Izin minimum yang diperlukan untuk Akun Layanan Cloud Data Fusion
Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Dokumen ini menjelaskan izin yang harus diberikan kepada
Akun Layanan Cloud Data Fusion saat Anda membuat peran kustom yang
memungkinkannya mengakses resource Anda.
Secara default, peran Identity and Access Management
Cloud Data Fusion API Service Agent
(roles/datafusion.serviceAgent) ditetapkan ke Akun Layanan Cloud Data Fusion. Peran ini sangat permisif.
Sebagai gantinya, Anda dapat menggunakan peran khusus untuk memberikan hanya izin yang diperlukan oleh akun utama akun layanan.
Untuk mengetahui informasi selengkapnya tentang cara membuat peran khusus, lihat artikel Membuat peran khusus.
Izin yang diperlukan untuk Akun Layanan Cloud Data Fusion
Saat membuat peran kustom untuk Akun Layanan Cloud Data Fusion, berikan izin berikut berdasarkan tugas yang akan Anda lakukan di instance. Hal ini memungkinkan Cloud Data Fusion mengakses resource Anda.
Tugas
Izin diperlukan
Mendapatkan cluster Dataproc
dataproc.clusters.get
Buat bucket Cloud Storage per instance Cloud Data Fusion
dan upload file untuk eksekusi tugas Dataproc
storage.buckets.get
storage.objects.get
storage.buckets.create
storage.objects.create
storage.objects.update
storage.buckets.delete
storage.objects.delete
Memublikasikan log ke Cloud Logging
logging.logEntries.create
Memublikasikan metrik Cloud ke Cloud Monitoring
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create
Buat instance Cloud Data Fusion dengan
peering VPC
compute.globalOperations.get
compute.networks.addPeering
compute.networks.removePeering
compute.networks.update
compute.networks.get
Buat instance Cloud Data Fusion dengan
zona peering DNS
antara project pelanggan dan project tenant
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[[["\u003cp\u003eThis document outlines the necessary permissions for the Cloud Data Fusion Service Account when using custom roles to access resources, as opposed to the default highly permissive role.\u003c/p\u003e\n"],["\u003cp\u003eCustom roles allow you to grant specific permissions to the service account principal, tailoring access to only what is needed for designated tasks.\u003c/p\u003e\n"],["\u003cp\u003ePermissions required for tasks such as instance creation, Dataproc cluster access, Cloud Storage interaction, and publishing logs or metrics are detailed in the provided table.\u003c/p\u003e\n"],["\u003cp\u003eAdditional configurations like VPC peering, DNS peering, and Private Service Connect each have their own specific permissions needed to create a Cloud Data Fusion instance.\u003c/p\u003e\n"]]],[],null,["# Minimum permissions required for the Cloud Data Fusion Service Account\n\nThis document explains which permissions to give to the\nCloud Data Fusion Service Account when you create a custom role that\nlets it access your resources.\n| **Note:** The principal name for the [Cloud Data Fusion Service Account](/data-fusion/docs/access-control#data-fusion-service-account) is `service-`\u003cvar translate=\"no\"\u003eCUSTOMER_PROJECT_NUMBER\u003c/var\u003e`@gcp-sa-datafusion.iam.gserviceaccount.com`\n\nBy default, the\n[Cloud Data Fusion API Service Agent](/iam/docs/understanding-roles#datafusion.serviceAgent)\n(`roles/datafusion.serviceAgent`) Identity and Access Management role is assigned to the\nCloud Data Fusion Service Account. This role is highly permissive.\nInstead, you can use custom roles to provide only the permissions that the\nservice account principal needs.\n\nFor more information about the Cloud Data Fusion service accounts, see\n[Service accounts in Cloud Data Fusion](/data-fusion/docs/concepts/service-accounts).\n\nFor more information about creating custom roles, see\n[Create a custom role](/iam/docs/creating-custom-roles#creating).\n\nRequired permissions for the Cloud Data Fusion Service Account\n--------------------------------------------------------------\n\nWhen you create a custom role for the Cloud Data Fusion Service Account,\ngive the following permissions based on the tasks you plan to perform in your\ninstance. This lets Cloud Data Fusion access your resources.\n\nWhat's next\n-----------\n\n- Learn more about [creating and managing custom roles](/iam/docs/creating-custom-roles).\n- Learn more about [access control options in Cloud Data Fusion](/data-fusion/docs/access-control)."]]
