Minimum permissions required for the Cloud Data Fusion Service Account
This document explains which permissions to give to the Cloud Data Fusion Service Account when you create a custom role that lets it access your resources.
Note: The principal name for the Cloud Data Fusion Service Account is service-CUSTOMER_PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com
By default, the Cloud Data Fusion API Service Agent (roles/datafusion.serviceAgent) Identity and Access Management role is assigned to the Cloud Data Fusion Service Account. This role is highly permissive.
Instead, you can use custom roles to grant only the permissions that the service account principal needs.
For more information about creating custom roles, see Create a custom role.
Required permissions for the Cloud Data Fusion Service Account
When you create a custom role for the Cloud Data Fusion Service Account, grant the following permissions based on the tasks you plan to perform in your instance. This lets Cloud Data Fusion access your resources.
Task | Required permissions
Get Dataproc clusters | dataproc.clusters.get
Create a Cloud Storage bucket per Cloud Data Fusion instance and upload files for Dataproc job execution
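The following script is an added example, not part of the Google Cloud page: it builds the custom-role definition that replaces roles/datafusion.serviceAgent with only the permissions taken from the table, checks each permission name for the IAM service.resource.verb shape before writing the file, and binds the role to the Cloud Data Fusion Service Account principal named above. PROJECT_ID, PROJECT_NUMBER, ROLE_ID and the role title are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): least-privilege custom role
# for the Cloud Data Fusion Service Account. Placeholders: PROJECT_ID,
# PROJECT_NUMBER, ROLE_ID. Only dataproc.clusters.get is listed on the page;
# add further permissions only from the task table for your own use case.

PROJECT_ID="${PROJECT_ID:-my-project}"            # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"  # placeholder
ROLE_ID="${ROLE_ID:-dataFusionMinimal}"           # placeholder

# Principal name of the Cloud Data Fusion Service Account for a project number.
datafusion_sa() {
  printf 'service-%s@gcp-sa-datafusion.iam.gserviceaccount.com\n' "$1"
}

# Syntax check only: IAM permissions look like service.resource.verb.
# A typo here would otherwise create a role that fails at pipeline run time.
valid_permission() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]+(\.[A-Za-z0-9_]+){2,}$'
}

# Emit a role definition in the YAML form accepted by
# `gcloud iam roles create ROLE_ID --file`. Arguments: one permission each.
role_yaml() {
  for p in "$@"; do
    valid_permission "$p" || { printf 'malformed permission: %s\n' "$p" >&2; return 1; }
  done
  printf 'title: "Cloud Data Fusion minimal"\n'
  printf 'description: "Least-privilege replacement for roles/datafusion.serviceAgent"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  for p in "$@"; do printf '  - %s\n' "$p"; done
}

# Create the role and bind it to the service account. Needs gcloud and IAM
# admin rights on the project; it is defined here but not run automatically.
apply_role() {
  role_yaml "$@" > datafusion-role.yaml || return 1
  gcloud iam roles create "$ROLE_ID" --project "$PROJECT_ID" --file datafusion-role.yaml
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$(datafusion_sa "$PROJECT_NUMBER")" \
    --role "projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Print the definition for the one task permission the table lists.
role_yaml dataproc.clusters.get
```

Run `apply_role dataproc.clusters.get` (adding further permissions from the table as arguments) once you have verified the generated datafusion-role.yaml.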
What's next
- Learn more about creating and managing custom roles.
- Learn more about access control options in Cloud Data Fusion.

Last updated: 2025-09-04 (UTC)