The gcp:dataplex/taskIamMember:TaskIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Dataplex tasks by adding individual members to roles without affecting other permissions. This guide focuses on three approaches: adding single members to roles (TaskIamMember), managing all members for a role (TaskIamBinding), and replacing entire IAM policies (TaskIamPolicy).
These resources reference existing Dataplex tasks and require valid IAM principals. The examples are intentionally small. Combine them with your own task infrastructure and identity management.
Grant a single user access to a task
Most IAM configurations start by granting individual users or service accounts access to specific resources without disrupting existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataplex.TaskIamMember("member", {
project: example.project,
location: example.location,
lake: example.lake,
taskId: example.taskId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataplex.TaskIamMember("member",
project=example["project"],
location=example["location"],
lake=example["lake"],
task_id=example["taskId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewTaskIamMember(ctx, "member", &dataplex.TaskIamMemberArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
Lake: pulumi.Any(example.Lake),
TaskId: pulumi.Any(example.TaskId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.DataPlex.TaskIamMember("member", new()
{
Project = example.Project,
Location = example.Location,
Lake = example.Lake,
TaskId = example.TaskId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.TaskIamMember;
import com.pulumi.gcp.dataplex.TaskIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new TaskIamMember("member", TaskIamMemberArgs.builder()
.project(example.project())
.location(example.location())
.lake(example.lake())
.taskId(example.taskId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataplex:TaskIamMember
properties:
project: ${example.project}
location: ${example.location}
lake: ${example.lake}
taskId: ${example.taskId}
role: roles/viewer
member: user:jane@example.com
The member property specifies one identity (user, service account, or group) to add to the role. The role property defines what permissions that identity receives. TaskIamMember is non-authoritative: it adds this one member without removing others who already have the same role or different roles on the task. The taskId, lake, location, and project properties identify which Dataplex task receives the permission.
Grant a role to multiple members at once
When multiple users or service accounts need the same level of access, TaskIamBinding manages all members for a single role as a group.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.dataplex.TaskIamBinding("binding", {
project: example.project,
location: example.location,
lake: example.lake,
taskId: example.taskId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.dataplex.TaskIamBinding("binding",
project=example["project"],
location=example["location"],
lake=example["lake"],
task_id=example["taskId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataplex.NewTaskIamBinding(ctx, "binding", &dataplex.TaskIamBindingArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
Lake: pulumi.Any(example.Lake),
TaskId: pulumi.Any(example.TaskId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.DataPlex.TaskIamBinding("binding", new()
{
Project = example.Project,
Location = example.Location,
Lake = example.Lake,
TaskId = example.TaskId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataplex.TaskIamBinding;
import com.pulumi.gcp.dataplex.TaskIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TaskIamBinding("binding", TaskIamBindingArgs.builder()
.project(example.project())
.location(example.location())
.lake(example.lake())
.taskId(example.taskId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:dataplex:TaskIamBinding
properties:
project: ${example.project}
location: ${example.location}
lake: ${example.lake}
taskId: ${example.taskId}
role: roles/viewer
members:
- user:jane@example.com
The members property lists all identities that should have this role. TaskIamBinding is authoritative for the specified role: it sets the complete member list, removing any members not in the array. Other roles on the task remain unchanged. You can use TaskIamBinding alongside TaskIamMember as long as they don’t both manage the same role.
Replace the entire IAM policy for a task
Organizations that manage IAM policies centrally often need to set the complete policy in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.dataplex.TaskIamPolicy("policy", {
project: example.project,
location: example.location,
lake: example.lake,
taskId: example.taskId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.dataplex.TaskIamPolicy("policy",
project=example["project"],
location=example["location"],
lake=example["lake"],
task_id=example["taskId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataplex"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataplex.NewTaskIamPolicy(ctx, "policy", &dataplex.TaskIamPolicyArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
Lake: pulumi.Any(example.Lake),
TaskId: pulumi.Any(example.TaskId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.DataPlex.TaskIamPolicy("policy", new()
{
Project = example.Project,
Location = example.Location,
Lake = example.Lake,
TaskId = example.TaskId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataplex.TaskIamPolicy;
import com.pulumi.gcp.dataplex.TaskIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new TaskIamPolicy("policy", TaskIamPolicyArgs.builder()
.project(example.project())
.location(example.location())
.lake(example.lake())
.taskId(example.taskId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:dataplex:TaskIamPolicy
properties:
project: ${example.project}
location: ${example.location}
lake: ${example.lake}
taskId: ${example.taskId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property contains the complete IAM policy, typically retrieved from getIAMPolicy or constructed inline. TaskIamPolicy is fully authoritative: it replaces the entire policy, removing any roles or members not included in policyData. This resource conflicts with both TaskIamMember and TaskIamBinding; using them together causes Pulumi to fight over the policy state.
Beyond these examples
These snippets focus on specific IAM management approaches: incremental member addition (TaskIamMember), role-level member management (TaskIamBinding), and complete policy replacement (TaskIamPolicy). They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Dataplex tasks (identified by taskId, lake, location, project) and IAM principals (users, service accounts, groups). They focus on configuring permissions rather than provisioning the tasks themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Federated identity configuration
- Policy conflict resolution between resource types
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataplex TaskIamMember resource reference for all available configuration options.
Let's manage GCP Dataplex Task IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
TaskIamPolicy is authoritative and replaces the entire IAM policy. TaskIamBinding is authoritative for a specific role, managing all members for that role. TaskIamMember is non-authoritative, adding individual members without affecting other members for the same role.TaskIamPolicy cannot be used with TaskIamBinding or TaskIamMember because they will conflict over the policy.Identity & Role Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, or federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.