Cloud Data Fusion uses Identity and Access Management (IAM) for access control.
When an application calls a Google Cloud API, IAM checks that the caller has an identity with the permissions required to use the resource.
You control access for Cloud Data Fusion at the project level. For example, you can grant access to all Cloud Data Fusion resources within a project to a group of developers.
For more information, see Granting, changing, and revoking access to resources.
Every Cloud Data Fusion API method requires the caller to have the necessary permissions.
Grant roles
You can grant roles to users at the project level using the Google Cloud console, the Resource Manager API, or the Google Cloud CLI. For instructions, see Granting, changing, and revoking access.
Required permissions
The following permissions are required to run Cloud Data Fusion. These permissions are automatically granted when you enable the Cloud Data Fusion API.
Role | Description | Permissions |
---|---|---|
Compute Engine and Networking | Lets users create peered networks between customer and tenant projects | compute.globalOperations.get |
Dataproc | Grants permission to create and manage Dataproc clusters | dataproc.editor |
Various storage | Provides a seamless data integration experience for Google Cloud storage services | storage.admin |
Cloud Data Fusion roles
Cloud Data Fusion has the following roles. The lowest-level resource to which you can grant a role is a project.
Role | Description | Permissions |
---|---|---|
Cloud Data Fusion Admin (roles/datafusion.admin) | | datafusion.instances.get |
Cloud Data Fusion Viewer (roles/datafusion.viewer) | | datafusion.instances.get |
Cloud Data Fusion Runner (roles/datafusion.runner) | Granted to the Dataproc service account so that Dataproc is authorized to communicate the pipeline runtime information such as status, logs, and metrics to the Cloud Data Fusion services running in the tenant project. | datafusion.instances.runtime |
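Because these roles are granted at the project level, a project's IAM policy is the place to review who holds them. The following added example (not from the Cloud Data Fusion documentation or the gcloud tool) audits the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints; the embedded policy, its member ids and the three review heuristics are constructed for this example.

```python
import json

# The three Cloud Data Fusion roles documented above; they bind at project level.
DATAFUSION_ROLES = {
    "roles/datafusion.admin",
    "roles/datafusion.viewer",
    "roles/datafusion.runner",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the shape `gcloud projects get-iam-policy
# PROJECT --format=json` prints; every member id here is a placeholder.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/datafusion.admin",
         "members": ["group:data-eng@example.com", "user:alice@example.com"]},
        {"role": "roles/datafusion.viewer",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/datafusion.runner",
         "members": ["serviceAccount:dataproc-sa@example.iam.gserviceaccount.com",
                     "user:bob@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "etag": "placeholder-etag",
    "version": 1,
})


def audit_datafusion_bindings(policy_json):
    """Return (role, member, finding) triples for bindings worth reviewing.

    Checks are this script's own heuristics: public principals; the runner
    role held by anything but a service account (it exists for the Dataproc
    service account); admin granted to an individual user instead of a group.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in DATAFUSION_ROLES:
            continue  # other roles are out of scope for this audit
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public principal"))
            elif role == "roles/datafusion.runner" and not member.startswith("serviceAccount:"):
                findings.append((role, member, "runner role on non-service-account"))
            elif role == "roles/datafusion.admin" and member.startswith("user:"):
                findings.append((role, member, "admin granted to individual user"))
    return findings
```

To audit a real project, pass the output of `gcloud projects get-iam-policy PROJECT --format=json` to `audit_datafusion_bindings` instead of `SAMPLE_POLICY`.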
Cloud Data Fusion API permissions
The following permissions are required to call each Cloud Data Fusion API method.
API | Permission |
---|---|
instances.create | datafusion.instances.create |
instances.delete | datafusion.instances.delete |
instances.list | datafusion.instances.list |
instances.get | datafusion.instances.get |
instances.update | datafusion.instances.update |
operations.cancel | datafusion.operations.cancel |
operations.list | datafusion.operations.list |
operations.get | datafusion.operations.get |
Permissions for common tasks
These common tasks require the following permissions:
Task | Permissions |
---|---|
Accessing the Identity-Aware Proxy-protected Cloud Data Fusion UI | datafusion.instances.get |
Accessing the Cloud Data Fusion Instances page in the console | datafusion.instances.list |
Accessing the Details page for an instance | datafusion.instances.get |
Creating a new instance | datafusion.instances.create |
Updating labels and advanced options to customize an instance | datafusion.instances.update |
Deleting an instance | datafusion.instances.delete |