This document explains which permissions to give to the Cloud Data Fusion Service Account when you create a custom role that lets it access your resources.
By default, the
Cloud Data Fusion API Service Agent
(roles/datafusion.serviceAgent) Identity and Access Management role is assigned to the
Cloud Data Fusion Service Account. This role is highly permissive.
Instead, you can use custom roles to provide only the permissions that the
service account principal needs.
For more information about the Cloud Data Fusion service accounts, see Service accounts in Cloud Data Fusion.
For more information about creating custom roles, see Create a custom role.
Required permissions for the Cloud Data Fusion Service Account
When you create a custom role for the Cloud Data Fusion Service Account, give the following permissions based on the tasks you plan to perform in your instance. This lets Cloud Data Fusion access your resources.
| Task | Permissions required |
|---|---|
| Create a Cloud Data Fusion instance |
|
| Get Dataproc clusters |
|
| Create Cloud Storage bucket per Cloud Data Fusion instance and upload files for Dataproc job execution |
|
| Publish logs to Cloud Logging |
|
| Publish Cloud metrics to Cloud Monitoring |
|
| Create a Cloud Data Fusion instance with VPC peering |
|
| Create a Cloud Data Fusion instance with DNS peering zone between customer and tenant projects |
|
| Create a Cloud Data Fusion instance with Private Service Connect |
|
What's next
- Learn more about creating and managing custom roles.
- Learn more about access control options in Cloud Data Fusion.