Dataproc Metastore defines several Identity and Access Management (IAM) roles. Each predefined role contains a set of IAM permissions that allow principals to perform certain actions. You can use an IAM policy to give a principal one or more IAM roles.
Identity and Access Management (IAM) also offers the ability to create customized IAM roles. You can create custom IAM roles and assign the role one or more permissions. Then, you can grant the new role to your principals. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles.
This page focuses on the IAM roles relevant to Dataproc Metastore.
Before you begin
- Read the IAM documentation.
Dataproc Metastore roles
IAM Dataproc Metastore roles are a bundle of one or more permissions. You grant roles to principals to allow them to perform actions on the Dataproc Metastore resources in your project. For example, the Dataproc Metastore User role contains the metastore.*.get and metastore.*.list permissions, which allow a user to get and list Dataproc Metastore services, metadata imports, backups, and operations in a project.
The following table lists all Dataproc Metastore roles and the permissions associated with each role:
Dataproc Metastore Admin (roles/ )
Full access to all Dataproc Metastore resources.
- metastore.backups.*
  - metastore.backups.create
  - metastore.backups.delete
  - metastore.backups.get
  - metastore.backups.getIamPolicy
  - metastore.backups.list
  - metastore.backups.setIamPolicy
  - metastore.backups.use
- metastore.federations.*
  - metastore.federations.create
  - metastore.federations.delete
  - metastore.federations.get
  - metastore.federations.getIamPolicy
  - metastore.federations.list
  - metastore.federations.setIamPolicy
  - metastore.federations.update
  - metastore.federations.use
- metastore.imports.*
  - metastore.imports.create
  - metastore.imports.get
  - metastore.imports.list
  - metastore.imports.update
- metastore.locations.*
  - metastore.locations.get
  - metastore.locations.list
- metastore.migrations.*
  - metastore.migrations.cancel
  - metastore.migrations.complete
  - metastore.migrations.delete
  - metastore.migrations.get
  - metastore.migrations.list
  - metastore.migrations.start
- metastore.operations.*
  - metastore.operations.cancel
  - metastore.operations.delete
  - metastore.operations.get
  - metastore.operations.list
- metastore.services.create
- metastore.services.delete
- metastore.services.export
- metastore.services.get
- metastore.
- metastore.services.list
- metastore.services.restore
- metastore.
- metastore.services.update
- resourcemanager.projects.get
- resourcemanager.projects.list
Dataproc Metastore Editor (roles/ )
Read and write access to all Dataproc Metastore resources.
- metastore.backups.create
- metastore.backups.delete
- metastore.backups.get
- metastore.backups.list
- metastore.backups.use
- metastore.federations.create
- metastore.federations.delete
- metastore.federations.get
- metastore.federations.list
- metastore.federations.update
- metastore.imports.*
  - metastore.imports.create
  - metastore.imports.get
  - metastore.imports.list
  - metastore.imports.update
- metastore.locations.*
  - metastore.locations.get
  - metastore.locations.list
- metastore.migrations.*
  - metastore.migrations.cancel
  - metastore.migrations.complete
  - metastore.migrations.delete
  - metastore.migrations.get
  - metastore.migrations.list
  - metastore.migrations.start
- metastore.operations.*
  - metastore.operations.cancel
  - metastore.operations.delete
  - metastore.operations.get
  - metastore.operations.list
- metastore.services.create
- metastore.services.delete
- metastore.services.export
- metastore.services.get
- metastore.
- metastore.services.list
- metastore.services.restore
- metastore.services.update
- resourcemanager.projects.get
- resourcemanager.projects.list
Metastore Federation Accessor (roles/ )
Access to the Metastore Federation resource.
- metastore.federations.use
Dataproc Metastore Metadata Editor (roles/ )
Access to read and modify the metadata of databases and tables under those databases.
- metastore.databases.create
- metastore.databases.delete
- metastore.databases.get
- metastore.
- metastore.databases.list
- metastore.databases.update
- metastore.services.get
- metastore.services.use
- metastore.tables.create
- metastore.tables.delete
- metastore.tables.get
- metastore.tables.getIamPolicy
- metastore.tables.list
- metastore.tables.update
Dataproc Metastore Metadata Mutate Admin (roles/ )
Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.
- metastore.
Dataproc Metastore Metadata Operator (roles/ )
Read-only access to Dataproc Metastore resources with additional metadata operations permission.
- metastore.backups.create
- metastore.backups.delete
- metastore.backups.get
- metastore.backups.list
- metastore.backups.use
- metastore.imports.*
  - metastore.imports.create
  - metastore.imports.get
  - metastore.imports.list
  - metastore.imports.update
- metastore.locations.*
  - metastore.locations.get
  - metastore.locations.list
- metastore.operations.get
- metastore.operations.list
- metastore.services.export
- metastore.services.get
- metastore.
- metastore.services.list
- metastore.services.restore
- resourcemanager.projects.get
- resourcemanager.projects.list
Dataproc Metastore Data Owner (roles/ )
Full access to the metadata of databases and tables under those databases.
- metastore.databases.*
  - metastore.databases.create
  - metastore.databases.delete
  - metastore.databases.get
  - metastore.databases.getIamPolicy
  - metastore.databases.list
  - metastore.databases.setIamPolicy
  - metastore.databases.update
- metastore.services.get
- metastore.
- metastore.services.list
- metastore.services.use
- metastore.tables.*
  - metastore.tables.create
  - metastore.tables.delete
  - metastore.tables.get
  - metastore.tables.getIamPolicy
  - metastore.tables.list
  - metastore.tables.setIamPolicy
  - metastore.tables.update
Dataproc Metastore Metadata Query Admin (roles/ )
Access to query metadata from a Dataproc Metastore service's underlying metadata store.
- metastore.
Dataproc Metastore Metadata User (roles/ )
Access to the Dataproc Metastore gRPC endpoint.
- metastore.databases.get
- metastore.databases.list
- metastore.services.get
- metastore.services.use
Dataproc Metastore Metadata Viewer (roles/ )
Access to read the metadata of databases and tables under those databases.
- metastore.databases.get
- metastore.
- metastore.databases.list
- metastore.services.get
- metastore.services.use
- metastore.tables.get
- metastore.tables.getIamPolicy
- metastore.tables.list
Dataproc Metastore Managed Migration Admin (roles/ )
Access to Dataproc Metastore Managed Migration resources and workflow.
- cloudsql.instances.connect
- cloudsql.instances.get
- cloudsql.instances.login
- compute.autoscalers.create
- compute.autoscalers.delete
- compute.disks.create
- compute.disks.delete
- compute.forwardingRules.create
- compute.forwardingRules.delete
- compute.forwardingRules.use
- compute.
- compute.
- compute.
- compute.instanceGroups.delete
- compute.instanceGroups.use
- compute.
- compute.
- compute.instanceTemplates.get
- compute.
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.setMetadata
- compute.machineTypes.list
- compute.
- compute.
- compute.
- compute.
- compute.
- compute.regionHealthChecks.use
- compute.
- compute.
- compute.
- compute.subnetworks.get
- compute.subnetworks.use
- compute.zones.list
- datastream.
- datastream.
- datastream.objects.*
  - datastream.objects.get
  - datastream.objects.list
  - datastream.objects.startBackfillJob
  - datastream.objects.stopBackfillJob
- datastream.operations.get
- datastream.
- datastream.
- datastream.streams.create
- datastream.streams.delete
- datastream.streams.get
- datastream.streams.update
Dataproc Metastore Viewer (roles/ )
Read-only access to all Dataproc Metastore resources.
- metastore.backups.get
- metastore.backups.list
- metastore.federations.get
- metastore.
- metastore.federations.list
- metastore.imports.get
- metastore.imports.list
- metastore.locations.*
  - metastore.locations.get
  - metastore.locations.list
- metastore.operations.get
- metastore.operations.list
- metastore.services.export
- metastore.services.get
- metastore.
- metastore.services.list
- resourcemanager.projects.get
- resourcemanager.projects.list
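The role table above is what a least-privilege review works from: given the permissions a workload actually needs, which predefined role grants them with the smallest over-grant, and when no predefined role fits, what custom role should be created instead. The following Python script is an added example, not code from this page or from the Dataproc Metastore product. It transcribes four roles from the table above (roles are keyed by display title because the page does not show their roles/ ids, and permissions that are cut off in the page are omitted), expands the page's segment-wise wildcard notation such as metastore.*.get, ranks covering roles by how many extra permissions they carry, and, as a fallback, builds the YAML body that gcloud iam roles create accepts with --file. The two required-permission sets in the script are constructed for illustration.

```python
"""Least-privilege role selection against the Dataproc Metastore role table.

Added example. Role data is transcribed from the documentation table for four
roles; permissions truncated in the page are left out. Role ids (roles/...) are
not on the page, so roles are keyed by their display title.
"""
from __future__ import annotations

import fnmatch

ROLES: dict[str, frozenset[str]] = {
    "Dataproc Metastore Viewer": frozenset({
        "metastore.backups.get", "metastore.backups.list",
        "metastore.federations.get", "metastore.federations.list",
        "metastore.imports.get", "metastore.imports.list",
        "metastore.locations.get", "metastore.locations.list",
        "metastore.operations.get", "metastore.operations.list",
        "metastore.services.export", "metastore.services.get",
        "metastore.services.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    }),
    "Dataproc Metastore Metadata Operator": frozenset({
        "metastore.backups.create", "metastore.backups.delete",
        "metastore.backups.get", "metastore.backups.list", "metastore.backups.use",
        "metastore.imports.create", "metastore.imports.get",
        "metastore.imports.list", "metastore.imports.update",
        "metastore.locations.get", "metastore.locations.list",
        "metastore.operations.get", "metastore.operations.list",
        "metastore.services.export", "metastore.services.get",
        "metastore.services.list", "metastore.services.restore",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    }),
    "Dataproc Metastore Metadata Editor": frozenset({
        "metastore.databases.create", "metastore.databases.delete",
        "metastore.databases.get", "metastore.databases.list",
        "metastore.databases.update",
        "metastore.services.get", "metastore.services.use",
        "metastore.tables.create", "metastore.tables.delete",
        "metastore.tables.get", "metastore.tables.getIamPolicy",
        "metastore.tables.list", "metastore.tables.update",
    }),
    "Dataproc Metastore Metadata Viewer": frozenset({
        "metastore.databases.get", "metastore.databases.list",
        "metastore.services.get", "metastore.services.use",
        "metastore.tables.get", "metastore.tables.getIamPolicy",
        "metastore.tables.list",
    }),
}


def permissions_matching(role: str, pattern: str) -> set[str]:
    """Expand a wildcard such as ``metastore.*.get`` against one role.

    The page writes wildcards per dotted segment (``metastore.backups.*``,
    ``metastore.*.get``), so ``*`` is matched one segment at a time and the
    segment counts must agree.
    """
    want = pattern.split(".")
    return {
        perm for perm in ROLES[role]
        if len(perm.split(".")) == len(want)
        and all(fnmatch.fnmatchcase(h, w) for h, w in zip(perm.split("."), want))
    }


def covering_roles(required: set[str]) -> list[tuple[str, set[str]]]:
    """Predefined roles that grant every required permission, least over-grant first.

    Each entry is (role title, permissions the role grants beyond those required).
    An empty list means no single predefined role fits.
    """
    hits = [(name, set(perms - required)) for name, perms in ROLES.items() if required <= perms]
    return sorted(hits, key=lambda item: (len(item[1]), item[0]))


def custom_role_spec(title: str, required: set[str]) -> dict:
    """Build the fields of a custom-role definition file (title, description,
    stage, includedPermissions) for when no predefined role fits."""
    return {
        "title": title,
        "description": "Custom role limited to the permissions the workload needs",
        "stage": "GA",
        "includedPermissions": sorted(required),
    }


def to_yaml(spec: dict) -> str:
    """Render the spec as the plain YAML that gcloud iam roles create --file reads."""
    lines = [f"title: {spec['title']}", f"description: {spec['description']}",
             f"stage: {spec['stage']}", "includedPermissions:"]
    lines += [f"- {perm}" for perm in spec["includedPermissions"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed case 1: a dashboard that only reads services and backups.
    needed = {"metastore.services.get", "metastore.services.list",
              "metastore.backups.get", "metastore.backups.list"}
    for role, extra in covering_roles(needed):
        print(f"{role}: grants {len(extra)} permissions beyond the {len(needed)} needed")
    # Constructed case 2: a job that writes tables and also creates backups.
    mixed = {"metastore.tables.create", "metastore.backups.create"}
    if not covering_roles(mixed):
        print("No predefined role covers the set; proposed custom role:")
        print(to_yaml(custom_role_spec("metastoreTableBackupWriter", mixed)))
```

For the read-only dashboard, the Viewer role comes out first with 11 permissions beyond the 4 required, while Metadata Operator carries 15; for the table-plus-backup job no predefined role in the transcribed set covers both permissions, which is exactly the situation the custom-role section above is for.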
What's next
- Learn how to create custom IAM roles.
- Learn how to grant and manage roles.
- See the Dataproc Metastore IAM permissions mapping.