The gcp:dataproc/clusterIAMMember:ClusterIAMMember resource, part of the Pulumi GCP provider, grants IAM permissions to Dataproc clusters by adding individual members to roles without replacing existing permissions. This guide focuses on three capabilities: single-member role grants, multi-member role bindings, and authoritative policy replacement.
GCP provides three related resources for managing cluster IAM: ClusterIAMMember (non-authoritative, adds one member), ClusterIAMBinding (authoritative for a role, manages all members for that role), and ClusterIAMPolicy (authoritative for the entire policy, replaces all permissions). ClusterIAMPolicy cannot be used with the other two resources, as they will conflict. ClusterIAMBinding and ClusterIAMMember can coexist if they manage different roles. The examples are intentionally small. Combine them with your own cluster infrastructure and identity management.
Grant a single user access to a cluster
Most teams start by granting individual users or service accounts access to specific clusters without affecting other permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMMember("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMMember("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMMember(ctx, "editor", &dataproc.ClusterIAMMemberArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMMember("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMMember;
import com.pulumi.gcp.dataproc.ClusterIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMMember("editor", ClusterIAMMemberArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMMember
properties:
cluster: your-dataproc-cluster
role: roles/editor
member: user:jane@example.com
The member property specifies who receives access using GCP’s identity format (user:, serviceAccount:, group:, or domain:). The role property defines what permissions they get. ClusterIAMMember is non-authoritative: it adds this one member without removing others who already have the same role.
Grant a role to multiple members at once
When multiple users or service accounts need the same access level, binding them together simplifies management.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMBinding("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMBinding("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMBinding(ctx, "editor", &dataproc.ClusterIAMBindingArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMBinding("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMBinding;
import com.pulumi.gcp.dataproc.ClusterIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMBinding("editor", ClusterIAMBindingArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMBinding
properties:
cluster: your-dataproc-cluster
role: roles/editor
members:
- user:jane@example.com
ClusterIAMBinding uses members (plural) to assign a role to multiple identities in one operation. Unlike ClusterIAMMember, this resource is authoritative for the specified role: it replaces all members for that role with the list you provide. Other roles on the cluster remain unchanged.
Replace the entire IAM policy with a new definition
Some workflows require complete control over a cluster’s permissions, replacing all existing bindings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/editor",
members: ["user:jane@example.com"],
}],
});
const editor = new gcp.dataproc.ClusterIAMPolicy("editor", {
project: "your-project",
region: "your-region",
cluster: "your-dataproc-cluster",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/editor",
"members": ["user:jane@example.com"],
}])
editor = gcp.dataproc.ClusterIAMPolicy("editor",
project="your-project",
region="your-region",
cluster="your-dataproc-cluster",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/editor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataproc.NewClusterIAMPolicy(ctx, "editor", &dataproc.ClusterIAMPolicyArgs{
Project: pulumi.String("your-project"),
Region: pulumi.String("your-region"),
Cluster: pulumi.String("your-dataproc-cluster"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var editor = new Gcp.Dataproc.ClusterIAMPolicy("editor", new()
{
Project = "your-project",
Region = "your-region",
Cluster = "your-dataproc-cluster",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataproc.ClusterIAMPolicy;
import com.pulumi.gcp.dataproc.ClusterIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/editor")
.members("user:jane@example.com")
.build())
.build());
var editor = new ClusterIAMPolicy("editor", ClusterIAMPolicyArgs.builder()
.project("your-project")
.region("your-region")
.cluster("your-dataproc-cluster")
.policyData(admin.policyData())
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMPolicy
properties:
project: your-project
region: your-region
cluster: your-dataproc-cluster
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/editor
members:
- user:jane@example.com
ClusterIAMPolicy sets the complete IAM policy using policyData from getIAMPolicy. This resource is fully authoritative: it replaces every role binding on the cluster. The project and region properties explicitly scope the cluster reference. Use this carefully, as it can remove existing permissions including ownership.
Beyond these examples
These snippets focus on specific IAM management patterns: single-member and multi-member role grants, and authoritative policy replacement. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Dataproc clusters, and GCP project and region configuration. They focus on granting permissions rather than provisioning clusters or managing identities.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formats
- Service account and group member types
- Cross-project or cross-region cluster references
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataproc ClusterIAMMember resource reference for all available configuration options.
Let's manage GCP Dataproc Cluster IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
ClusterIAMPolicy is authoritative and replaces the entire IAM policy. ClusterIAMBinding is authoritative for a specific role, preserving other roles. ClusterIAMMember is non-authoritative, adding one member to a role while preserving other members.ClusterIAMPolicy cannot be used with ClusterIAMBinding or ClusterIAMMember, as they will conflict. ClusterIAMBinding and ClusterIAMMember can be used together only if they don’t grant privilege to the same role.ClusterIAMPolicy replaces the entire IAM policy, which can accidentally unset cluster ownership. Ensure all necessary bindings, including ownership, are included in your policy.Configuration & Formats
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, and domain:{domain} (e.g., user:jane@example.com or group:admins@example.com).[projects|organizations]/{parent-name}/roles/{role-name} (e.g., projects/my-project/roles/customRole).Immutability & Updates
cluster, member, project, region, and role. Changing any of these requires recreating the resource.