Dataproc Metastore IAM roles

Dataproc Metastore defines several Identity and access management (IAM) roles. Each predefined role contains a set of IAM permissions that allow principals to perform certain actions. You can use an IAM policy to give a principal one or more IAM roles.

Identity and Access Management (IAM) also offers the ability to create customized IAM roles. You can create custom IAM roles and assign the role one or more permissions. Then, you can grant the new role to your principals. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles.

This page focuses on the IAM roles relevant to Dataproc Metastore.

Before you begin

Read the IAM documentation.

Dataproc Metastore roles

Identity and Access Management (IAM) Dataproc Metastore roles are a bundle of one or more permissions. You grant roles to principals to allow them to perform actions on the Dataproc Metastore resources in your project. For example, the Dataproc Metastore User role contains the metastore.*.get and metastore.*.list permissions, which allow a user to get and list Dataproc Metastore services, metadata imports, backups, and operations in a project.

The following table lists all Dataproc Metastore roles and the permissions associated with each role:

Role Permissions

Role	Permissions
Dataproc Metastore Admin (`roles/metastore.admin`) Full access to all Dataproc Metastore resources.	metastore.backups.* metastore.backups.create metastore.backups.delete metastore.backups.get metastore.backups.getIamPolicy metastore.backups.list metastore.backups.setIamPolicy metastore.backups.use metastore.federations.* metastore.federations.create metastore.federations.delete metastore.federations.get metastore.federations.getIamPolicy metastore.federations.list metastore.federations.setIamPolicy metastore.federations.update metastore.federations.use metastore.imports.* metastore.imports.create metastore.imports.get metastore.imports.list metastore.imports.update metastore.locations.* metastore.locations.get metastore.locations.list metastore.operations.* metastore.operations.cancel metastore.operations.delete metastore.operations.get metastore.operations.list metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore metastore.services.setIamPolicy metastore.services.update resourcemanager.projects.get resourcemanager.projects.list
Dataproc Metastore Editor (`roles/metastore.editor`) Read and write access to all Dataproc Metastore resources.	metastore.backups.create metastore.backups.delete metastore.backups.get metastore.backups.list metastore.backups.use metastore.federations.create metastore.federations.delete metastore.federations.get metastore.federations.list metastore.federations.update metastore.imports.* metastore.imports.create metastore.imports.get metastore.imports.list metastore.imports.update metastore.locations.* metastore.locations.get metastore.locations.list metastore.operations.* metastore.operations.cancel metastore.operations.delete metastore.operations.get metastore.operations.list metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore metastore.services.update resourcemanager.projects.get resourcemanager.projects.list
Metastore Federation Accessor (`roles/metastore.federationAccessor`) Access to the Metastore Federation resource.	metastore.federations.use
Dataproc Metastore Metadata Editor (`roles/metastore.metadataEditor`) Access to read and modify the metadata of databases and tables under those databases.	metastore.databases.create metastore.databases.delete metastore.databases.get metastore.databases.getIamPolicy metastore.databases.list metastore.databases.update metastore.services.get metastore.services.use metastore.tables.create metastore.tables.delete metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list metastore.tables.update
Dataproc Metastore Metadata Mutate Admin (`roles/metastore.metadataMutateAdmin`) Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.	metastore.services.mutateMetadata
Dataproc Metastore Metadata Operator (`roles/metastore.metadataOperator`) Read-only access to Dataproc Metastore resources with additional metadata operations permission.	metastore.backups.create metastore.backups.delete metastore.backups.get metastore.backups.list metastore.backups.use metastore.imports.* metastore.imports.create metastore.imports.get metastore.imports.list metastore.imports.update metastore.locations.* metastore.locations.get metastore.locations.list metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore resourcemanager.projects.get resourcemanager.projects.list
Dataproc Metastore Data Owner (`roles/metastore.metadataOwner`) Full access to the metadata of databases and tables under those databases.	metastore.databases.* metastore.databases.create metastore.databases.delete metastore.databases.get metastore.databases.getIamPolicy metastore.databases.list metastore.databases.setIamPolicy metastore.databases.update metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.use metastore.tables.* metastore.tables.create metastore.tables.delete metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list metastore.tables.setIamPolicy metastore.tables.update
Dataproc Metastore Metadata Query Admin (`roles/metastore.metadataQueryAdmin`) Access to query metadata from a Dataproc Metastore service's underlying metadata store.	metastore.services.queryMetadata
Dataproc Metastore Metadata User (`roles/metastore.metadataUser`) Access to the Dataproc Metastore gRPC endpoint	metastore.databases.get metastore.databases.list metastore.services.get metastore.services.use
Dataproc Metastore Metadata Viewer (`roles/metastore.metadataViewer`) Access to read the metadata of databases and tables under those databases	metastore.databases.get metastore.databases.getIamPolicy metastore.databases.list metastore.services.get metastore.services.use metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list
Dataproc Metastore Viewer (`roles/metastore.user`) Read-only access to all Dataproc Metastore resources.	metastore.backups.get metastore.backups.list metastore.federations.get metastore.federations.getIamPolicy metastore.federations.list metastore.imports.get metastore.imports.list metastore.locations.* metastore.locations.get metastore.locations.list metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list resourcemanager.projects.get resourcemanager.projects.list

Dataproc Metastore Admin

(roles/metastore.admin)

Full access to all Dataproc Metastore resources.

metastore.backups.*

metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.getIamPolicy
metastore.backups.list
metastore.backups.setIamPolicy
metastore.backups.use

metastore.federations.*

metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Editor

(roles/metastore.editor)

Read and write access to all Dataproc Metastore resources.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.update

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Metastore Federation Accessor

(roles/metastore.federationAccessor)

Access to the Metastore Federation resource.

metastore.federations.use

Dataproc Metastore Metadata Editor

(roles/metastore.metadataEditor)

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

Dataproc Metastore Metadata Mutate Admin

(roles/metastore.metadataMutateAdmin)

Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.mutateMetadata

Dataproc Metastore Metadata Operator

(roles/metastore.metadataOperator)

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Data Owner

(roles/metastore.metadataOwner)

Full access to the metadata of databases and tables under those databases.

metastore.databases.*

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.use

metastore.tables.*

metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update

Dataproc Metastore Metadata Query Admin

(roles/metastore.metadataQueryAdmin)

Access to query metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.queryMetadata

Dataproc Metastore Metadata User

(roles/metastore.metadataUser)

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

Dataproc Metastore Metadata Viewer

(roles/metastore.metadataViewer)

Access to read the metadata of databases and tables under those databases

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

Dataproc Metastore Viewer

(roles/metastore.user)

Read-only access to all Dataproc Metastore resources.

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.get

metastore.imports.list

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

resourcemanager.projects.get

resourcemanager.projects.list

What's next

Learn how to create custom IAM roles.
Learn how to grant and manage roles.
See the Dataproc Metastore IAM permissions mapping.