Manage GCP Pub/Sub Schema IAM Bindings

The gcp:pubsub/schemaIamBinding:SchemaIamBinding resource, part of the Pulumi GCP provider, grants IAM roles to members for Pub/Sub schemas, controlling who can view, edit, or manage schema definitions. This guide focuses on two capabilities: authoritative role assignment to multiple members and incremental member addition.

SchemaIamBinding is one of three IAM resources for schemas. SchemaIamPolicy replaces the entire policy (authoritative for all roles), SchemaIamBinding replaces all members for one role (authoritative for that role), and SchemaIamMember adds individual members without affecting others (non-authoritative). SchemaIamPolicy cannot be used with the other two resources, as they will conflict. SchemaIamBinding and SchemaIamMember can coexist if they manage different roles.

The examples reference existing schemas and Google Cloud identities. They’re intentionally small. Combine them with your own schema resources and identity management.

Grant a role to multiple members at once

When multiple users or service accounts need the same level of access, SchemaIamBinding assigns a role to all members in one resource.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.pubsub.SchemaIamBinding("binding", {
    project: example.project,
    schema: example.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.pubsub.SchemaIamBinding("binding",
    project=example["project"],
    schema=example["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := pubsub.NewSchemaIamBinding(ctx, "binding", &pubsub.SchemaIamBindingArgs{
			Project: pulumi.Any(example.Project),
			Schema:  pulumi.Any(example.Name),
			Role:    pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.PubSub.SchemaIamBinding("binding", new()
    {
        Project = example.Project,
        Schema = example.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamBinding;
import com.pulumi.gcp.pubsub.SchemaIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new SchemaIamBinding("binding", SchemaIamBindingArgs.builder()
            .project(example.project())
            .schema(example.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:pubsub:SchemaIamBinding
    properties:
      project: ${example.project}
      schema: ${example.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The role property specifies the IAM role to grant (e.g., roles/viewer for read access). The members array lists all identities that receive this role. This resource is authoritative for the specified role: it replaces any existing members for that role, but preserves other roles on the schema.

Add a single member to a role incrementally

Teams managing access incrementally can add one member at a time without replacing existing assignments.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.pubsub.SchemaIamMember("member", {
    project: example.project,
    schema: example.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.pubsub.SchemaIamMember("member",
    project=example["project"],
    schema=example["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := pubsub.NewSchemaIamMember(ctx, "member", &pubsub.SchemaIamMemberArgs{
			Project: pulumi.Any(example.Project),
			Schema:  pulumi.Any(example.Name),
			Role:    pulumi.String("roles/viewer"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.PubSub.SchemaIamMember("member", new()
    {
        Project = example.Project,
        Schema = example.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamMember;
import com.pulumi.gcp.pubsub.SchemaIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new SchemaIamMember("member", SchemaIamMemberArgs.builder()
            .project(example.project())
            .schema(example.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:pubsub:SchemaIamMember
    properties:
      project: ${example.project}
      schema: ${example.name}
      role: roles/viewer
      member: user:jane@example.com

The member property (singular) specifies one identity to add. Unlike SchemaIamBinding, SchemaIamMember is non-authoritative: it adds this member to the role without affecting other members already assigned. Use this when you need to grant access without knowing or modifying the full member list.

Beyond these examples

These snippets focus on specific schema IAM features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as Pub/Sub schemas and Google Cloud users, service accounts, or groups. They focus on granting access rather than creating schemas or managing identities.

To keep things focused, common IAM patterns are omitted, including:

  • Conditional IAM bindings (condition property)
  • Full policy replacement (SchemaIamPolicy resource)
  • Custom role definitions

These omissions are intentional: the goal is to illustrate how schema access control is wired, not provide drop-in IAM modules. See the SchemaIamBinding resource reference for all available configuration options.

Let's manage GCP Pub/Sub Schema IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts
What's the difference between SchemaIamPolicy, SchemaIamBinding, and SchemaIamMember?
SchemaIamPolicy is authoritative for the entire IAM policy and replaces any existing policy. SchemaIamBinding is authoritative for a specific role, preserving other roles in the policy. SchemaIamMember is non-authoritative, adding a single member to a role while preserving other members.
Can I use SchemaIamPolicy with SchemaIamBinding or SchemaIamMember?
No, SchemaIamPolicy cannot be used with SchemaIamBinding or SchemaIamMember because they will conflict over the policy state.
Can I use SchemaIamBinding and SchemaIamMember together?
Yes, but only if they grant different roles. Using both for the same role will cause conflicts.
IAM Configuration
What member identity formats are supported?

You can use:

  • Special identifiers: allUsers, allAuthenticatedUsers
  • Email formats: user:{email}, serviceAccount:{email}, group:{email}
  • Domains: domain:{domain} (G Suite domains)
  • Project roles: projectOwner:projectid, projectEditor:projectid, projectViewer:projectid
  • Federated identities: principal://iam.googleapis.com/... (workload/workforce pools)
What's the difference between `members` and `member`?
SchemaIamBinding uses members (plural, an array) to grant a role to multiple identities. SchemaIamMember uses member (singular, a string) to grant a role to one identity.
Custom Roles & Advanced Usage
How do I specify a custom role?
Custom roles must use the full format [projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.
Can I change the role or schema after creation?
No, both role and schema are immutable and cannot be changed after the resource is created.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides