Use case: Access control with namespace service accounts
Stay organized with collectionsSave and categorize content based on your preferences.
This page describes the use case where you control access to Google Cloud
resources at the namespace level when you migrate data from Cloud Storage to
BigQuery.
For better data isolation, you can associate a customized IAM
service account (known as aPer Namespace Service Account) with each
namespace. The customized IAM service account, which can be
different for different namespaces, lets you control access to
Google Cloud resources between namespaces for pipeline design-time
operations in Cloud Data Fusion, such as pipeline preview, Wrangler, and
pipeline validation.
In this use case, your marketing department migrates data from
Cloud Storage to BigQuery using Cloud Data Fusion.
The marketing department has three teams: A, B, and C.
Your objective is to establish a structured approach to control data access in
Cloud Storage through Cloud Data Fusion namespaces corresponding
to each team—A, B, and C, respectively.
Solution
The following steps show how you control access to Google Cloud resources
with namespace service accounts, preventing unauthorized access between the
datastores of different teams.
Associate an Identity and Access Management service account to each namespace
Set up the access control by adding a customized service account for
Team A—for example,team-a@pipeline-design-time-project.iam.gserviceaccount.com.
Figure 1: Add a customized service account for Team A.
Repeat the configuration steps for Teams B and C to set up access
control with similar customized service accounts.
Limit access to the Cloud Storage buckets
Limit the access to Cloud Storage buckets by giving appropriate
permissions:
Give the IAM service account thestorage.buckets.listpermission, required to list Cloud Storage buckets in the project.
For more information, seeListing buckets.
Give the IAM service account permission to access the
objects in particular buckets.
For example, grant theStorage Object Viewerrole to the IAM service account associated with the
namespaceteam_Aon the bucketteam_a1. This permission lets Team A view
and list objects and managed folders, along with their metadata, in that
bucket in an isolated design time environment.
Figure 2: On the Cloud StorageBucketspage, add the team as a principal and assign the Storage Object User role.
Create the Cloud Storage connection in the respective namespaces
Create Cloud Storage connection in each team's namespace:
In the Google Cloud console, go to the Cloud Data FusionInstancespage and open an instance in the Cloud Data Fusion web
interface.
Click the namespace you want to use—for example, the namespace for Team A.
Click theConnectionstab, and then clickAdd connection.
SelectGCSand configure the connection.
Figure 3: Configure the Cloud Storage
connection for the namespace.
Create a Cloud Storage connection for every namespace by
repeating the preceding steps. Each team can then interact with an isolated
copy of that resource for their design time operations.
Validate design time isolation for each namespace
Team A can validate the isolation at design by accessing Cloud Storage
buckets in their respective namespaces:
In the Google Cloud console, go to the Cloud Data FusionInstancespage and open an instance in the Cloud Data Fusion web
interface.
Select a namespace—for example the Team A namespace,team_A.
ClickmenuMenu>Wrangler.
ClickGCS.
In the bucket list, click theteam_a1bucket.
You can view the list of buckets because the Team A namespace hasstorage.buckets.listpermission.
When you click the bucket, you can view its contents because the Team A
namespace has the Storage Object Viewer role.
Figures 4 and 5: Check that Team A can access the
appropriate storage bucket.
Go back to the bucket list and click theteam_b1orteam_c1bucket.
The access is restricted, as you isolated this design time resource for
Team A using its namespace service account.
Figure 6: Check that Team A cannot access Team B and C
storage buckets.
What's next
Learn more aboutsecurityfeatures in Cloud Data Fusion.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis content details how to control access to Google Cloud resources at the namespace level in Cloud Data Fusion, using a customized IAM service account for each namespace to enhance data isolation.\u003c/p\u003e\n"],["\u003cp\u003eA practical scenario is presented where the marketing department, divided into three teams (A, B, and C), utilizes Cloud Data Fusion to migrate data from Cloud Storage to BigQuery, with each team operating within its own isolated namespace.\u003c/p\u003e\n"],["\u003cp\u003eAccess to Cloud Storage buckets is limited by granting the IAM service account \u003ccode\u003estorage.buckets.list\u003c/code\u003e permission and specific bucket access permissions like the Storage Object Viewer role.\u003c/p\u003e\n"],["\u003cp\u003eEach team creates a Cloud Storage connection within its respective namespace, allowing them to interact with an isolated copy of the resource during design-time operations, preventing unauthorized access between teams.\u003c/p\u003e\n"],["\u003cp\u003eThe isolation is validated by demonstrating that Team A can access its designated bucket (\u003ccode\u003eteam_a1\u003c/code\u003e) but is restricted from accessing buckets belonging to other teams (\u003ccode\u003eteam_b1\u003c/code\u003e or \u003ccode\u003eteam_c1\u003c/code\u003e).