Access control with IAM

Cloud Data Fusion uses Identity and Access Management (IAM) for access control.

When an application calls a Google Cloud API, IAM checks that the caller has an identity with the permissions required to use the resource.

You control access for Cloud Data Fusion at the project level. For example, you can grant access to all Cloud Data Fusion resources within a project to a group of developers.

For more information, see Granting, changing, and revoking access to resources.

Every Cloud Data Fusion API method requires the caller to have the necessary permissions.

Grant roles

You can grant roles to users at the project level using the Google Cloud Console, the Resource Manager API, or the gcloud command-line tool. For instructions, see Granting, changing, and revoking access.

Required permissions

The following permissions are required to run Cloud Data Fusion. These permissions are automatically granted when you enable the Cloud Data Fusion API.

Role: Compute Engine and Networking
Description: Lets users create peered networks between customer and tenant projects
Permissions:
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.get

Role: Dataproc
Description: Grants permission to create and manage Dataproc clusters
Permissions:
  • dataproc.editor
  • compute.networkViewer

Role: Various storage
Description: Provides a seamless data integration experience for Google Cloud storage services
Permissions:
  • storage.admin
  • bigquery.dataOwner
  • bigquery.jobUser
  • spanner.databaseUser
  • spanner.viewer
  • bigtable.admin

Cloud Data Fusion roles

Cloud Data Fusion has the following roles. The lowest-level resource to which you can grant a role is a project.

Role: Cloud Data Fusion Admin (roles/datafusion.admin)
Description:
  • All viewer permissions, plus permissions to create, update, and delete Cloud Data Fusion instances.
  • Has full access to the Cloud Data Fusion UI. Can develop and run pipelines.
Permissions:
  • datafusion.instances.get
  • datafusion.instances.list
  • datafusion.instances.create
  • datafusion.instances.delete
  • datafusion.instances.update
  • datafusion.operations.get
  • datafusion.operations.list
  • datafusion.operations.cancel
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: Cloud Data Fusion Viewer (roles/datafusion.viewer)
Description:
  • Has full access to the Cloud Data Fusion UI. Permissions to view, create, manage, and run pipelines.
  • Cannot create, update, or delete Cloud Data Fusion instances.
Permissions:
  • datafusion.instances.get
  • datafusion.instances.list
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: Cloud Data Fusion Runner (roles/datafusion.runner)
Description: Granted to the Dataproc service account so that Dataproc is authorized to communicate pipeline runtime information, such as status, logs, and metrics, to the Cloud Data Fusion services running in the tenant project.
Permissions:
  • datafusion.instances.runtime

Cloud Data Fusion API permissions

Each Cloud Data Fusion API method requires the caller to hold the following permission.

API method          Required permission
instances.create    datafusion.instances.create
instances.delete    datafusion.instances.delete
instances.list      datafusion.instances.list
instances.get       datafusion.instances.get
instances.update    datafusion.instances.update
operations.cancel   datafusion.operations.cancel
operations.list     datafusion.operations.list
operations.get      datafusion.operations.get

Permissions for common tasks

These common tasks require the following permissions:

Task                                                                 Required permission
Accessing the Identity-Aware Proxy-protected Cloud Data Fusion UI   datafusion.instances.get
Accessing the Cloud Data Fusion Instances page in the Cloud Console  datafusion.instances.list
Accessing the Details page for an instance                           datafusion.instances.get
Creating a new instance                                              datafusion.instances.create
Updating labels and advanced options to customize an instance        datafusion.instances.update
Deleting an instance                                                 datafusion.instances.delete
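The role and task tables above map directly onto a least-privilege check: given the tasks a principal actually performs, which predefined role is the smallest one that covers them, and what extra permissions would a broader grant expose? The following Python is an added example, not Google's or Cloud Data Fusion's own code. The role-to-permission and task-to-permission data are copied from the tables on this page (the short task names are this example's own labels); the helper functions, `least_privilege_role`, `missing_permissions`, and `excess_permissions`, are hypothetical and exist only to illustrate the comparison.

```python
"""Least-privilege helper for the Cloud Data Fusion roles listed on this page.

Added example, not part of the Cloud Data Fusion documentation or product.
The ROLE_PERMISSIONS and TASK_PERMISSION tables are transcribed from the page;
everything else is this example's own illustration.
"""
from __future__ import annotations

from typing import Iterable

# Predefined roles and the permissions each grants (from the "Cloud Data Fusion roles" table).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/datafusion.viewer": frozenset({
        "datafusion.instances.get",
        "datafusion.instances.list",
        "datafusion.operations.get",
        "datafusion.operations.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    }),
    "roles/datafusion.admin": frozenset({
        "datafusion.instances.get",
        "datafusion.instances.list",
        "datafusion.instances.create",
        "datafusion.instances.delete",
        "datafusion.instances.update",
        "datafusion.operations.get",
        "datafusion.operations.list",
        "datafusion.operations.cancel",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    }),
    "roles/datafusion.runner": frozenset({"datafusion.instances.runtime"}),
}

# Common tasks and the permission each requires (from the "Permissions for common tasks"
# table). The short task names on the left are labels chosen for this example.
TASK_PERMISSION: dict[str, str] = {
    "open the IAP-protected UI": "datafusion.instances.get",
    "list instances in the console": "datafusion.instances.list",
    "view instance details": "datafusion.instances.get",
    "create an instance": "datafusion.instances.create",
    "update an instance": "datafusion.instances.update",
    "delete an instance": "datafusion.instances.delete",
}


def granted_permissions(roles: Iterable[str]) -> frozenset[str]:
    """Union of the permissions carried by the given predefined roles."""
    perms: set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def required_permissions(tasks: Iterable[str]) -> frozenset[str]:
    """Permissions the listed tasks need, looked up in the page's task table."""
    return frozenset(TASK_PERMISSION[task] for task in tasks)


def missing_permissions(roles: Iterable[str], tasks: Iterable[str]) -> list[str]:
    """Permissions the tasks need that the given roles do not grant (empty = allowed)."""
    return sorted(required_permissions(tasks) - granted_permissions(roles))


def least_privilege_role(tasks: Iterable[str]) -> str | None:
    """Predefined role with the fewest permissions that still covers every task, or None."""
    need = required_permissions(tasks)
    candidates = [role for role, perms in ROLE_PERMISSIONS.items() if need <= perms]
    if not candidates:
        return None
    return min(candidates, key=lambda role: len(ROLE_PERMISSIONS[role]))


def excess_permissions(role: str, tasks: Iterable[str]) -> list[str]:
    """Permissions a role carries beyond what the tasks need: the cost of over-granting."""
    return sorted(ROLE_PERMISSIONS[role] - required_permissions(tasks))


if __name__ == "__main__":
    ui_tasks = ["open the IAP-protected UI", "list instances in the console"]
    print("pipeline developer ->", least_privilege_role(ui_tasks))
    print("viewer missing for delete:",
          missing_permissions(["roles/datafusion.viewer"], ["delete an instance"]))
    print("admin granted only to view details exposes:",
          excess_permissions("roles/datafusion.admin", ["view instance details"]))
```

Running the script shows that a principal who only opens the UI and lists instances is fully served by roles/datafusion.viewer, that the viewer role lacks exactly datafusion.instances.delete for instance deletion, and that granting admin to someone who only views details hands them instance create, update, delete, and operation cancel permissions they never need.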