The gcp:pubsub/schemaIamPolicy:SchemaIamPolicy resource, part of the Pulumi GCP provider, controls IAM permissions for Pub/Sub schemas. Three related resources provide different levels of control: SchemaIamPolicy (authoritative, replaces entire policy), SchemaIamBinding (authoritative for a specific role), and SchemaIamMember (non-authoritative, adds individual members). This guide focuses on three capabilities: authoritative policy replacement, role-level member binding, and incremental member addition.
These resources reference existing Pub/Sub schemas and have strict conflict rules. SchemaIamPolicy cannot be used with SchemaIamBinding or SchemaIamMember. SchemaIamBinding and SchemaIamMember can coexist only if they manage different roles. The examples are intentionally small. Combine them with your own schema definitions and access requirements.
Replace the entire IAM policy for a schema
When you need complete control over schema access, you can set the entire IAM policy at once, replacing any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.pubsub.SchemaIamPolicy("policy", {
project: example.project,
schema: example.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.pubsub.SchemaIamPolicy("policy",
project=example["project"],
schema=example["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = pubsub.NewSchemaIamPolicy(ctx, "policy", &pubsub.SchemaIamPolicyArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.PubSub.SchemaIamPolicy("policy", new()
{
Project = example.Project,
Schema = example.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.pubsub.SchemaIamPolicy;
import com.pulumi.gcp.pubsub.SchemaIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new SchemaIamPolicy("policy", SchemaIamPolicyArgs.builder()
.project(example.project())
.schema(example.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:pubsub:SchemaIamPolicy
properties:
project: ${example.project}
schema: ${example.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts output from the getIAMPolicy data source, which defines bindings between roles and members. SchemaIamPolicy is authoritative: it replaces all existing IAM bindings on the schema. Use this when you want to define the complete permission set in one place.
Grant a role to multiple members at once
When multiple users or service accounts need the same access level, you can bind them all to a single role in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.pubsub.SchemaIamBinding("binding", {
project: example.project,
schema: example.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.pubsub.SchemaIamBinding("binding",
project=example["project"],
schema=example["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := pubsub.NewSchemaIamBinding(ctx, "binding", &pubsub.SchemaIamBindingArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.PubSub.SchemaIamBinding("binding", new()
{
Project = example.Project,
Schema = example.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamBinding;
import com.pulumi.gcp.pubsub.SchemaIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new SchemaIamBinding("binding", SchemaIamBindingArgs.builder()
.project(example.project())
.schema(example.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:pubsub:SchemaIamBinding
properties:
project: ${example.project}
schema: ${example.name}
role: roles/viewer
members:
- user:jane@example.com
The members property lists all identities that should have the specified role. SchemaIamBinding is authoritative for the given role: it replaces all members for that role but preserves other roles on the schema. This is less aggressive than SchemaIamPolicy but still replaces the member list for the role you’re managing.
Add a single member to a role incrementally
When you need to grant access to one additional user without affecting existing permissions, you can add individual members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.pubsub.SchemaIamMember("member", {
project: example.project,
schema: example.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.pubsub.SchemaIamMember("member",
project=example["project"],
schema=example["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/pubsub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := pubsub.NewSchemaIamMember(ctx, "member", &pubsub.SchemaIamMemberArgs{
Project: pulumi.Any(example.Project),
Schema: pulumi.Any(example.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.PubSub.SchemaIamMember("member", new()
{
Project = example.Project,
Schema = example.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.pubsub.SchemaIamMember;
import com.pulumi.gcp.pubsub.SchemaIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new SchemaIamMember("member", SchemaIamMemberArgs.builder()
.project(example.project())
.schema(example.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:pubsub:SchemaIamMember
properties:
project: ${example.project}
schema: ${example.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies a single identity to grant the role. SchemaIamMember is non-authoritative: it adds the member without removing existing members for that role. This is the safest option for incremental changes when you don’t want to manage the complete member list.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative IAM management, and policy-level, role-level, and member-level control. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Pub/Sub schemas that need IAM permissions, and a GCP project with appropriate IAM permissions. They focus on IAM binding configuration rather than schema creation.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Custom role definitions
- Service account creation and management
- Schema creation and definition
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Pub/Sub Schema IAM Policy resource reference for all available configuration options.
Let's manage GCP Pub/Sub Schema IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
SchemaIamPolicy is authoritative and replaces the entire IAM policy. SchemaIamBinding is authoritative for a specific role, preserving other roles. SchemaIamMember is non-authoritative, adding a single member while preserving other members for that role.SchemaIamPolicy cannot be used with SchemaIamBinding or SchemaIamMember because they will conflict over the policy configuration.Configuration & Setup
gcp.organizations.getIAMPolicy data source with your desired bindings, then pass its policyData output to the SchemaIamPolicy resource.project, schema identifier, role (e.g., roles/viewer), and a members array (e.g., ["user:jane@example.com"]).Properties & Constraints
project and schema are immutable and cannot be changed after the resource is created.