Manage GCP Dataproc Cluster IAM Permissions

The gcp:dataproc/clusterIAMBinding:ClusterIAMBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Dataproc clusters, controlling which identities can access cluster resources. This guide focuses on two capabilities: authoritative role binding with ClusterIAMBinding and non-authoritative member addition with ClusterIAMMember.

These resources reference existing Dataproc clusters and use the provider’s default project and region unless specified. The examples are intentionally small. Combine them with your own cluster infrastructure and identity management strategy.

Grant a role to multiple members with ClusterIAMBinding

Teams managing cluster access often need to grant a specific role to multiple users or service accounts at once.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const editor = new gcp.dataproc.ClusterIAMBinding("editor", {
    cluster: "your-dataproc-cluster",
    role: "roles/editor",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

editor = gcp.dataproc.ClusterIAMBinding("editor",
    cluster="your-dataproc-cluster",
    role="roles/editor",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataproc.NewClusterIAMBinding(ctx, "editor", &dataproc.ClusterIAMBindingArgs{
			Cluster: pulumi.String("your-dataproc-cluster"),
			Role:    pulumi.String("roles/editor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var editor = new Gcp.Dataproc.ClusterIAMBinding("editor", new()
    {
        Cluster = "your-dataproc-cluster",
        Role = "roles/editor",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMBinding;
import com.pulumi.gcp.dataproc.ClusterIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var editor = new ClusterIAMBinding("editor", ClusterIAMBindingArgs.builder()
            .cluster("your-dataproc-cluster")
            .role("roles/editor")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  editor:
    type: gcp:dataproc:ClusterIAMBinding
    properties:
      cluster: your-dataproc-cluster
      role: roles/editor
      members:
        - user:jane@example.com

ClusterIAMBinding is authoritative for the specified role: it replaces all existing members for that role with the members list you provide. The cluster property identifies the target cluster, role specifies the IAM role to grant, and members lists the identities receiving access. Each member follows GCP’s identity format (user:email, serviceAccount:email, group:email, or special identifiers like allUsers).

Add a single member to a role with ClusterIAMMember

When you need to grant access to one additional user without affecting other members of the role, ClusterIAMMember adds a single identity non-authoritatively.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const editor = new gcp.dataproc.ClusterIAMMember("editor", {
    cluster: "your-dataproc-cluster",
    role: "roles/editor",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

editor = gcp.dataproc.ClusterIAMMember("editor",
    cluster="your-dataproc-cluster",
    role="roles/editor",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataproc.NewClusterIAMMember(ctx, "editor", &dataproc.ClusterIAMMemberArgs{
			Cluster: pulumi.String("your-dataproc-cluster"),
			Role:    pulumi.String("roles/editor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var editor = new Gcp.Dataproc.ClusterIAMMember("editor", new()
    {
        Cluster = "your-dataproc-cluster",
        Role = "roles/editor",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMMember;
import com.pulumi.gcp.dataproc.ClusterIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var editor = new ClusterIAMMember("editor", ClusterIAMMemberArgs.builder()
            .cluster("your-dataproc-cluster")
            .role("roles/editor")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  editor:
    type: gcp:dataproc:ClusterIAMMember
    properties:
      cluster: your-dataproc-cluster
      role: roles/editor
      member: user:jane@example.com

Unlike ClusterIAMBinding, ClusterIAMMember is non-authoritative: it adds one member to a role without replacing existing members. Use member (singular) instead of members (plural) to specify a single identity. This approach works well when multiple teams manage access independently, as each ClusterIAMMember resource can add members without conflicting with others (as long as they target different roles or different members of the same role).

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control policies.

The examples reference pre-existing infrastructure such as Dataproc clusters and GCP project and region configuration. They focus on configuring access rather than provisioning clusters.

To keep things focused, common IAM patterns are omitted, including:

  • Full policy replacement (ClusterIAMPolicy)
  • Conditional IAM bindings (condition property)
  • Project and region specification (project, region properties)
  • Custom role formatting ([projects|organizations]/{parent}/roles/{name})

These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the Dataproc ClusterIAMBinding resource reference for all available configuration options.

Let's manage GCP Dataproc Cluster IAM Permissions

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts
Which IAM resource should I use for my Dataproc cluster?

Choose based on your management style:

  • ClusterIAMPolicy: Authoritative control of the entire IAM policy (replaces all existing permissions)
  • ClusterIAMBinding: Authoritative control of a specific role (preserves other roles)
  • ClusterIAMMember: Non-authoritative addition of individual members (preserves other members for the role)
Which IAM resources can I use together?
ClusterIAMPolicy cannot be used with ClusterIAMBinding or ClusterIAMMember as they’ll conflict over policy management. However, ClusterIAMBinding and ClusterIAMMember can be used together if they manage different roles.
What happens if I use ClusterIAMPolicy?
ClusterIAMPolicy replaces the entire IAM policy for the cluster. Be careful not to accidentally remove cluster ownership or other critical permissions when using this authoritative resource.
Configuration & Identity Management
What member identity formats are supported?

The members property accepts:

  • allUsers: Anyone on the internet
  • allAuthenticatedUsers: Anyone with a Google account
  • user:{email}: Specific Google account (e.g., alice@gmail.com)
  • serviceAccount:{email}: Service account (e.g., my-app@appspot.gserviceaccount.com)
  • group:{email}: Google group (e.g., admins@example.com)
  • domain:{domain}: G Suite domain (e.g., example.com)
What's the format for custom roles?
Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.
Can I use multiple ClusterIAMBinding resources for the same role?
No, only one ClusterIAMBinding can be used per role. If you need to add members to a role managed by ClusterIAMBinding, use ClusterIAMMember instead.
Immutability & Limitations
Can I change the cluster, project, region, or role after creation?
No, the cluster, project, region, role, and condition properties are all immutable. Changing any of these requires recreating the resource.

Using a different cloud?

Explore iam guides for other cloud providers:

AWS Guides Azure Guides