The gcp:dataplex/lakeIamPolicy:LakeIamPolicy resource, part of the Pulumi GCP provider, manages IAM permissions for Dataplex Lakes using authoritative policy replacement. This guide focuses on three approaches: authoritative policy replacement (LakeIamPolicy), role-level member lists (LakeIamBinding), and incremental member grants (LakeIamMember).
These three resources serve different use cases and have different conflict behaviors. LakeIamPolicy replaces the entire policy and cannot coexist with LakeIamBinding or LakeIamMember. LakeIamBinding and LakeIamMember can work together if they manage different roles. All three reference an existing Dataplex Lake by project, location, and name. The examples are intentionally small. Combine them with your own lake infrastructure and role definitions.
Replace the entire IAM policy for a lake
When you need complete control over lake access, you can set the entire IAM policy at once, replacing any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.dataplex.LakeIamPolicy("policy", {
project: example.project,
location: example.location,
lake: example.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.dataplex.LakeIamPolicy("policy",
project=example["project"],
location=example["location"],
lake=example["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataplex.NewLakeIamPolicy(ctx, "policy", &dataplex.LakeIamPolicyArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
Lake: pulumi.Any(example.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.DataPlex.LakeIamPolicy("policy", new()
{
Project = example.Project,
Location = example.Location,
Lake = example.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataplex.LakeIamPolicy;
import com.pulumi.gcp.dataplex.LakeIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new LakeIamPolicy("policy", LakeIamPolicyArgs.builder()
.project(example.project())
.location(example.location())
.lake(example.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:dataplex:LakeIamPolicy
properties:
project: ${example.project}
location: ${example.location}
lake: ${example.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts output from the getIAMPolicy data source, which defines bindings between roles and members. This resource is authoritative: it replaces any existing IAM policy on the lake. Use this when you want to manage all permissions in one place, but avoid combining it with LakeIamBinding or LakeIamMember resources on the same lake.
Grant a role to multiple members at once
Teams often need to grant the same role to several users or service accounts without affecting other role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.dataplex.LakeIamBinding("binding", {
project: example.project,
location: example.location,
lake: example.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.dataplex.LakeIamBinding("binding",
project=example["project"],
location=example["location"],
lake=example["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewLakeIamBinding(ctx, "binding", &dataplex.LakeIamBindingArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
Lake: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.DataPlex.LakeIamBinding("binding", new()
{
Project = example.Project,
Location = example.Location,
Lake = example.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.LakeIamBinding;
import com.pulumi.gcp.dataplex.LakeIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new LakeIamBinding("binding", LakeIamBindingArgs.builder()
.project(example.project())
.location(example.location())
.lake(example.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:dataplex:LakeIamBinding
properties:
project: ${example.project}
location: ${example.location}
lake: ${example.name}
role: roles/viewer
members:
- user:jane@example.com
The members property lists all identities that should have the specified role. This resource is authoritative for the given role: it replaces all members for that role but preserves other roles on the lake. You can use multiple LakeIamBinding resources on the same lake as long as they manage different roles.
Add a single member to a role incrementally
When you need to grant access to one user without disturbing existing permissions, non-authoritative member grants preserve other assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataplex.LakeIamMember("member", {
project: example.project,
location: example.location,
lake: example.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataplex.LakeIamMember("member",
project=example["project"],
location=example["location"],
lake=example["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewLakeIamMember(ctx, "member", &dataplex.LakeIamMemberArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
Lake: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataPlex.LakeIamMember("member", new()
{
Project = example.Project,
Location = example.Location,
Lake = example.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.LakeIamMember;
import com.pulumi.gcp.dataplex.LakeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new LakeIamMember("member", LakeIamMemberArgs.builder()
.project(example.project())
.location(example.location())
.lake(example.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataplex:LakeIamMember
properties:
project: ${example.project}
location: ${example.location}
lake: ${example.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies a single identity to grant the role. Unlike LakeIamBinding, this resource is non-authoritative: it adds the member without affecting other members who already have the same role. Use this when you want to grant access incrementally or when multiple teams manage permissions independently.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative IAM management, and policy, binding, and member-level grants. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Dataplex Lakes (project, location, name). They focus on IAM permission assignment rather than provisioning the lake itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Custom roles and organization-level roles
- Multiple role assignments in a single resource
- IAM policy retrieval (data source usage)
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataplex LakeIamPolicy resource reference for all available configuration options.
Let's manage IAM Policies for GCP Dataplex Lakes
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
LakeIamPolicy is authoritative and replaces the entire IAM policy. LakeIamBinding is authoritative for a specific role, preserving other roles. LakeIamMember is non-authoritative, adding a single member while preserving other members for that role.LakeIamPolicy cannot be used with LakeIamBinding or LakeIamMember because they’ll conflict over the policy configuration.Configuration & Setup
gcp.organizations.getIAMPolicy data source with your desired bindings, then pass its policyData output to the LakeIamPolicy resource.Import & Custom Roles
[projects/my-project|organizations/my-org]/roles/my-custom-role.