This document explains which permissions to give to the Cloud Data Fusion Service Account when you create a custom role that lets it access your resources.
By default, the Cloud Data Fusion API Service Agent (roles/datafusion.serviceAgent) Identity and Access Management role is assigned to the Cloud Data Fusion Service Account. This role is highly permissive. Instead, you can use custom roles to provide only the permissions that the service account principal needs.
For more information about the Cloud Data Fusion service accounts, see Service accounts in Cloud Data Fusion.
For more information about creating custom roles, see Create a custom role.
Required permissions for the Cloud Data Fusion Service Account
When you create a custom role for the Cloud Data Fusion Service Account, give the following permissions based on the tasks you plan to perform in your instance. This lets Cloud Data Fusion access your resources.
- dataproc.clusters.get

- storage.buckets.get
- storage.objects.get
- storage.buckets.create
- storage.objects.create
- storage.objects.update
- storage.buckets.delete
- storage.objects.delete

- logging.logEntries.create

- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.monitoredResourceDescriptors.get
- monitoring.monitoredResourceDescriptors.list
- monitoring.timeSeries.create

- compute.globalOperations.get
- compute.networks.addPeering
- compute.networks.removePeering
- compute.networks.update
- compute.networks.get

- dns.managedZones.create
- dns.managedZones.delete
- dns.managedZones.get
- dns.managedZones.list
- dns.networks.bindPrivateDNSZone
- dns.networks.targetWithPeeringZone

- compute.networkAttachments.get
- compute.networkAttachments.update
- compute.networkAttachments.list
What's next
- Learn more about creating and managing custom roles.
- Learn more about access control options in Cloud Data Fusion.

