Dataproc Metastore IAM permissions

Dataproc Metastore permissions allow users to perform specific actions on Dataproc Metastore services, metadata imports, and operations. For example, the metastore.services.create permission allows a user to create Dataproc Metastore services in your project. You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

This page focuses on the IAM permissions relevant to Dataproc Metastore.

Before you begin

  • Read the IAM documentation.

Dataproc Metastore permissions

The following tables list the permissions necessary to call Dataproc Metastore API methods. The tables are organized according to the APIs associated with each Dataproc Metastore resource (locations, operations, services, imports, backups, databases, and tables).

Locations permissions

API Method IAM Permission
Get metastore.locations.get
List metastore.locations.list

Operations permissions

API Method IAM Permission
Delete metastore.operations.delete
Get metastore.operations.get
List metastore.operations.list

Services permissions

API Method IAM Permission
Create metastore.services.create
Delete metastore.services.delete
Get metastore.services.get
List metastore.services.list
Update metastore.services.update
ExportMetadata metastore.services.export
Restore metastore.services.restore
SetIamPolicy metastore.services.setIamPolicy
GetIamPolicy metastore.services.getIamPolicy

Imports permissions

API Method IAM Permission
Create metastore.imports.create
Get metastore.imports.get
List metastore.imports.list

Backups permissions

API Method IAM Permission
Create metastore.backups.create
Delete metastore.backups.delete
Get metastore.backups.get
List metastore.backups.list
Use metastore.backups.use

Dataproc Metastore permissions for tasks on metadata resources

The following table lists the permissions necessary to perform metadata management tasks. The databases and tables permissions are used with gRPC-enabled Dataproc Metastore services. They have no affect when used with services using Thrift endpoints.

Task IAM Permission
Accessing a Dataproc Metastore service's gRPC endpoint
and using Hive metastore methods
metastore.services.use
Accessing a database metastore.databases.get
Listing databases metastore.databases.list
Creating a new database metastore.databases.create
Deleting a database metastore.databases.delete
Updating a database metastore.databases.update
Accessing a table, accessing partitions metastore.tables.get
Listing databases metastore.tables.list
Creating a new database metastore.tables.create
Deleting a database metastore.tables.delete
Updating a database, adding or dropping partitions metastore.tables.update

What's next