Minimum permissions required for the Cloud Data Fusion Service Account

This document explains which permissions to give to the Cloud Data Fusion Service Account when you create a custom role that lets it access your resources.

By default, the Cloud Data Fusion API Service Agent (roles/datafusion.serviceAgent) Identity and Access Management role is assigned to the Cloud Data Fusion Service Account. This role is highly permissive. Instead, you can use custom roles to provide only the permissions that the service account principal needs.

For more information about the Cloud Data Fusion service accounts, see Service accounts in Cloud Data Fusion.

For more information about creating custom roles, see Create a custom role.

Required permissions for the Cloud Data Fusion Service Account

When you create a custom role for the Cloud Data Fusion Service Account, give the following permissions based on the tasks you plan to perform in your instance. This lets Cloud Data Fusion access your resources.

Task Permissions required
Create a Cloud Data Fusion instance
  • datafusion.instances.setIamPolicy
  • datafusion.instances.getIamPolicy
Get Dataproc clusters
  • dataproc.clusters.get
Create Cloud Storage bucket per Cloud Data Fusion instance and upload files for Dataproc job execution
  • storage.buckets.get
  • storage.objects.get
  • storage.buckets.create
  • storage.objects.create
  • storage.objects.update
  • storage.buckets.delete
  • storage.objects.delete
Publish logs to Cloud Logging
  • logging.logEntries.create
Publish Cloud metrics to Cloud Monitoring
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.timeSeries.create
Create a Cloud Data Fusion instance with VPC peering
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.get
Create a Cloud Data Fusion instance with DNS peering zone between customer and tenant projects
  • dns.managedZones.create
  • dns.managedZones.delete
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone
Create a Cloud Data Fusion instance with Private Service Connect
  • compute.networkAttachments.get
  • compute.networkAttachments.update
  • compute.networkAttachments.list

What's next