terraform cannot use "principalSet://iam.googleapis.com/" members in bigquery datasets

[Persepheus]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.5.7
on linux_amd64

• provider registry.terraform.io/hashicorp/google v7.19.0
• provider registry.terraform.io/hashicorp/google-beta v7.19.0

Affected Resource(s)

google_bigquery_dataset_iam_policy
google_bigquery_dataset_iam_member

Terraform Configuration

locals {
  workforcepool = "dev-workforcepool"
}

resource "google_bigquery_dataset_iam_member" "workforce" {
  provider = google-beta

  project    = "workforceidentity-x"
  dataset_id = "test2"
  role       = "roles/bigquery.dataOwner"
  member     = "principalSet://iam.googleapis.com/locations/global/workforcePools/${local.workforcepool}/group/testgroup"
}

resource "google_bigquery_table_iam_member" "workforce" {
  project    = "workforceidentity-x"
  dataset_id = "test2"
  role       = "roles/bigquery.dataViewer"
  member     = "principalSet://iam.googleapis.com/locations/global/workforcePools/${local.workforcepool}/group/testgroup"
  table_id   = "test2"
}

data "google_iam_policy" "table" {
  binding {
    role    = "roles/bigquery.dataViewer"
    members = ["principalSet://iam.googleapis.com/locations/global/workforcePools/${local.workforcepool}/group/testgroup"]
  }
}

resource "google_bigquery_table_iam_policy" "this" {
  project     = "workforceidentity-x"
  dataset_id  = "test2"
  table_id    = "test2"
  policy_data = data.google_iam_policy.table.policy_data
}

data "google_iam_policy" "dataset" {
  provider = google-beta
  binding {
    role = "roles/bigquery.dataOwner"
    members = [
      "principalSet://iam.googleapis.com/locations/global/workforcePools/${local.workforcepool}/group/testgroup"
    ]
  }
}

resource "google_bigquery_dataset_iam_policy" "this" {
  provider = google-beta

  project     = "workforceidentity-x"
  dataset_id  = "test2"
  policy_data = data.google_iam_policy.dataset.policy_data
}

Debug Output

2026-02-13 10:30:44 [NTC] gitlab-terraform.sh: terraform_apply/terraform_run: terraform apply -auto-approve -backup=- -input=false -lock-timeout=60s -parallelism=50 /builds/cloudmgmt/google/dev/x/terraform-plan.zip
google_bigquery_dataset_iam_policy.this: Modifying... [id=projects/workforceidentity-x/datasets/test2]
╷
│ Error: Failed to parse BigQuery Dataset IAM member type: principalSet://iam.googleapis.com/locations/global/workforcePools/dev-workforcepool/group/testgroup
│
│ with google_bigquery_dataset_iam_policy.this,
│ on entitlements.tf line 49, in resource "google_bigquery_dataset_iam_policy" "this":
│ 49: resource "google_bigquery_dataset_iam_policy" "this" {
│
╵
2026-02-13 10:30:48 [ERR] gitlab-terraform.sh: terraform_apply/terraform_run/run: return code: 1

Expected Behavior

Dataset and table permissions are set

Actual Behavior

Table permissions are set, dataset fails:

2026-02-13 10:30:44 [NTC] gitlab-terraform.sh: terraform_apply/terraform_run: terraform apply -auto-approve -backup=- -input=false -lock-timeout=60s -parallelism=50 /builds/cloudmgmt/google/dev/x/terraform-plan.zip
google_bigquery_dataset_iam_policy.this: Modifying... [id=projects/workforceidentity-x/datasets/test2]
╷
│ Error: Failed to parse BigQuery Dataset IAM member type: principalSet://iam.googleapis.com/locations/global/workforcePools/dev-workforcepool/group/testgroup
│
│ with google_bigquery_dataset_iam_policy.this,
│ on entitlements.tf line 49, in resource "google_bigquery_dataset_iam_policy" "this":
│ 49: resource "google_bigquery_dataset_iam_policy" "this" {
│
╵
2026-02-13 10:30:48 [ERR] gitlab-terraform.sh: terraform_apply/terraform_run/run: return code: 1

Steps to reproduce

1. Set up a workforce identity pool
2. Set up test dataset and table
3. terraform apply the above code

Important Factoids

No response

References

No response

[SirGitsalot]

I think that when using principal:// or principalSet:// the member field needs a "iamMember:" prefix a la:

resource "google_bigquery_dataset_iam_member" "workforce" {
  provider = google-beta

  project    = "workforceidentity-x"
  dataset_id = "test2"
  role       = "roles/bigquery.dataOwner"
  member     = "iamMember:principalSet://iam.googleapis.com/locations/global/workforcePools/${local.workforcepool}/group/testgroup"
}

Could you give that a try?

[Persepheus]

Ok, that actually does work.
Can you link me any kind of documentation which I could have used to find that?

I also find it extremely inconsistent that in the table it works without "iamMember:", but in dataset it is needed. I would still call that a bug.

[ggtisc]

Hi @Persepheus

You can find this and all other configurations for all the Google provider resources on the terraform registry documentation

[Persepheus]

Thank you very much, datasets and tables are indeed documented differently.

[ggtisc]

You are welcome!

I hope you have good coding.