Access control with IAM

Cloud Data Fusion uses Identity and Access Management (IAM) for access control.

When an application calls a Google Cloud API, IAM checks that the caller has an identity with the permissions required to use the resource.

You control access for Cloud Data Fusion at the project level. For example, you can grant access to all Cloud Data Fusion resources within a project to a group of developers.

For more information, see Granting, changing, and revoking access to resources.

Every Cloud Data Fusion API method requires the caller to have the necessary permissions.

Grant roles

You can grant roles to users at the project level using the Google Cloud console, the Resource Manager API, or the Google Cloud CLI. For instructions, see Granting, changing, and revoking access.

Required permissions

The following permissions are required to run Cloud Data Fusion. These permissions are automatically granted when you enable the Cloud Data Fusion API.

Role	Description	Permissions
Compute Engine and Networking	Lets users create peered networks between customer and tenant projects	`compute.globalOperations.get compute.networks.addPeering compute.networks.removePeering compute.networks.update compute.networks.get`
Dataproc	Grants permission to create and manage Dataproc clusters	`dataproc.editor compute.networkViewer`
Various storage	Provides a seamless data integration experience for Google Cloud storage services	`storage.admin bigquery.dataOwner bigquery.jobUser spanner.databaseUser spanner.viewer bigtable.admin`

Cloud Data Fusion roles

Cloud Data Fusion has the following roles. The lowest-level resource to which you can grant a role is a project.

Role	Description	Permissions
Cloud Data Fusion Admin (`roles/datafusion.admin`)	All viewer permissions, plus permissions to create, update, and delete Cloud Data Fusion instances. Has full access to Cloud Data Fusion UI. Can develop and run pipelines.	`datafusion.instances.get datafusion.instances.list datafusion.instances.create datafusion.instances.delete datafusion.instances.update datafusion.operations.get datafusion.operations.list datafusion.operations.cancel resourcemanager.projects.get resourcemanager.projects.list`
Cloud Data Fusion Viewer (`roles/datafusion.viewer`)	Has full access to Cloud Data Fusion UI. Permissions to view, create, manage, and run pipelines. Cannot create, update, or delete Cloud Data Fusion instances.	`datafusion.instances.get datafusion.instances.list datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list`
Cloud Data Fusion Runner (`roles/datafusion.runner`)	Granted to the Dataproc service account so that Dataproc is authorized to communicate the pipeline runtime information such as status, logs, and metrics to the Cloud Data Fusion services running in the tenant project.	`datafusion.instances.runtime`

Cloud Data Fusion API permissions

The following permissions required to run the Cloud Data Fusion API.

API	Permission
`instances.create`	`datafusion.instances.create`
`instances.delete`	`datafusion.instances.delete`
`instances.list`	`datafusion.instances.list`
`instances.get`	`datafusion.instances.get`
`instances.update`	`datafusion.instances.update`
`operations.cancel`	`datafusion.operations.cancel`
`operations.list`	`datafusion.operations.list`
`operations.get`	`datafusion.operations.get`

Permissions for common tasks

These common tasks require the following permissions:

Task	Permissions
Accessing the Identity-Aware Proxy-protected Cloud Data Fusion UI	`datafusion.instances.get`
Accessing the Cloud Data Fusion Instances page in the console	`datafusion.instances.list`
Accessing the Details page for an instance	`datafusion.instances.get`
Creating a new instance	`datafusion.instances.create`
Updating labels and advanced options to customize an instance	`datafusion.instances.update`
Deleting an instance	`datafusion.instances.delete`