**Objective:** This document shows you how to allow external identity users to click Dataproc [Component Gateway](/dataproc/docs/concepts/accessing/dataproc-gateways) URL links in the Google Cloud console to connect to component web interfaces running on the first master node of a Dataproc cluster.

Background

[Workforce identity federation](/iam/docs/workforce-identity-federation) lets
you use an external identity provider (IdP) to authenticate and authorize
workforce employees, partners, and contractors to Google Cloud services.

If workforce identity federation is
[configured in your project](/iam/docs/configuring-workforce-identity-federation#configure_workforce_identity_federation),
external identity users can use the Google Cloud console, Google Cloud CLI,
and the Dataproc API to access most Dataproc
resources and features, except the following:

- [Dataproc Component Gateway](/dataproc/docs/concepts/accessing/dataproc-gateways)
- [Dataproc on GKE](/dataproc/docs/guides/dpgke/dataproc-gke-overview)
- [Dataproc Personal Authentication](/dataproc/docs/concepts/iam/personal-auth)
- [Dataproc Service Account Based Secure Multi-tenancy](/dataproc/docs/concepts/iam/sa-multi-tenancy)
- The **Output** section in the Batch and Job details pages and the **Recommended Alerts** section in the Cluster and Job list pages in the Google Cloud console.

Use workforce identity federation with the Dataproc Component Gateway

1. Configure workforce identity federation by following
   the [Configure workforce identity federation](/iam/docs/configuring-workforce-identity-federation#configure_workforce_identity_federation)
   guide.

2. Grant external identity users the
   [`dataproc.clusters.use`](/dataproc/docs/concepts/iam/iam#clusters_methods_required_permissions)
   role to allow access to the Dataproc Component Gateway (see
   [Grant IAM roles to principals](/iam/docs/configuring-workforce-identity-federation#grant_roles_to_principals)).

   - For instructions on how to represent external identities in IAM policies, see [Represent workforce pool users in IAM
     policies](/iam/docs/configuring-workforce-identity-federation#representing-workforce-users).

3. [Create a Dataproc cluster with Component Gateway enabled](/dataproc/docs/concepts/accessing/dataproc-gateways#rest-api).

Access cluster web interfaces

See [Viewing and Accessing Component Gateway URLs](/dataproc/docs/concepts/accessing/dataproc-gateways#viewing_and_accessing_component_gateway_urls),
and note the following differences for external identity users:

1. Only users that are authenticated with external identities can access the URL
   for external identities. If a user visits the URL for external identities while
   not logged in, they are redirected to the authentication portal where they
   specify their workforce pool provider name. Next, they are redirected to their
   identity provider to sign in. Then, they are redirected to the component
   web interface.

2. URLs for external identities have the following format:

   ```
   https://UNIQUE_ID-dot-dataproc.byoid.googleusercontent.com
   ```

What's next

- Create a cluster with [Dataproc components](/dataproc/docs/concepts/components/overview).

Last updated 2025-09-04 UTC.
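
A strict check for the external-identity Component Gateway URL format given above, of the kind used in a link allowlist or proxy rule before users are sent into the sign-in redirect chain. This is an added example, not code from the Dataproc documentation; the function names, the assumed UNIQUE_ID character set, and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Host suffix taken from the URL format documented above.
BYOID_SUFFIX = "-dot-dataproc.byoid.googleusercontent.com"
# Assumption: UNIQUE_ID is one DNS label (letters, digits, inner hyphens);
# the page does not specify its character set.
UNIQUE_ID_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def is_external_identity_gateway_url(url: str) -> bool:
    """True only for https://UNIQUE_ID-dot-dataproc.byoid.googleusercontent.com[/...]."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    # Userinfo makes the real host whatever follows the "@".
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    if not host.endswith(BYOID_SUFFIX):  # suffix must end the host, not just appear in it
        return False
    unique_id = host[: -len(BYOID_SUFFIX)]
    # A dot in unique_id would mean extra subdomain labels in front of the real one.
    fits_label = len(unique_id) <= 63 - len("-dot-dataproc")
    return fits_label and bool(UNIQUE_ID_RE.fullmatch(unique_id))


def rejected_links(urls):
    """Return the URLs that do not match the documented external-identity format."""
    return [u for u in urls if not is_external_identity_gateway_url(u)]


# Constructed sample links; "abc123" and example.net are placeholders.
SAMPLE_LINKS = [
    "https://abc123-dot-dataproc.byoid.googleusercontent.com/",
    "http://abc123-dot-dataproc.byoid.googleusercontent.com/",  # not HTTPS
    "https://abc123-dot-dataproc.byoid.googleusercontent.com.example.net/",  # suffix not last
    "https://abc123-dot-dataproc.byoid.googleusercontent.com@example.net/",  # userinfo
    "https://a.b-dot-dataproc.byoid.googleusercontent.com/",  # extra label
]

if __name__ == "__main__":
    for link in rejected_links(SAMPLE_LINKS):
        print("rejected:", link)
```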