The gcp:pubsub/schemaIamPolicy:SchemaIamPolicy resource, part of the Pulumi GCP provider, controls IAM permissions for Pub/Sub schemas. This guide focuses on three approaches: authoritative policy replacement (SchemaIamPolicy), role-level member management (SchemaIamBinding), and individual member grants (SchemaIamMember).
These resources reference existing Pub/Sub schemas and require valid GCP projects and member identities. The examples are intentionally small. Combine them with your own schema definitions and organizational access patterns.
Replace the entire IAM policy for a schema
When you need complete control over schema access, you can set the entire IAM policy at once, replacing any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.pubsub.SchemaIamPolicy("policy", {
project: example.project,
schema: example.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.pubsub.SchemaIamPolicy("policy",
project=example["project"],
schema=example["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = pubsub.NewSchemaIamPolicy(ctx, "policy", &pubsub.SchemaIamPolicyArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.PubSub.SchemaIamPolicy("policy", new()
{
Project = example.Project,
Schema = example.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.pubsub.SchemaIamPolicy;
import com.pulumi.gcp.pubsub.SchemaIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new SchemaIamPolicy("policy", SchemaIamPolicyArgs.builder()
.project(example.project())
.schema(example.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:pubsub:SchemaIamPolicy
properties:
project: ${example.project}
schema: ${example.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The SchemaIamPolicy resource is authoritative: it replaces the entire IAM policy for the schema. The policyData property comes from the getIAMPolicy data source, which defines bindings between roles and members. This approach gives you full control but requires managing all permissions in one place. SchemaIamPolicy cannot be used alongside SchemaIamBinding or SchemaIamMember, as they will conflict over policy ownership.
Grant a role to multiple members at once
When multiple users or service accounts need the same access level, you can bind them all to a single role in one resource.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.pubsub.SchemaIamBinding("binding", {
project: example.project,
schema: example.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.pubsub.SchemaIamBinding("binding",
project=example["project"],
schema=example["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := pubsub.NewSchemaIamBinding(ctx, "binding", &pubsub.SchemaIamBindingArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.PubSub.SchemaIamBinding("binding", new()
{
Project = example.Project,
Schema = example.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamBinding;
import com.pulumi.gcp.pubsub.SchemaIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new SchemaIamBinding("binding", SchemaIamBindingArgs.builder()
.project(example.project())
.schema(example.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:pubsub:SchemaIamBinding
properties:
project: ${example.project}
schema: ${example.name}
role: roles/viewer
members:
- user:jane@example.com
The SchemaIamBinding resource is authoritative for a specific role: it sets the complete member list for that role while preserving other roles in the policy. The members property accepts a list of identity strings (users, service accounts, groups). You can use multiple SchemaIamBinding resources for different roles, but each role should be managed by only one binding resource.
Add a single member to a role incrementally
When you need to grant access to one user without affecting others, you can add them individually.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.pubsub.SchemaIamMember("member", {
project: example.project,
schema: example.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.pubsub.SchemaIamMember("member",
project=example["project"],
schema=example["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := pubsub.NewSchemaIamMember(ctx, "member", &pubsub.SchemaIamMemberArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.PubSub.SchemaIamMember("member", new()
{
Project = example.Project,
Schema = example.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamMember;
import com.pulumi.gcp.pubsub.SchemaIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new SchemaIamMember("member", SchemaIamMemberArgs.builder()
.project(example.project())
.schema(example.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:pubsub:SchemaIamMember
properties:
project: ${example.project}
schema: ${example.name}
role: roles/viewer
member: user:jane@example.com
The SchemaIamMember resource is non-authoritative: it adds a single member to a role without removing other members. The member property takes one identity string. This approach works well when different teams or modules need to grant access independently. You can combine SchemaIamMember resources with SchemaIamBinding resources as long as they don’t manage the same role.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative IAM management, role-based access control, and policy data generation. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Pub/Sub schemas (by name), GCP projects, and user accounts or service accounts for member identities. They focus on configuring IAM permissions rather than creating the underlying schemas.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Custom role definitions
- Multiple roles in a single resource
- Audit logging configuration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Pub/Sub Schema IAM Policy resource reference for all available configuration options.
Let's manage GCP Pub/Sub Schema IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
SchemaIamPolicy cannot be used with SchemaIamBinding or SchemaIamMember because they’ll conflict over the policy state. Use SchemaIamPolicy alone, or use SchemaIamBinding/SchemaIamMember without SchemaIamPolicy.Resource Selection & Usage
SchemaIamPolicy is authoritative and replaces the entire IAM policy. SchemaIamBinding is authoritative for a specific role, preserving other roles. SchemaIamMember is non-authoritative, adding individual members while preserving existing members for that role.You have three options:
- Full policy control - Use
SchemaIamPolicywithgcp.organizations.getIAMPolicydata source - Role-level control - Use
SchemaIamBindingwithroleandmemberslist - Individual member - Use
SchemaIamMemberwithroleand singlemember
projects/{{project}}/schemas/{{name}}, {{project}}/{{name}}, or just {{name}}. Any variables not in the import command are taken from the provider configuration.