Overview
To limit access for users within a project or organization, you can use Dataflow IAM roles. You can restrict access to Dataflow-related resources, as opposed to granting users viewer, editor, or owner access to the entire Google Cloud project.
This page focuses on how to use Dataflow's IAM roles. For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management developer's guide.
Every Dataflow method requires the caller to have the necessary permissions. For a list of the permissions and roles Dataflow supports, see the following section.
Permissions and roles
This section summarizes the permissions and roles Dataflow IAM supports.
Required permissions
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permissions |
|---|---|
dataflow.jobs.create |
dataflow.jobs.create |
dataflow.jobs.cancel |
dataflow.jobs.cancel |
dataflow.jobs.updateContents |
dataflow.jobs.updateContents |
dataflow.jobs.list |
dataflow.jobs.list |
dataflow.jobs.get |
dataflow.jobs.get |
dataflow.messages.list |
dataflow.messages.list |
dataflow.metrics.get |
dataflow.metrics.get |
Roles
The following table lists the Dataflow IAM roles with a corresponding list of all the permissions each role includes. Every permission is applicable to a particular resource type.
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dataflow Admin | Minimal role for creating and managing dataflow jobs. |
compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list |
|
roles/ |
Dataflow Developer | Provides the permissions necessary to execute and manipulate Dataflow jobs. |
dataflow.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Dataflow Viewer | Provides read-only access to all Dataflow-related resources. |
dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Dataflow Worker | Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline. |
compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get |
Project |
The Dataflow Worker role (roles/dataflow.worker)
provides the permissions (dataflow.workItems.lease,
dataflow.workItems.update, and dataflow.workItems.sendMessage)
necessary for a Compute Engine service account to execute work units
for an Apache Beam pipeline. It should typically only be assigned to such an account,
and only includes the ability to request and update work from the Dataflow
service.
The Dataflow Service Agent role (roles/dataflow.serviceAgent)
provides a Dataflow
service account
access to managed resources. This Service Agent role is assigned to a
Dataflow service account when you create a
Dataflow project. You cannot assign this role.
Creating jobs
To a create a job, roles/dataflow.admin includes
the minimal set of permissions required to run and examine jobs.
Alternatively, the following permissions are required:
- The
roles/dataflow.developerrole, to instantiate the job itself. - The
roles/compute.viewerrole, to access machine type information and view other settings. - The
roles/storage.objectAdminrole, to provide permission to stage files on Cloud Storage.
Example role assignment
To illustrate the utility of the different Dataflow roles, consider the following breakdown:
- The developer who creates and examines jobs needs the
roles/dataflow.adminrole. - For more sophisticated permissions management, the developer interacting with the Dataflow job needs the
roles/dataflow.developerrole.- They need the
roles/storage.objectAdminor a related role to stage the required files. - For debugging and quota checking, they need the project
roles/compute.viewerrole. - Absent other role assignments, this role allows the developer to create and cancel Dataflow jobs, but not interact with the individual VMs or access other Cloud services.
- They need the
- The controller service account needs the
roles/dataflow.workerrole to process data for the Dataflow service. To access job data, the service accounts needs other roles such asroles/storage.objectAdmin.
Assigning Dataflow roles
Dataflow roles can currently be set on organizations and projects only.
To manage roles at the organizational level, see Access Control for Organizations Using IAM.
To set project-level roles, see Granting, changing, and revoking access to resources.