Manage GCP Dataplex Lake IAM Permissions

The gcp:dataplex/lakeIamBinding:LakeIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Dataplex lakes. It provides authoritative control over which identities have a specific role while preserving other role assignments. This guide focuses on two capabilities: authoritative role binding with multiple members and non-authoritative single member addition.

IAM bindings reference existing Dataplex lakes and require valid project and location identifiers. The examples are intentionally small. Combine them with your own lake infrastructure and identity management strategy.

Grant a role to multiple members

Teams managing lakes often need to grant the same role to multiple users or service accounts at once.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.dataplex.LakeIamBinding("binding", {
    project: example.project,
    location: example.location,
    lake: example.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.dataplex.LakeIamBinding("binding",
    project=example["project"],
    location=example["location"],
    lake=example["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataplex.NewLakeIamBinding(ctx, "binding", &dataplex.LakeIamBindingArgs{
			Project:  pulumi.Any(example.Project),
			Location: pulumi.Any(example.Location),
			Lake:     pulumi.Any(example.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.DataPlex.LakeIamBinding("binding", new()
    {
        Project = example.Project,
        Location = example.Location,
        Lake = example.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.LakeIamBinding;
import com.pulumi.gcp.dataplex.LakeIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new LakeIamBinding("binding", LakeIamBindingArgs.builder()
            .project(example.project())
            .location(example.location())
            .lake(example.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:dataplex:LakeIamBinding
    properties:
      project: ${example.project}
      location: ${example.location}
      lake: ${example.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The role property specifies which permission set to grant (e.g., “roles/viewer”). The members array lists all identities that should have this role; LakeIamBinding authoritatively controls this list, meaning it replaces any existing members for this role. The lake, location, and project properties identify which Dataplex lake to configure.

Add a single member to a role

When you need to grant access to one additional user without affecting existing members, use LakeIamMember for non-authoritative updates.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.dataplex.LakeIamMember("member", {
    project: example.project,
    location: example.location,
    lake: example.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.dataplex.LakeIamMember("member",
    project=example["project"],
    location=example["location"],
    lake=example["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataplex.NewLakeIamMember(ctx, "member", &dataplex.LakeIamMemberArgs{
			Project:  pulumi.Any(example.Project),
			Location: pulumi.Any(example.Location),
			Lake:     pulumi.Any(example.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.DataPlex.LakeIamMember("member", new()
    {
        Project = example.Project,
        Location = example.Location,
        Lake = example.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.LakeIamMember;
import com.pulumi.gcp.dataplex.LakeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new LakeIamMember("member", LakeIamMemberArgs.builder()
            .project(example.project())
            .location(example.location())
            .lake(example.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:dataplex:LakeIamMember
    properties:
      project: ${example.project}
      location: ${example.location}
      lake: ${example.name}
      role: roles/viewer
      member: user:jane@example.com

Unlike LakeIamBinding, LakeIamMember adds a single identity to a role without replacing existing members. The member property (singular) specifies one identity to add. This approach works well when multiple teams manage access independently, as each LakeIamMember resource only affects its own identity.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as Dataplex lakes. They focus on configuring IAM bindings rather than provisioning the lakes themselves.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Full policy replacement (LakeIamPolicy resource)
Custom role definitions
Federated identity configuration

These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the Dataplex LakeIamBinding resource reference for all available configuration options.

Let's manage GCP Dataplex Lake IAM Permissions

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Compatibility

What's the difference between LakeIamPolicy, LakeIamBinding, and LakeIamMember?

gcp.dataplex.LakeIamPolicy is authoritative and replaces the entire IAM policy. gcp.dataplex.LakeIamBinding is authoritative for a specific role, preserving other roles. gcp.dataplex.LakeIamMember is non-authoritative, adding a single member to a role while preserving other members.

Which IAM resources can I use together?

gcp.dataplex.LakeIamPolicy cannot be used with gcp.dataplex.LakeIamBinding or gcp.dataplex.LakeIamMember, as they will conflict. However, gcp.dataplex.LakeIamBinding and gcp.dataplex.LakeIamMember can be used together if they don’t grant privileges to the same role.

When should I use LakeIamBinding vs LakeIamMember?

Use gcp.dataplex.LakeIamBinding when you want to authoritatively manage all members for a specific role. Use gcp.dataplex.LakeIamMember when you want to add individual members without affecting other members of the same role.

Configuration & Member Types

What member identity types can I grant access to?

You can grant access to allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities (e.g., principal://iam.googleapis.com/...).

How do I specify a custom role?

Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

Using a different cloud?

Explore iam guides for other cloud providers:

AWS Guides Azure Guides