The gcp:dataproc/clusterIAMPolicy:ClusterIAMPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Dataproc clusters at three levels: complete policy replacement (ClusterIAMPolicy), role-level member lists (ClusterIAMBinding), or individual member grants (ClusterIAMMember). This guide focuses on three capabilities: authoritative policy replacement, role-level member management, and non-authoritative member grants.
All three resources reference existing Dataproc clusters and require project/region context. The examples are intentionally small. Combine them with your own cluster infrastructure and organizational IAM policies.
Replace the entire IAM policy with a complete definition
When you need full control over all IAM bindings, ClusterIAMPolicy replaces the entire policy in one operation. This is useful for standardizing access across clusters or enforcing organization-wide policies.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/editor",
members: ["user:jane@example.com"],
}],
});
const editor = new gcp.dataproc.ClusterIAMPolicy("editor", {
project: "your-project",
region: "your-region",
cluster: "your-dataproc-cluster",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/editor",
"members": ["user:jane@example.com"],
}])
editor = gcp.dataproc.ClusterIAMPolicy("editor",
project="your-project",
region="your-region",
cluster="your-dataproc-cluster",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/editor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataproc.NewClusterIAMPolicy(ctx, "editor", &dataproc.ClusterIAMPolicyArgs{
Project: pulumi.String("your-project"),
Region: pulumi.String("your-region"),
Cluster: pulumi.String("your-dataproc-cluster"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var editor = new Gcp.Dataproc.ClusterIAMPolicy("editor", new()
{
Project = "your-project",
Region = "your-region",
Cluster = "your-dataproc-cluster",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataproc.ClusterIAMPolicy;
import com.pulumi.gcp.dataproc.ClusterIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/editor")
.members("user:jane@example.com")
.build())
.build());
var editor = new ClusterIAMPolicy("editor", ClusterIAMPolicyArgs.builder()
.project("your-project")
.region("your-region")
.cluster("your-dataproc-cluster")
.policyData(admin.policyData())
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMPolicy
properties:
project: your-project
region: your-region
cluster: your-dataproc-cluster
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/editor
members:
- user:jane@example.com
The policyData property accepts output from getIAMPolicy, which defines all role bindings in a single structure. When applied, this replaces the cluster’s entire IAM policy. The project, region, and cluster properties identify which cluster to update. ClusterIAMPolicy cannot be used alongside ClusterIAMBinding or ClusterIAMMember because they would conflict over policy ownership.
Grant a role to multiple members authoritatively
When you need to control exactly who has a specific role without affecting other roles, ClusterIAMBinding manages all members for that role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMBinding("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMBinding("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMBinding(ctx, "editor", &dataproc.ClusterIAMBindingArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMBinding("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMBinding;
import com.pulumi.gcp.dataproc.ClusterIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMBinding("editor", ClusterIAMBindingArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMBinding
properties:
cluster: your-dataproc-cluster
role: roles/editor
members:
- user:jane@example.com
The role property specifies which role to manage, and members lists all principals who should have that role. ClusterIAMBinding is authoritative for its role: it sets the complete member list, but preserves other roles in the policy. You can use multiple ClusterIAMBinding resources for different roles, or combine them with ClusterIAMMember resources as long as they don’t target the same role.
Add a single member to a role non-authoritatively
When multiple teams manage access to the same cluster, ClusterIAMMember adds individual members without affecting other members for the same role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMMember("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMMember("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMMember(ctx, "editor", &dataproc.ClusterIAMMemberArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMMember("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMMember;
import com.pulumi.gcp.dataproc.ClusterIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMMember("editor", ClusterIAMMemberArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMMember
properties:
cluster: your-dataproc-cluster
role: roles/editor
member: user:jane@example.com
The member property specifies a single principal to grant access. Unlike ClusterIAMBinding, this is non-authoritative: it adds one member without removing others. Multiple ClusterIAMMember resources can target the same role, making this the most granular option for distributed access management.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, and policy-level, role-level, and member-level control. They’re intentionally minimal rather than full access control solutions.
The examples reference pre-existing infrastructure such as Dataproc clusters, and GCP projects and regions. They focus on IAM policy configuration rather than provisioning the clusters themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Service account impersonation
- Custom role definitions
- IAM policy auditing and drift detection
These omissions are intentional: the goal is to illustrate how each IAM management approach is wired, not provide drop-in access control modules. See the Dataproc ClusterIAMPolicy resource reference for all available configuration options.
Let's configure GCP Dataproc Cluster IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
ClusterIAMPolicy is authoritative and replaces the entire IAM policy. ClusterIAMBinding is authoritative for a specific role but preserves other roles. ClusterIAMMember is non-authoritative and adds a single member while preserving other members for that role.ClusterIAMPolicy cannot be used with ClusterIAMBinding or ClusterIAMMember as they will conflict over policy control. Use ClusterIAMPolicy alone, or use ClusterIAMBinding/ClusterIAMMember without ClusterIAMPolicy.Configuration & Usage
gcp.organizations.getIAMPolicy data source to generate policy data, then pass it to the policyData property as shown in the examples.ClusterIAMPolicy replaces the entire IAM policy, which can accidentally remove existing permissions including cluster ownership. Ensure all necessary permissions are included in your policy data.Immutability & Limitations
cluster, project, and region properties are immutable and cannot be changed after creation.