The gcp:dataplex/entryTypeIamMember:EntryTypeIamMember resource, part of the Pulumi GCP provider, grants IAM roles to individual members on Dataplex EntryType resources without affecting other members with the same role. This guide focuses on one capability: non-authoritative single-member role grants.
This resource is one of three IAM management options for EntryTypes. EntryTypeIamPolicy replaces the entire policy (authoritative), EntryTypeIamBinding manages all members for a specific role (authoritative for that role), and EntryTypeIamMember adds individual members (non-authoritative). The EntryTypeIamMember approach preserves existing access when you add new members. The examples reference an existing EntryType. Combine them with your own EntryType resources and member identities.
Grant a role to a single member
Most IAM configurations start by granting a specific role to one user or service account, preserving other members who already have the same role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataplex.EntryTypeIamMember("member", {
project: testEntryTypeBasic.project,
location: testEntryTypeBasic.location,
entryTypeId: testEntryTypeBasic.entryTypeId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataplex.EntryTypeIamMember("member",
project=test_entry_type_basic["project"],
location=test_entry_type_basic["location"],
entry_type_id=test_entry_type_basic["entryTypeId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewEntryTypeIamMember(ctx, "member", &dataplex.EntryTypeIamMemberArgs{
Project: pulumi.Any(testEntryTypeBasic.Project),
Location: pulumi.Any(testEntryTypeBasic.Location),
EntryTypeId: pulumi.Any(testEntryTypeBasic.EntryTypeId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataPlex.EntryTypeIamMember("member", new()
{
Project = testEntryTypeBasic.Project,
Location = testEntryTypeBasic.Location,
EntryTypeId = testEntryTypeBasic.EntryTypeId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.EntryTypeIamMember;
import com.pulumi.gcp.dataplex.EntryTypeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new EntryTypeIamMember("member", EntryTypeIamMemberArgs.builder()
.project(testEntryTypeBasic.project())
.location(testEntryTypeBasic.location())
.entryTypeId(testEntryTypeBasic.entryTypeId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataplex:EntryTypeIamMember
properties:
project: ${testEntryTypeBasic.project}
location: ${testEntryTypeBasic.location}
entryTypeId: ${testEntryTypeBasic.entryTypeId}
role: roles/viewer
member: user:jane@example.com
The member property specifies who receives access using formats like “user:jane@example.com” for Google accounts, “serviceAccount:app@project.iam.gserviceaccount.com” for service accounts, or “group:team@example.com” for groups. The role property defines the permission level (predefined roles like “roles/viewer” or custom roles in the format “projects/my-project/roles/custom-role”). The entryTypeId, location, and project properties identify which EntryType resource to grant access to. This non-authoritative approach means other members with the same role remain unchanged.
Beyond these examples
This snippet focuses on single-member role grants. It’s intentionally minimal rather than a complete IAM configuration.
The example references pre-existing infrastructure such as Dataplex EntryType resources and GCP project and location configuration. It focuses on granting access to one member rather than managing complete policies.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Multiple members per role (use EntryTypeIamBinding)
- Complete policy replacement (use EntryTypeIamPolicy)
- Service account and group identities
These omissions are intentional: the goal is to illustrate how single-member grants are wired, not provide drop-in IAM modules. See the EntryTypeIamMember resource reference for all available configuration options.
Let's manage GCP Dataplex EntryType IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
EntryTypeIamPolicy is fully authoritative and replaces the entire IAM policy. EntryTypeIamBinding is authoritative for a specific role but preserves other roles. EntryTypeIamMember is non-authoritative and preserves other members for the same role.EntryTypeIamPolicy cannot be used with EntryTypeIamBinding or EntryTypeIamMember as they’ll conflict. However, EntryTypeIamBinding and EntryTypeIamMember can be used together only if they don’t grant the same role.Configuration & Identity Formats
You can use:
- Special identifiers:
allUsers,allAuthenticatedUsers - User accounts:
user:{emailid}(e.g.,user:alice@gmail.com) - Service accounts:
serviceAccount:{emailid} - Groups:
group:{emailid} - Domains:
domain:{domain}(G Suite primary domain) - Project roles:
projectOwner:projectid,projectEditor:projectid,projectViewer:projectid - Federated identities:
principal://iam.googleapis.com/...(see Principal identifiers documentation)
[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.