviceAccount:, group:, domain:). The role property defines the permission level. This resource is non-authoritative: it adds the member without removing others who already have the role.
Grant a role to multiple members at once
When several identities need the same role, binding them together ensures they’re managed as a group.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.dataplex.EntryTypeIamBinding("binding", {
project: testEntryTypeBasic.project,
location: testEntryTypeBasic.location,
entryTypeId: testEntryTypeBasic.entryTypeId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.dataplex.EntryTypeIamBinding("binding",
project=test_entry_type_basic["project"],
location=test_entry_type_basic["location"],
entry_type_id=test_entry_type_basic["entryTypeId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewEntryTypeIamBinding(ctx, "binding", &dataplex.EntryTypeIamBindingArgs{
Project: pulumi.Any(testEntryTypeBasic.Project),
Location: pulumi.Any(testEntryTypeBasic.Location),
EntryTypeId: pulumi.Any(testEntryTypeBasic.EntryTypeId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.DataPlex.EntryTypeIamBinding("binding", new()
{
Project = testEntryTypeBasic.Project,
Location = testEntryTypeBasic.Location,
EntryTypeId = testEntryTypeBasic.EntryTypeId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.EntryTypeIamBinding;
import com.pulumi.gcp.dataplex.EntryTypeIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new EntryTypeIamBinding("binding", EntryTypeIamBindingArgs.builder()
.project(testEntryTypeBasic.project())
.location(testEntryTypeBasic.location())
.entryTypeId(testEntryTypeBasic.entryTypeId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:dataplex:EntryTypeIamBinding
properties:
project: ${testEntryTypeBasic.project}
location: ${testEntryTypeBasic.location}
entryTypeId: ${testEntryTypeBasic.entryTypeId}
role: roles/viewer
members:
- user:jane@example.com
The members property accepts a list of IAM identities. This resource is authoritative for the specified role: it replaces all members for that role. Other roles on the EntryType remain unchanged.
Replace the entire IAM policy
Organizations managing policies externally can replace all role bindings in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.dataplex.EntryTypeIamPolicy("policy", {
project: testEntryTypeBasic.project,
location: testEntryTypeBasic.location,
entryTypeId: testEntryTypeBasic.entryTypeId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.dataplex.EntryTypeIamPolicy("policy",
project=test_entry_type_basic["project"],
location=test_entry_type_basic["location"],
entry_type_id=test_entry_type_basic["entryTypeId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataplex.NewEntryTypeIamPolicy(ctx, "policy", &dataplex.EntryTypeIamPolicyArgs{
Project: pulumi.Any(testEntryTypeBasic.Project),
Location: pulumi.Any(testEntryTypeBasic.Location),
EntryTypeId: pulumi.Any(testEntryTypeBasic.EntryTypeId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.DataPlex.EntryTypeIamPolicy("policy", new()
{
Project = testEntryTypeBasic.Project,
Location = testEntryTypeBasic.Location,
EntryTypeId = testEntryTypeBasic.EntryTypeId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataplex.EntryTypeIamPolicy;
import com.pulumi.gcp.dataplex.EntryTypeIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new EntryTypeIamPolicy("policy", EntryTypeIamPolicyArgs.builder()
.project(testEntryTypeBasic.project())
.location(testEntryTypeBasic.location())
.entryTypeId(testEntryTypeBasic.entryTypeId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:dataplex:EntryTypeIamPolicy
properties:
project: ${testEntryTypeBasic.project}
location: ${testEntryTypeBasic.location}
entryTypeId: ${testEntryTypeBasic.entryTypeId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts a complete IAM policy document from getIAMPolicy. This resource is fully authoritative: it replaces all roles and members on the EntryType. The bindings array in the policy defines all role assignments.
Beyond these examples
These snippets focus on specific IAM management approaches: incremental member grants, role binding management, and authoritative policy replacement. They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as Dataplex EntryType resources (testEntryTypeBasic) and a GCP project with Dataplex enabled. They focus on IAM configuration rather than EntryType provisioning.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions
- Policy retrieval via data sources
- Mixed use of Policy, Binding, and Member resources
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the EntryTypeIamMember resource reference for all available configuration options.
Let's manage GCP Dataplex EntryType IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
Why are my EntryType IAM resources conflicting?
EntryTypeIamPolicy cannot be used with EntryTypeIamBinding or EntryTypeIamMember because they manage policies differently and will conflict. Choose either the authoritative EntryTypeIamPolicy or the incremental EntryTypeIamBinding/EntryTypeIamMember approach.Can I use EntryTypeIamBinding and EntryTypeIamMember together?
Yes, but only if they don’t grant privileges to the same role. Each role must be managed by only one resource type to avoid conflicts.
Resource Selection
What's the difference between EntryTypeIamPolicy, EntryTypeIamBinding, and EntryTypeIamMember?
Three management approaches with different scopes:
- EntryTypeIamPolicy: Authoritative for entire policy (replaces all existing bindings)
- EntryTypeIamBinding: Authoritative per role (manages all members for one role, preserves other roles)
- EntryTypeIamMember: Non-authoritative (adds individual members without affecting others)
Which IAM resource should I use to add a single user without affecting existing permissions?
Use
EntryTypeIamMember, which is non-authoritative and preserves existing members for the role.IAM Configuration
What member identity formats are supported?
Supported formats include:
- allUsers / allAuthenticatedUsers: Public or authenticated access
- user:{email}: Specific Google account (e.g.,
user:jane@example.com) - serviceAccount:{email}: Service account
- group:{email}: Google group
- domain:{domain}: All users in a G Suite domain
- projectOwner/Editor/Viewer:{projectid}: Project-level roles
- Federated identities: Workload/workforce identity pools (see Principal identifiers documentation)
How do I specify custom IAM roles?
Custom roles must use the format
[projects|organizations]/{parent-name}/roles/{role-name} (e.g., projects/my-project/roles/my-custom-role).What properties are immutable after creation?
All core properties are immutable:
entryTypeId, location, member, role, project, and condition. Changes require resource replacement.Common Tasks
How do I grant a role to multiple users?
Use
EntryTypeIamBinding with a members array containing all identities (e.g., ["user:jane@example.com", "user:john@example.com"]) for the specified role.