This page describes how to grant a Google Cloud user account or service account access to basic Dataproc Metastore resources in a project. The roles described on this page provide access to create a Dataproc Metastore service.
Depending on the scope of control you want the account to have, you grant it one of these predefined IAM roles:
- roles/metastore.editor to grant full control of Dataproc Metastore resources
- roles/metastore.admin to grant full control of Dataproc Metastore resources, including updating IAM permissions.
For detailed information about the specific IAM permissions these roles provide, see Dataproc Metastore IAM roles.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Dataproc Metastore API.
Required Roles
You must have the roles/owner (Owner) basic IAM role in the Google Cloud project you are using, or a role that grants these permissions:
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy

To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.
How to grant access roles
gcloud
To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.
Run the following add-iam-policy-binding command to grant a Dataproc Metastore predefined role to an IAM principal (user account or service account).

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=PRINCIPAL \
        --role=METASTORE_ROLE

Replace the following:
- PROJECT_ID: The ID of the project you want to enable Metastore access to.
- PRINCIPAL: The type and email ID (email address) of the principal.
  - For user accounts: user:EMAIL_ID
  - For service accounts: serviceAccount:EMAIL_ID
  - For Google Groups: group:EMAIL_ID
- METASTORE_ROLE: One of the following values, depending on the role you want to grant the principal: roles/metastore.editor, or roles/metastore.admin. For details about the permissions these roles grant, see Dataproc Metastore IAM roles.
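
As an added example (not part of the original page or Google's documentation), the following shell wrapper checks the three placeholders before running the command above: it accepts only the two Dataproc Metastore roles and the three principal types this page lists, and by default prints the command instead of executing it. The function names and the DRY_RUN variable are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example. Function names and DRY_RUN are hypothetical, not part of gcloud.

# Accept only the two predefined roles described on this page.
valid_metastore_role() {
  case "$1" in
    roles/metastore.editor|roles/metastore.admin) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only user:, serviceAccount: or group: followed by an email-shaped ID.
valid_principal() {
  case "$1" in
    *[!A-Za-z0-9@._:+-]*) return 1 ;;  # whitespace, quotes, commas, ...
  esac
  case "$1" in
    user:?*@?*.?*|serviceAccount:?*@?*.?*|group:?*@?*.?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: grant_metastore_role PROJECT_ID PRINCIPAL METASTORE_ROLE
# DRY_RUN defaults to 1 (print only); set DRY_RUN=0 to call gcloud.
grant_metastore_role() {
  gm_project=$1; gm_principal=$2; gm_role=$3
  case "$gm_project" in
    ""|-*) echo "invalid project ID" >&2; return 2 ;;  # empty, or would parse as a flag
  esac
  valid_principal "$gm_principal" || { echo "invalid principal: $gm_principal" >&2; return 2; }
  valid_metastore_role "$gm_role" || { echo "role not allowed: $gm_role" >&2; return 2; }
  if [ "${DRY_RUN:-1}" != 0 ]; then
    printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
      "$gm_project" "$gm_principal" "$gm_role"
    return 0
  fi
  gcloud projects add-iam-policy-binding "$gm_project" \
    --member="$gm_principal" --role="$gm_role" || return 1
  # Confirm the result: list every principal that now holds the role.
  gcloud projects get-iam-policy "$gm_project" \
    --flatten="bindings[].members" \
    --filter="bindings.role:$gm_role" \
    --format="value(bindings.members)"
}

# Constructed sample values; prints the command without contacting Google Cloud.
grant_metastore_role example-project-id user:alice@example.com roles/metastore.editor
```

Running with DRY_RUN=0 requires the permissions listed under Required Roles, and the final listing shows every holder of the role so an unexpected roles/metastore.admin member stands out.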