The gcp:dataproc/metastoreFederationIamBinding:MetastoreFederationIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Dataproc Metastore Federation instances. This guide focuses on two capabilities: authoritative role bindings for multiple members and non-authoritative single-member additions.
IAM bindings reference existing Dataproc Metastore Federation instances and require appropriate project-level IAM permissions. The examples are intentionally small. Combine them with your own federation infrastructure and identity management strategy.
Grant a role to multiple members at once
Teams managing federation access often need to grant the same role to multiple users or service accounts simultaneously, such as when onboarding a team or configuring cross-project access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.dataproc.MetastoreFederationIamBinding("binding", {
project: _default.project,
location: _default.location,
federationId: _default.federationId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.dataproc.MetastoreFederationIamBinding("binding",
project=default["project"],
location=default["location"],
federation_id=default["federationId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewMetastoreFederationIamBinding(ctx, "binding", &dataproc.MetastoreFederationIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
FederationId: pulumi.Any(_default.FederationId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Dataproc.MetastoreFederationIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
FederationId = @default.FederationId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.MetastoreFederationIamBinding;
import com.pulumi.gcp.dataproc.MetastoreFederationIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new MetastoreFederationIamBinding("binding", MetastoreFederationIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.federationId(default_.federationId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:dataproc:MetastoreFederationIamBinding
properties:
project: ${default.project}
location: ${default.location}
federationId: ${default.federationId}
role: roles/viewer
members:
- user:jane@example.com
The binding resource is authoritative for the specified role: it replaces any existing members for that role on the federation. The members array accepts various identity formats including user emails, service accounts, groups, and federated identities. The federationId, location, and project properties identify which federation resource to bind the policy to.
Add a single member to a role incrementally
When you need to grant access to one additional user without affecting existing role assignments, the non-authoritative member resource preserves other members already granted the same role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataproc.MetastoreFederationIamMember("member", {
project: _default.project,
location: _default.location,
federationId: _default.federationId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataproc.MetastoreFederationIamMember("member",
project=default["project"],
location=default["location"],
federation_id=default["federationId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewMetastoreFederationIamMember(ctx, "member", &dataproc.MetastoreFederationIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
FederationId: pulumi.Any(_default.FederationId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Dataproc.MetastoreFederationIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
FederationId = @default.FederationId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.MetastoreFederationIamMember;
import com.pulumi.gcp.dataproc.MetastoreFederationIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new MetastoreFederationIamMember("member", MetastoreFederationIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.federationId(default_.federationId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataproc:MetastoreFederationIamMember
properties:
project: ${default.project}
location: ${default.location}
federationId: ${default.federationId}
role: roles/viewer
member: user:jane@example.com
Unlike the binding resource, the member resource is non-authoritative: it adds one identity to a role without replacing existing members. This approach works well when multiple teams manage access independently. The member property accepts a single identity in the same formats as the members array in bindings.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Dataproc Metastore Federation instances and GCP projects with appropriate IAM permissions. They focus on configuring IAM bindings rather than provisioning the federation itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (MetastoreFederationIamPolicy)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the Dataproc Metastore Federation IAM Binding resource reference for all available configuration options.
Let's manage GCP Dataproc Metastore Federation IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
MetastoreFederationIamPolicy is authoritative and replaces the entire IAM policy. MetastoreFederationIamBinding is authoritative for a specific role but preserves other roles. MetastoreFederationIamMember is non-authoritative and preserves other members for the same role.MetastoreFederationIamPolicy cannot be used with MetastoreFederationIamBinding or MetastoreFederationIamMember because they’ll conflict over policy control.Configuration & Identity Formats
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, or federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}.MetastoreFederationIamBinding with the role property and a members array containing all the identities you want to grant access to.