The gcp:dataproc/metastoreServiceIamMember:MetastoreServiceIamMember resource, part of the Pulumi GCP provider, grants IAM permissions on Dataproc Metastore services by adding individual members to roles. This guide focuses on three capabilities: single-member role grants, role-level member lists, and full policy replacement.
Three related resources manage Metastore IAM: MetastoreServiceIamMember (non-authoritative, adds one member), MetastoreServiceIamBinding (authoritative for a role, sets all members), and MetastoreServiceIamPolicy (authoritative for the entire policy). Policy cannot be used with Binding or Member; Binding and Member can coexist if they don’t target the same role. The examples are intentionally small. Combine them with your own Metastore services and identity management.
Grant a role to a single user
Most IAM configurations add permissions for one user or service account without affecting existing members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.dataproc.MetastoreServiceIamMember("member", {
project: _default.project,
location: _default.location,
serviceId: _default.serviceId,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.dataproc.MetastoreServiceIamMember("member",
project=default["project"],
location=default["location"],
service_id=default["serviceId"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewMetastoreServiceIamMember(ctx, "member", &dataproc.MetastoreServiceIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
ServiceId: pulumi.Any(_default.ServiceId),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Dataproc.MetastoreServiceIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
ServiceId = @default.ServiceId,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.MetastoreServiceIamMember;
import com.pulumi.gcp.dataproc.MetastoreServiceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new MetastoreServiceIamMember("member", MetastoreServiceIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.serviceId(default_.serviceId())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:dataproc:MetastoreServiceIamMember
properties:
project: ${default.project}
location: ${default.location}
serviceId: ${default.serviceId}
role: roles/viewer
member: user:jane@example.com
The member property specifies the identity receiving access, using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property sets the permission level. This resource is non-authoritative: it adds the member to the role without removing others who already have access.
Define all members for a role
When you need to control exactly who has a specific role, a binding sets the complete member list.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.dataproc.MetastoreServiceIamBinding("binding", {
project: _default.project,
location: _default.location,
serviceId: _default.serviceId,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.dataproc.MetastoreServiceIamBinding("binding",
project=default["project"],
location=default["location"],
service_id=default["serviceId"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataproc.NewMetastoreServiceIamBinding(ctx, "binding", &dataproc.MetastoreServiceIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
ServiceId: pulumi.Any(_default.ServiceId),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Dataproc.MetastoreServiceIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
ServiceId = @default.ServiceId,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dataproc.MetastoreServiceIamBinding;
import com.pulumi.gcp.dataproc.MetastoreServiceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new MetastoreServiceIamBinding("binding", MetastoreServiceIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.serviceId(default_.serviceId())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:dataproc:MetastoreServiceIamBinding
properties:
project: ${default.project}
location: ${default.location}
serviceId: ${default.serviceId}
role: roles/viewer
members:
- user:jane@example.com
The members property takes an array of identities. This resource is authoritative for the specified role: it replaces any existing members for that role while preserving other roles in the policy. Use this when you want to ensure only specific identities have access.
Replace the entire IAM policy
Organizations managing IAM centrally sometimes set the complete policy for a service.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.dataproc.MetastoreServiceIamPolicy("policy", {
project: _default.project,
location: _default.location,
serviceId: _default.serviceId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.dataproc.MetastoreServiceIamPolicy("policy",
project=default["project"],
location=default["location"],
service_id=default["serviceId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dataproc"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = dataproc.NewMetastoreServiceIamPolicy(ctx, "policy", &dataproc.MetastoreServiceIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
ServiceId: pulumi.Any(_default.ServiceId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Dataproc.MetastoreServiceIamPolicy("policy", new()
{
Project = @default.Project,
Location = @default.Location,
ServiceId = @default.ServiceId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.dataproc.MetastoreServiceIamPolicy;
import com.pulumi.gcp.dataproc.MetastoreServiceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new MetastoreServiceIamPolicy("policy", MetastoreServiceIamPolicyArgs.builder()
.project(default_.project())
.location(default_.location())
.serviceId(default_.serviceId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:dataproc:MetastoreServiceIamPolicy
properties:
project: ${default.project}
location: ${default.location}
serviceId: ${default.serviceId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts output from getIAMPolicy, which defines all roles and their members. This resource is fully authoritative: it replaces the entire IAM policy. It cannot be used alongside MetastoreServiceIamBinding or MetastoreServiceIamMember, as they would conflict over policy ownership.
Beyond these examples
These snippets focus on specific IAM management approaches: single-member grants, role-level bindings, and full policy replacement. They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as Dataproc Metastore services (by serviceId), GCP projects, and locations. They focus on granting permissions rather than provisioning the underlying services.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions
- Federated identity configuration
- Policy conflict resolution between resource types
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Dataproc Metastore Service IAM Member resource reference for all available configuration options.
Let's manage GCP Dataproc Metastore Service IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
MetastoreServiceIamPolicy is authoritative and replaces the entire IAM policy. MetastoreServiceIamBinding is authoritative for a given role, preserving other roles. MetastoreServiceIamMember is non-authoritative, preserving other members for the role.MetastoreServiceIamPolicy with MetastoreServiceIamBinding or MetastoreServiceIamMember, as they will conflict. You can use MetastoreServiceIamBinding with MetastoreServiceIamMember only if they grant different roles.Identity & Role Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, and federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}.Resource Properties & Behavior
global. If not specified, the value is parsed from the parent resource identifier or taken from the provider configuration.location, member, project, role, serviceId, condition) are immutable and cannot be changed after creation.