Access control

Overview

The Cloud Data Fusion API uses Identity and Access Management (IAM) for access control.

With IAM, you configure access control at the project level. For example, you can grant a group of developers access to all Cloud Data Fusion API resources within a project.

For a detailed description of IAM and its features, see the IAM developer's guide. In particular, see its Managing IAM Policies section.

Every Cloud Data Fusion API method requires the caller to hold the corresponding permission. The roles and permissions sections below list which permission each method and task needs and which roles contain it.

Required permissions

The following permissions are needed by Cloud Data Fusion itself to create and operate its resources (as distinct from the permissions its users need, which the following sections list). They are granted automatically when the Cloud Data Fusion API is enabled.

Compute Engine and Networking (permissions), to create peered networks between the consumer and tenant projects:
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.get

Dataproc (roles), to create and manage Dataproc clusters:
  • dataproc.editor
  • compute.networkViewer

Storage services (roles), to provide a seamless data integration experience for Google Cloud storage services:
  • storage.admin
  • bigquery.dataOwner
  • bigquery.jobUser
  • spanner.databaseUser
  • spanner.viewer
  • bigtable.admin

Cloud Data Fusion roles

Each role is listed with its title, what it allows, the permissions it contains, and the lowest resource at which it can be granted.

roles/datafusion.admin (Cloud Data Fusion Admin)
  • All Viewer permissions, plus permissions to create, update, and delete Cloud Data Fusion instances.
  • Has full access to the Cloud Data Fusion UI, including developing and running pipelines.
  Permissions:
    datafusion.instances.get
    datafusion.instances.list
    datafusion.instances.create
    datafusion.instances.delete
    datafusion.instances.update
    datafusion.operations.get
    datafusion.operations.list
    datafusion.operations.cancel
    resourcemanager.projects.get
    resourcemanager.projects.list
  Lowest resource: Project

roles/datafusion.viewer (Cloud Data Fusion Viewer)
  • Has full access to the Cloud Data Fusion UI, with permission to view, create, manage, and run pipelines.
  • Cannot create, update, or delete Cloud Data Fusion instances.
  • Note that despite its name this role is not read-only: anyone holding it can build and run pipelines, so grant it only to principals who should be able to execute workloads in the project.
  Permissions:
    datafusion.instances.get
    datafusion.instances.list
    datafusion.operations.get
    datafusion.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list
  Lowest resource: Project

roles/datafusion.runner (Cloud Data Fusion Runner)
  • Granted to the Dataproc service account so that Dataproc is authorized to report pipeline runtime information (status, logs, and metrics) to the Cloud Data Fusion services running in the tenant project.
  Permissions:
    datafusion.instances.runtime
  Lowest resource: Project

Cloud Data Fusion API permissions

This section lists the permission required to call each Cloud Data Fusion API method.

API method          Required permission
instances.create    datafusion.instances.create
instances.delete    datafusion.instances.delete
instances.list      datafusion.instances.list
instances.get       datafusion.instances.get
instances.update    datafusion.instances.update
operations.cancel   datafusion.operations.cancel
operations.list     datafusion.operations.list
operations.get      datafusion.operations.get

Permissions for common tasks

This section lists the permission required to perform each common task in Cloud Data Fusion.

Task                                                                    Permission
Access the Cloud IAP-protected Cloud Data Fusion graphical interface    datafusion.instances.get
View the instances page in the Cloud Console                            datafusion.instances.list
View the details page of an instance                                    datafusion.instances.get
Create a new instance                                                   datafusion.instances.create
Update the labels and advanced options of an instance                   datafusion.instances.update
Delete an instance                                                      datafusion.instances.delete

Access control via Cloud Console

To manage access control for your projects and the Cloud Data Fusion environments in them, you can use the Cloud Console. To grant a role at the project level:

  1. Open the IAM page in the Cloud Console.
  2. Select your project, and click Continue.
  3. Click Add Member.
  4. Enter the email address of a member who has not previously been granted an IAM role in the project.
  5. Click the Down arrow and select the role to grant, for example Cloud Data Fusion Viewer or Cloud Data Fusion Admin.
  6. Click Add.
  7. Verify that the member is listed under the role that you granted.
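To tie the role table, the task table, and the Console procedure together, here is an added Python example (written for this page; it is not Google's or Cloud Data Fusion's own code) that performs the same read-modify-write that granting a role in the Console performs, but against a policy document of the shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. It expands the predefined roles using the permission lists above, so you can ask whether a principal can perform a task such as deleting an instance, and it flags grants a reviewer should question: Data Fusion roles given to allUsers or allAuthenticatedUsers, and the Runner role given to anything other than a service account. The project, principals, and etag in SAMPLE_POLICY are constructed sample values.

```python
"""Offline helpers for reviewing and editing Cloud Data Fusion IAM grants.

Added example, not Google's or Cloud Data Fusion's own code. It operates on the
JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`
(bindings plus etag) and expands the predefined roles using this page's lists."""
import copy

# Permission sets of the predefined roles, as listed on this page.
ROLE_PERMISSIONS = {
    "roles/datafusion.admin": {
        "datafusion.instances.get", "datafusion.instances.list",
        "datafusion.instances.create", "datafusion.instances.delete",
        "datafusion.instances.update", "datafusion.operations.get",
        "datafusion.operations.list", "datafusion.operations.cancel",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/datafusion.viewer": {
        "datafusion.instances.get", "datafusion.instances.list",
        "datafusion.operations.get", "datafusion.operations.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/datafusion.runner": {"datafusion.instances.runtime"},
}

# Principals that make a grant effectively public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy for a hypothetical project (principals and etag are
# made up). The Viewer binding is the kind of mistake audit() is meant to catch.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/datafusion.admin",
         "members": ["group:data-platform-admins@example.com"]},
        {"role": "roles/datafusion.viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/datafusion.runner",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    ],
    "etag": "BwXsampleEtag=",
    "version": 1,
}


def effective_permissions(policy, member):
    """Permissions a member gets from the predefined Data Fusion roles.

    Conditional bindings and roles outside ROLE_PERMISSIONS are not expanded,
    so this is a lower bound on real access, never an upper bound."""
    perms = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition") or member not in binding.get("members", []):
            continue
        perms |= ROLE_PERMISSIONS.get(binding.get("role"), set())
    return perms


def can(policy, member, permission):
    """True if the member holds the permission through a Data Fusion role."""
    return permission in effective_permissions(policy, member)


def add_binding(policy, role, member):
    """Copy of the policy with member added to role (idempotent; input unchanged).

    This is the client-side half of `gcloud projects add-iam-policy-binding`; the
    etag is kept so a later setIamPolicy fails if the policy changed meanwhile."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def remove_binding(policy, role, member):
    """Copy of the policy with member removed from role; empty bindings are dropped."""
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding.get("role") == role and not binding.get("condition"):
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    updated["bindings"] = kept
    return updated


def audit(policy):
    """Findings a reviewer should see before approving Data Fusion grants."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in ROLE_PERMISSIONS:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{role} is granted to {member}: even the Viewer "
                                "role gives full UI access and can run pipelines")
            if role == "roles/datafusion.runner" and not member.startswith("serviceAccount:"):
                findings.append(f"{role} is intended for the Dataproc service "
                                f"account but is granted to {member}")
    return findings
```

Calling audit(SAMPLE_POLICY) reports the public Viewer grant. Removing allAuthenticatedUsers with remove_binding and granting the role to a group with add_binding yields a policy that audits clean, and can(...) confirms the group still cannot delete instances, which is the least-privilege split between Viewer and Admin that the role table describes. All functions return new objects and leave the input untouched, so the result can be diffed against the original before it is written back with setIamPolicy.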