The gcp:pubsub/schemaIamMember:SchemaIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Pub/Sub schemas by adding individual members to roles without affecting other members. This guide focuses on three IAM management approaches: adding single members, setting complete member lists, and replacing entire policies.
GCP provides three related resources for schema IAM: SchemaIamMember (non-authoritative, adds one member), SchemaIamBinding (authoritative for a role, sets all members), and SchemaIamPolicy (authoritative for the entire policy). SchemaIamPolicy cannot be used with the other two resources, as they will conflict. The examples are intentionally small. Combine them with your own schema definitions and organizational IAM structure.
Grant a role to a single member
Most IAM configurations add one user or service account to a role without affecting existing members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.pubsub.SchemaIamMember("member", {
project: example.project,
schema: example.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.pubsub.SchemaIamMember("member",
project=example["project"],
schema=example["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := pubsub.NewSchemaIamMember(ctx, "member", &pubsub.SchemaIamMemberArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.PubSub.SchemaIamMember("member", new()
{
Project = example.Project,
Schema = example.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamMember;
import com.pulumi.gcp.pubsub.SchemaIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new SchemaIamMember("member", SchemaIamMemberArgs.builder()
.project(example.project())
.schema(example.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:pubsub:SchemaIamMember
properties:
project: ${example.project}
schema: ${example.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies the identity to grant access (user, service account, group, or domain). The role property defines the permission level. SchemaIamMember is non-authoritative: it adds this member to the role without removing other members who already have it.
Set all members for a role
When you need to define the complete list of members for a role, SchemaIamBinding replaces the member list while preserving other roles.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.pubsub.SchemaIamBinding("binding", {
project: example.project,
schema: example.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.pubsub.SchemaIamBinding("binding",
project=example["project"],
schema=example["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := pubsub.NewSchemaIamBinding(ctx, "binding", &pubsub.SchemaIamBindingArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.PubSub.SchemaIamBinding("binding", new()
{
Project = example.Project,
Schema = example.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamBinding;
import com.pulumi.gcp.pubsub.SchemaIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new SchemaIamBinding("binding", SchemaIamBindingArgs.builder()
.project(example.project())
.schema(example.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:pubsub:SchemaIamBinding
properties:
project: ${example.project}
schema: ${example.name}
role: roles/viewer
members:
- user:jane@example.com
The members property takes an array of identities. SchemaIamBinding is authoritative for the specified role: it sets exactly these members and removes any others. Other roles on the schema remain unchanged. You can use SchemaIamBinding with SchemaIamMember only if they manage different roles.
Replace the entire IAM policy
SchemaIamPolicy sets the complete IAM policy, replacing any existing configuration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.pubsub.SchemaIamPolicy("policy", {
project: example.project,
schema: example.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.pubsub.SchemaIamPolicy("policy",
project=example["project"],
schema=example["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = pubsub.NewSchemaIamPolicy(ctx, "policy", &pubsub.SchemaIamPolicyArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.PubSub.SchemaIamPolicy("policy", new()
{
Project = example.Project,
Schema = example.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.pubsub.SchemaIamPolicy;
import com.pulumi.gcp.pubsub.SchemaIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new SchemaIamPolicy("policy", SchemaIamPolicyArgs.builder()
.project(example.project())
.schema(example.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:pubsub:SchemaIamPolicy
properties:
project: ${example.project}
schema: ${example.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property comes from getIAMPolicy, which defines all roles and members. SchemaIamPolicy is fully authoritative: it replaces the entire policy. This approach cannot be used alongside SchemaIamBinding or SchemaIamMember, as they will conflict over policy ownership.
Beyond these examples
These snippets focus on specific IAM management features: single-member grants, role-level member lists, and complete policy replacement. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Pub/Sub schemas and GCP projects. They focus on configuring IAM permissions rather than provisioning the schemas themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions
- Federated identity configuration
- Service account creation and management
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Pub/Sub Schema IAM Member resource reference for all available configuration options.
Let's manage GCP Pub/Sub Schema IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Selection
SchemaIamPolicy cannot be used with SchemaIamBinding or SchemaIamMember, as they will conflict over the policy. Use SchemaIamPolicy alone for full control, or use SchemaIamBinding/SchemaIamMember together for incremental changes.SchemaIamPolicy is authoritative and replaces the entire IAM policy. SchemaIamBinding is authoritative for a specific role, preserving other roles. SchemaIamMember is non-authoritative, adding a single member while preserving other members for that role.Identity & Role Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.