\u003c/p\u003e\n"]]],[],null,["# Use case: Access control with namespace service accounts\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis page describes the use case where you control access to Google Cloud\nresources at the namespace level when you migrate data from Cloud Storage to\nBigQuery.\n\nTo control access to Google Cloud resources, namespaces in\nCloud Data Fusion use the [Cloud Data Fusion API Service Agent](/iam/docs/understanding-roles#datafusion.serviceAgent)\nby default.\n\nFor better data isolation, you can associate a customized IAM\nservice account (known as a *Per Namespace Service Account*) with each\nnamespace. The customized IAM service account, which can be\ndifferent for different namespaces, lets you control access to\nGoogle Cloud resources between namespaces for pipeline design-time\noperations in Cloud Data Fusion, such as pipeline preview, Wrangler, and\npipeline validation.\n\nFor more information, see [Access control with namespace service accounts](/data-fusion/docs/how-to/control-access-in-namespace).\n\nScenario\n--------\n\nIn this use case, your marketing department migrates data from\nCloud Storage to BigQuery using Cloud Data Fusion.\n\nThe marketing department has three teams: A, B, and C.\nYour objective is to establish a structured approach to control data access in\nCloud Storage through Cloud Data Fusion namespaces corresponding\nto each team---A, B, and C, respectively.\n\nSolution\n--------\n\nThe following steps show how you control access to Google Cloud resources\nwith namespace service accounts, preventing unauthorized access between the\ndatastores of different teams.\n\n### Associate an Identity and Access Management service account to each namespace\n\nConfigure an IAM service account in the namespace for each team\n(see\n[Configure a namespace service account](/data-fusion/docs/how-to/control-access-in-namespace#configure)):\n\n1. Set up the access control by adding a customized service account for\n Team A---for example,\n `team-a@pipeline-design-time-project.iam.gserviceaccount.com`.\n\n **Figure 1**: Add a customized service account for Team A.\n2. Repeat the configuration steps for Teams B and C to set up access\n control with similar customized service accounts.\n\n### Limit access to the Cloud Storage buckets\n\nLimit the access to Cloud Storage buckets by giving appropriate\npermissions:\n\n1. Give the IAM service account the `storage.buckets.list` permission, required to list Cloud Storage buckets in the project. For more information, see [Listing buckets](/storage/docs/listing-buckets#console-list-buckets).\n2. Give the IAM service account permission to access the\n objects in particular buckets.\n\n For example, grant the\n [Storage Object Viewer](/storage/docs/access-control/iam-roles#standard-roles)\n role to the IAM service account associated with the\n namespace `team_A` on the bucket `team_a1`. This permission lets Team A view\n and list objects and managed folders, along with their metadata, in that\n bucket in an isolated design time environment.\n **Figure 2** : On the Cloud Storage **Buckets** page, add the team as a principal and assign the Storage Object User role.\n\n### Create the Cloud Storage connection in the respective namespaces\n\nCreate Cloud Storage connection in each team's namespace:\n\n1. In the Google Cloud console, go to the Cloud Data Fusion\n **Instances** page and open an instance in the Cloud Data Fusion web\n interface.\n\n [Go to Instances](https://console.cloud.google.com/data-fusion/locations/-/instances)\n2. Click **System admin \\\u003e Configuration \\\u003e Namespaces**.\n\n3. Click the namespace you want to use---for example, the namespace for Team A.\n\n4. Click the **Connections** tab, and then click **Add connection**.\n\n5. Select **GCS** and configure the connection.\n\n **Figure 3**: Configure the Cloud Storage connection for the namespace.\n6. Create a Cloud Storage connection for every namespace by\n repeating the preceding steps. Each team can then interact with an isolated\n copy of that resource for their design time operations.\n\n### Validate design time isolation for each namespace\n\nTeam A can validate the isolation at design by accessing Cloud Storage\nbuckets in their respective namespaces:\n\n1. In the Google Cloud console, go to the Cloud Data Fusion\n **Instances** page and open an instance in the Cloud Data Fusion web\n interface.\n\n [Go to Instances](https://console.cloud.google.com/data-fusion/locations/-/instances)\n2. Click **System admin \\\u003e Configuration \\\u003e Namespaces**.\n\n3. Select a namespace---for example the Team A namespace, `team_A`.\n\n4. Click menu\n **Menu \\\u003e Wrangler**.\n\n5. Click **GCS**.\n\n6. In the bucket list, click the `team_a1` bucket.\n\n - You can view the list of buckets because the Team A namespace has\n `storage.buckets.list` permission.\n\n - When you click the bucket, you can view its contents because the Team A\n namespace has the Storage Object Viewer role.\n\n **Figures 4 and 5**: Check that Team A can access the appropriate storage bucket.\n7. Go back to the bucket list and click the `team_b1` or `team_c1` bucket.\n The access is restricted, as you isolated this design time resource for\n Team A using its namespace service account.\n\n **Figure 6**: Check that Team A cannot access Team B and C storage buckets.\n\nWhat's next\n-----------\n\n- Learn more about [security](/data-fusion/docs/concepts/security) features in Cloud Data Fusion."]]
