The gcp:dataproc/clusterIAMMember:ClusterIAMMember resource, part of the Pulumi GCP provider, manages IAM permissions on Dataproc clusters by adding individual members to roles without affecting other bindings. This guide focuses on three capabilities: single-member grants (ClusterIAMMember), role-level member management (ClusterIAMBinding), and full policy replacement (ClusterIAMPolicy).
These resources reference existing Dataproc clusters and use the provider’s default project and region unless specified. The examples are intentionally small. Combine them with your own cluster references and identity management strategy.
Grant a single user access to a cluster
Most teams start by granting individual users or service accounts access to specific clusters without affecting other IAM bindings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMMember("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMMember("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMMember(ctx, "editor", &dataproc.ClusterIAMMemberArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMMember("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMMember;
import com.pulumi.gcp.dataproc.ClusterIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMMember("editor", ClusterIAMMemberArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMMember
properties:
cluster: your-dataproc-cluster
role: roles/editor
member: user:jane@example.com
ClusterIAMMember adds one member to a role non-authoritatively. The cluster property identifies the target cluster, role specifies the IAM role (like “roles/editor”), and member identifies who receives access using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. Other members with the same role remain unchanged.
Manage all members for a single role
When you need to control the complete list of who has a specific role, ClusterIAMBinding replaces all members for that role while preserving other roles.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMBinding("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMBinding("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMBinding(ctx, "editor", &dataproc.ClusterIAMBindingArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMBinding("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMBinding;
import com.pulumi.gcp.dataproc.ClusterIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMBinding("editor", ClusterIAMBindingArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMBinding
properties:
cluster: your-dataproc-cluster
role: roles/editor
members:
- user:jane@example.com
ClusterIAMBinding is authoritative for one role. The members property takes an array of identities; anyone not in this list loses the specified role. This approach works well when you manage role membership as a group rather than adding members individually. You can use ClusterIAMBinding and ClusterIAMMember together as long as they target different roles.
Replace the entire IAM policy for a cluster
Some deployments require complete control over all IAM bindings, replacing any existing policy with a new authoritative definition.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/editor",
members: ["user:jane@example.com"],
}],
});
const editor = new gcp.dataproc.ClusterIAMPolicy("editor", {
project: "your-project",
region: "your-region",
cluster: "your-dataproc-cluster",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/editor",
"members": ["user:jane@example.com"],
}])
editor = gcp.dataproc.ClusterIAMPolicy("editor",
project="your-project",
region="your-region",
cluster="your-dataproc-cluster",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/editor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataproc.NewClusterIAMPolicy(ctx, "editor", &dataproc.ClusterIAMPolicyArgs{
Project: pulumi.String("your-project"),
Region: pulumi.String("your-region"),
Cluster: pulumi.String("your-dataproc-cluster"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var editor = new Gcp.Dataproc.ClusterIAMPolicy("editor", new()
{
Project = "your-project",
Region = "your-region",
Cluster = "your-dataproc-cluster",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataproc.ClusterIAMPolicy;
import com.pulumi.gcp.dataproc.ClusterIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/editor")
.members("user:jane@example.com")
.build())
.build());
var editor = new ClusterIAMPolicy("editor", ClusterIAMPolicyArgs.builder()
.project("your-project")
.region("your-region")
.cluster("your-dataproc-cluster")
.policyData(admin.policyData())
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMPolicy
properties:
project: your-project
region: your-region
cluster: your-dataproc-cluster
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/editor
members:
- user:jane@example.com
ClusterIAMPolicy replaces the entire IAM policy. The policyData property comes from getIAMPolicy, which constructs a policy document from bindings. This resource cannot coexist with ClusterIAMBinding or ClusterIAMMember; they will conflict over policy ownership. Use this only when you need full policy control and understand the risk of accidentally removing existing permissions.
Beyond these examples
These snippets focus on specific IAM management approaches: single-member grants (ClusterIAMMember), role-level member management (ClusterIAMBinding), and full policy replacement (ClusterIAMPolicy). They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as Dataproc clusters and GCP projects and regions. They focus on IAM binding configuration rather than cluster provisioning.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Project and region specification (uses provider defaults)
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataproc ClusterIAMMember resource reference for all available configuration options.
Let's manage GCP Dataproc Cluster IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
ClusterIAMPolicy cannot be used with ClusterIAMBinding or ClusterIAMMember as they will conflict. However, ClusterIAMBinding and ClusterIAMMember can be used together if they manage different roles.ClusterIAMPolicy is authoritative and replaces the entire IAM policy. ClusterIAMBinding is authoritative for a specific role, preserving other roles. ClusterIAMMember is non-authoritative and adds a single member to a role without affecting other members.ClusterIAMPolicy replaces the entire IAM policy. Ensure all necessary bindings, including ownership, are included when using this resource.Configuration & Formats
[projects|organizations]/{parent-name}/roles/{role-name} (e.g., projects/my-project/roles/my-custom-role).allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, and domain:{domain}.cluster, member, project, region, and role. Changes require resource replacement.member to serviceAccount:{emailid} format (e.g., serviceAccount:my-app@appspot.gserviceaccount.com).