Cloud Dataprep Permissions and IAM Roles

Overview

Identity and Access Management (IAM) allows you to control user and group access to your project's resources. This document focuses on the IAM permissions relevant to Cloud Dataprep and the IAM roles that grant those permissions.

Cloud Dataprep Permissions

Cloud Dataprep permissions allow users to run the Cloud Dataprep application and access resources in your project. You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

Also see Dataflow Security and permissions for the service accounts used by Dataflow to manage security and permissions when it runs Dataprep jobs.

Cloud Dataprep Roles

Currently, there are two Cloud Dataprep roles:

  1. dataprep.projects.user, which includes the dataprep.projects.use permission. This role allows a user to run the Cloud Dataprep application in a project.

  2. dataprep.serviceAgent, which gives Trifacta, the third party that hosts the Cloud Dataprep application, roles and permissions to allow Trifacta to access and modify datasets and storage, and run and manage Cloud Dataprep jobs, within a project.

    Below is a Cloud Dataprep screenshot that asks users to grant Trifacta the necessary (dataprep.serviceAgent) project permissions as part of the Cloud Dataprep activation process.

The following table lists the Cloud Dataprep IAM roles and their included permissions and roles.

Cloud Dataprep Role Included Permissions/Roles
dataprep.projects.user permission: dataprep.projects.use
dataprep.serviceAgent permission: storage.buckets.get
permission: storage.buckets.list
roles/dataflow.developer
roles/bigquery.user
roles/bigquery.dataEditor
roles/storage.objectAdmin
roles/iam.serviceAccountUser

IAM management

You can get and set IAM policies using the Google Cloud console, the IAM API, or the Google Cloud CLI.

What's next