Cloud Dataflow Access Control Guide

Overview

You can use Cloud Dataflow IAM roles to limit access for users within a project or organization, to just Cloud Dataflow-related resources, as opposed to granting users viewer, editor, or owner access to the entire Cloud Platform project.

This page focuses on how to use Cloud Dataflow's IAM roles. For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management developer's guide.

Every Cloud Dataflow method requires the caller to have the necessary permissions. For a list of the permissions and roles Cloud Dataflow supports, see the following section.

Permissions and roles

This section summarizes the permissions and roles Cloud Dataflow IAM supports.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Method	Required Permission(s)
`dataflow.jobs.create`	`dataflow.jobs.create`
`dataflow.jobs.cancel`	`dataflow.jobs.cancel`
`dataflow.jobs.updateContents`	`dataflow.jobs.updateContents`
`dataflow.jobs.list`	`dataflow.jobs.list`
`dataflow.jobs.get`	`dataflow.jobs.get`
`dataflow.jobs.drain`	`dataflow.jobs.drain`
`dataflow.messages.list`	`dataflow.messages.list`
`dataflow.metrics.get`	`dataflow.metrics.get`

Note: The Cloud Dataflow Worker role (roles/dataflow.worker) provides the permissions (dataflow.workItems.lease, dataflow.workItems.update, and dataflow.workItems.sendMessage) necessary for a Compute Engine service account to execute work units for a Apache Beam pipeline. It should typically only be assigned to such an account, and only includes the ability to request and update work from the Cloud Dataflow service.

Roles

The following table lists the Cloud Dataflow IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Role	includes permission(s)	for resource types:
`roles/dataflow.viewer`	`dataflow.<resource-type>.list` `dataflow.<resource-type>.get`	jobs, messages, metrics
`roles/dataflow.developer`	All of the above, as well as: `dataflow.jobs.create` `dataflow.jobs.drain` `dataflow.jobs.cancel`	jobs
`roles/dataflow.admin`	All of the above, as well as: `compute.machineTypes.get` `storage.buckets.get` `storage.objects.create` `storage.objects.get` `storage.objects.list`	NA
`roles/dataflow.worker` (for controller service accounts only)	`dataflow.jobs.get` `dataflow.jobs.list` `dataflow.workItems.lease` `dataflow.workItems.update` `dataflow.workItems.sendMessage` `logging.logEntries.create` `storage.objects.create` `storage.objects.get`	NA

Creating jobs

In order to a create a job, roles/dataflow.admin includes the minimal set of permissions required to run and examine jobs.

Alternatively, the following permissions are required:

The roles/dataflow.developer role, to instantiate the job itself.
The roles/compute.viewer role, to access machine type information and view other settings.
The roles/storage.objectAdmin role, to provide permission to stage files on Cloud Storage.

Example role assignment

To illustrate the utility of the different Cloud Dataflow roles, consider the following breakdown:

The developer who creates and examines jobs will need the roles/dataflow.admin role.
For more sophisticated permissions management, the developer interacting with the Cloud Dataflow job will need the roles/dataflow.developer role.
- They will need the roles/storage.objectAdmin or a related role in order to stage the required files.
- For debugging and quota checking, they will need the project roles/compute.viewer role.
- Absent other role assignments, this will allow the developer to create and cancel Cloud Dataflow jobs, but not interact with the individual VMs or access other Cloud services.
The [controller service account](security-and-permissions#controller_service_account needs the roles/dataflow.worker role to process data for the Cloud Dataflow service. It will need other roles (such as roles/storage.objectAdmin) in order to access job data.

Assigning Cloud Dataflow roles

Cloud Dataflow roles can currently be set on organizations and projects only.

To manage roles at the organizational level, see Access Control for Organizations Using IAM.

To set project-level roles, see Access control via the Google Cloud Platform Console.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated January 18, 2019.