The gcp:dataproc/clusterIAMPolicy:ClusterIAMPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Dataproc clusters, controlling who can access and operate cluster resources. This guide focuses on three approaches: authoritative policy replacement (ClusterIAMPolicy), role-level member binding (ClusterIAMBinding), and incremental member addition (ClusterIAMMember).
These resources reference existing Dataproc clusters and require project/region context. The examples are intentionally small. Combine them with your own cluster infrastructure and identity management strategy.
Replace the entire IAM policy for a cluster
When you need complete control over cluster permissions, you can define the entire IAM policy in one place and replace any existing access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/editor",
members: ["user:jane@example.com"],
}],
});
const editor = new gcp.dataproc.ClusterIAMPolicy("editor", {
project: "your-project",
region: "your-region",
cluster: "your-dataproc-cluster",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/editor",
"members": ["user:jane@example.com"],
}])
editor = gcp.dataproc.ClusterIAMPolicy("editor",
project="your-project",
region="your-region",
cluster="your-dataproc-cluster",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/editor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataproc.NewClusterIAMPolicy(ctx, "editor", &dataproc.ClusterIAMPolicyArgs{
Project: pulumi.String("your-project"),
Region: pulumi.String("your-region"),
Cluster: pulumi.String("your-dataproc-cluster"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var editor = new Gcp.Dataproc.ClusterIAMPolicy("editor", new()
{
Project = "your-project",
Region = "your-region",
Cluster = "your-dataproc-cluster",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataproc.ClusterIAMPolicy;
import com.pulumi.gcp.dataproc.ClusterIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/editor")
.members("user:jane@example.com")
.build())
.build());
var editor = new ClusterIAMPolicy("editor", ClusterIAMPolicyArgs.builder()
.project("your-project")
.region("your-region")
.cluster("your-dataproc-cluster")
.policyData(admin.policyData())
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMPolicy
properties:
project: your-project
region: your-region
cluster: your-dataproc-cluster
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/editor
members:
- user:jane@example.com
ClusterIAMPolicy is authoritative: it replaces the cluster’s entire IAM policy with the policyData you provide. The getIAMPolicy data source generates policy data from bindings you define. The cluster, project, and region properties identify which cluster to manage. This approach gives you complete control but can accidentally remove existing permissions if you’re not careful.
Grant a role to multiple members at once
Teams often need to assign the same role to several users without affecting other role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMBinding("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMBinding("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMBinding(ctx, "editor", &dataproc.ClusterIAMBindingArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMBinding("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMBinding;
import com.pulumi.gcp.dataproc.ClusterIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMBinding("editor", ClusterIAMBindingArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMBinding
properties:
cluster: your-dataproc-cluster
role: roles/editor
members:
- user:jane@example.com
ClusterIAMBinding is authoritative for a single role: it sets the complete member list for that role while preserving other roles on the cluster. The members property accepts a list of identities (users, service accounts, groups). This resource can coexist with ClusterIAMMember resources as long as they don’t manage the same role.
Add a single member to a role incrementally
When you want to grant access to one user without disturbing existing permissions, you can add members one at a time.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.dataproc.ClusterIAMMember("editor", {
cluster: "your-dataproc-cluster",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.dataproc.ClusterIAMMember("editor",
cluster="your-dataproc-cluster",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewClusterIAMMember(ctx, "editor", &dataproc.ClusterIAMMemberArgs{
Cluster: pulumi.String("your-dataproc-cluster"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.Dataproc.ClusterIAMMember("editor", new()
{
Cluster = "your-dataproc-cluster",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.ClusterIAMMember;
import com.pulumi.gcp.dataproc.ClusterIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new ClusterIAMMember("editor", ClusterIAMMemberArgs.builder()
.cluster("your-dataproc-cluster")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:dataproc:ClusterIAMMember
properties:
cluster: your-dataproc-cluster
role: roles/editor
member: user:jane@example.com
ClusterIAMMember is non-authoritative: it adds one member to a role without affecting other members who already have that role. The member property takes a single identity string. You can create multiple ClusterIAMMember resources for the same role, and they’ll combine additively. This is the safest option when you don’t want to manage the complete member list.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative policy replacement, role-level binding management, and incremental member addition. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Dataproc clusters and GCP project and region configuration. They focus on IAM policy structure rather than cluster provisioning.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Service account impersonation
- Custom role definitions
- IAM policy auditing and drift detection
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataproc ClusterIAMPolicy resource reference for all available configuration options.
Let's configure GCP Dataproc Cluster IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
ClusterIAMPolicy cannot be used alongside ClusterIAMBinding or ClusterIAMMember because they will conflict over the policy configuration.ClusterIAMPolicy replaces the entire IAM policy, so you can accidentally remove existing permissions including cluster ownership. Ensure all necessary bindings are included in your policy data.Resource Selection
Choose based on your needs:
- ClusterIAMPolicy - Set the complete IAM policy (authoritative, replaces everything)
- ClusterIAMBinding - Manage all members for a specific role (authoritative for that role)
- ClusterIAMMember - Add a single member to a role (non-authoritative, preserves other members)
ClusterIAMPolicy and ClusterIAMBinding) replace existing configuration, while non-authoritative (ClusterIAMMember) adds to existing configuration without removing other members.Configuration & Usage
ClusterIAMember with the cluster name, role, and member (e.g., user:jane@example.com).ClusterIAMBinding with the cluster name, role, and members array containing all users.