Dataproc Metastore IAM roles

Dataproc Metastore defines several Identity and Access Management (IAM) roles. Each predefined role contains a set of IAM permissions that allow principals to perform certain actions. You can use an IAM policy to give a principal one or more IAM roles.

IAM also lets you create custom roles. A custom role bundles one or more permissions that you choose; after you create it, you grant it to your principals like any other role. Use custom roles, alongside the available predefined roles, to build an access control model that maps directly to your needs.

This page focuses on the IAM roles relevant to Dataproc Metastore.

Before you begin

  • Read the IAM documentation.

Dataproc Metastore roles

Identity and Access Management (IAM) Dataproc Metastore roles are a bundle of one or more permissions. You grant roles to principals to allow them to perform actions on the Dataproc Metastore resources in your project. For example, the Dataproc Metastore User role contains the metastore.*.get and metastore.*.list permissions, which allow a user to get and list Dataproc Metastore services, metadata imports, backups, and operations in a project.

Basic roles

The following table lists the basic roles and the permissions associated with each role:

roles/owner
  • metastore.*.create
  • metastore.*.update
  • metastore.*.delete
  • metastore.*.get
  • metastore.*.list
  • metastore.*.getIamPolicy
  • metastore.*.setIamPolicy

roles/editor
  • metastore.*.create
  • metastore.*.update
  • metastore.*.delete
  • metastore.*.get
  • metastore.*.list
  • metastore.*.getIamPolicy

roles/viewer
  • metastore.*.get
  • metastore.*.list
  • metastore.*.getIamPolicy

Notes:

  • "*" signifies resource types, such as "services," "imports," "backups," "locations," or "operations." Some permissions are not defined on certain resource types. For example, create, update, and delete are not valid permissions for "locations." In addition, the only permissions associated with "operations" are get, list, cancel, and delete.
  • The owner role allows full control of Dataproc Metastore resources and IAM policy administration.
  • The editor role allows full control of Dataproc Metastore resources.
  • The viewer role allows a user to get and list Dataproc Metastore resources and IAM policy details.

You can assign basic roles at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:

  • Project Owner: All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing.
  • Project Editor: All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use).
  • Project Viewer: All project permissions for read-only actions that preserve state (get, list).

Predefined roles

The following table lists the Dataproc Metastore predefined (or curated) roles and the permissions associated with each role:

roles/metastore.admin
  • metastore.services.create
  • metastore.services.update
  • metastore.services.delete
  • metastore.services.get
  • metastore.services.list
  • metastore.services.getIamPolicy
  • metastore.services.setIamPolicy
  • metastore.services.export
  • metastore.services.restore
  • metastore.imports.create
  • metastore.imports.update
  • metastore.imports.delete
  • metastore.imports.get
  • metastore.imports.list
  • metastore.backups.create
  • metastore.backups.delete
  • metastore.backups.get
  • metastore.backups.list
  • metastore.backups.getIamPolicy
  • metastore.backups.setIamPolicy
  • metastore.locations.get
  • metastore.locations.list
  • metastore.operations.get
  • metastore.operations.list
  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.federations.create
  • metastore.federations.update
  • metastore.federations.delete
  • metastore.federations.get
  • metastore.federations.list
  • metastore.federations.getIamPolicy
  • metastore.federations.setIamPolicy

roles/metastore.editor
  • metastore.services.create
  • metastore.services.update
  • metastore.services.delete
  • metastore.services.get
  • metastore.services.list
  • metastore.services.getIamPolicy
  • metastore.services.export
  • metastore.services.restore
  • metastore.imports.create
  • metastore.imports.update
  • metastore.imports.delete
  • metastore.imports.get
  • metastore.imports.list
  • metastore.backups.create
  • metastore.backups.delete
  • metastore.backups.get
  • metastore.backups.list
  • metastore.backups.getIamPolicy
  • metastore.locations.get
  • metastore.locations.list
  • metastore.operations.get
  • metastore.operations.list
  • metastore.operations.cancel
  • metastore.operations.delete
  • metastore.federations.create
  • metastore.federations.update
  • metastore.federations.delete
  • metastore.federations.get
  • metastore.federations.list
  • metastore.federations.getIamPolicy

roles/metastore.user
  • metastore.services.get
  • metastore.services.list
  • metastore.services.getIamPolicy
  • metastore.imports.get
  • metastore.imports.list
  • metastore.backups.get
  • metastore.backups.list
  • metastore.backups.getIamPolicy
  • metastore.locations.get
  • metastore.locations.list
  • metastore.operations.get
  • metastore.operations.list
  • metastore.federations.get
  • metastore.federations.list
  • metastore.federations.getIamPolicy

roles/metastore.metadataOperator
  • metastore.services.get
  • metastore.services.list
  • metastore.services.getIamPolicy
  • metastore.imports.create
  • metastore.imports.update
  • metastore.imports.delete
  • metastore.imports.get
  • metastore.imports.list
  • metastore.backups.create
  • metastore.backups.delete
  • metastore.backups.get
  • metastore.backups.list
  • metastore.backups.use
  • metastore.locations.get
  • metastore.locations.list
  • metastore.operations.get
  • metastore.operations.list
  • metastore.federations.get
  • metastore.federations.list
  • metastore.federations.getIamPolicy

Notes:

  • Some permissions are not defined on certain resource types. For example, create, update, and delete are not valid permissions for "locations." In addition, the only permissions associated with "operations" are get, list, cancel, and delete.
  • The metastore.admin role grants full access to all Dataproc Metastore resources, including IAM policy administration.
  • The metastore.editor role grants read and write access to all Dataproc Metastore resources.
  • The metastore.user role grants read access to all Dataproc Metastore resources.
  • The metastore.metadataOperator, metastore.metadataOwner, and metastore.metadataEditor roles grant read and modify access to the metadata of databases and tables under those databases.
  • The metastore.metadataViewer and metastore.metadataUser roles grant read access to the metadata of databases and tables under those databases.
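The predefined roles above are the building blocks of least-privilege grants: a principal should receive the covering role with the fewest surplus permissions, or a custom role when no predefined one fits. The following helper is an added example (not code from the Dataproc Metastore documentation) that transcribes the four predefined-role permission sets from the table above and picks the least-privileged covering role for a required permission set, reporting the surplus so you can judge whether a custom role is warranted instead; `_perms`, `PREDEFINED_ROLES` and `least_privileged_role` are names chosen here.

```python
# Added example: least-privilege role selection over the predefined Dataproc
# Metastore roles listed on this page. Not part of the original documentation.
from typing import Optional


def _perms(spec: str) -> frozenset:
    """Expand 'services:get,list imports:get' into metastore.<type>.<verb> names."""
    out = set()
    for group in spec.split():
        rtype, verbs = group.split(":")
        out.update(f"metastore.{rtype}.{v}" for v in verbs.split(","))
    return frozenset(out)


# Permission sets transcribed from the predefined-roles table on this page.
PREDEFINED_ROLES = {
    "roles/metastore.admin": _perms(
        "services:create,update,delete,get,list,getIamPolicy,setIamPolicy,export,restore "
        "imports:create,update,delete,get,list "
        "backups:create,delete,get,list,getIamPolicy,setIamPolicy "
        "locations:get,list operations:get,list,cancel,delete "
        "federations:create,update,delete,get,list,getIamPolicy,setIamPolicy"),
    "roles/metastore.editor": _perms(
        "services:create,update,delete,get,list,getIamPolicy,export,restore "
        "imports:create,update,delete,get,list "
        "backups:create,delete,get,list,getIamPolicy "
        "locations:get,list operations:get,list,cancel,delete "
        "federations:create,update,delete,get,list,getIamPolicy"),
    "roles/metastore.user": _perms(
        "services:get,list,getIamPolicy imports:get,list backups:get,list,getIamPolicy "
        "locations:get,list operations:get,list federations:get,list,getIamPolicy"),
    "roles/metastore.metadataOperator": _perms(
        "services:get,list,getIamPolicy imports:create,update,delete,get,list "
        "backups:create,delete,get,list,use locations:get,list operations:get,list "
        "federations:get,list,getIamPolicy"),
}


def least_privileged_role(required: set) -> Optional[tuple]:
    """Return (role_id, surplus_permissions) for the predefined role that covers
    `required` with the fewest total permissions. Return None when no single
    predefined role covers the set: a custom role is then the least-privilege
    option rather than granting a broader role or several overlapping ones."""
    covering = [(len(p), r, p) for r, p in PREDEFINED_ROLES.items() if required <= p]
    if not covering:
        return None
    _, role, perms = min(covering)
    return role, sorted(perms - required)
```

For a principal that only creates and reads backups, the helper selects roles/metastore.metadataOperator rather than roles/metastore.editor, and a request for a metastore.databases.* permission returns None because none of these four roles carries it.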

Predefined roles for metadata resources

The following table lists the Dataproc Metastore predefined (or curated) roles for metadata resources and details associated with each role:

Metadata Owner role (metastore.metadataOwner)
Description: Grants full access to the metadata resources and their IAM policies.
Permissions:
  • metastore.services.get
  • metastore.services.list
  • metastore.services.getIamPolicy
  • metastore.services.use
  • metastore.databases.*
  • metastore.tables.*
Operations a principal can perform when this role is assigned to them:
In a service:
  • Can access databases
  • Can list databases
  • Can create databases
  • Can delete databases
  • Can update databases
  • Can set the IAM access control policy on the databases
  • Can get the IAM access control policy on the databases
  • Can access tables
  • Can list tables
  • Can create tables
  • Can delete tables
  • Can update tables
  • Can set the IAM access control policy on the tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
  • Can add partitions
  • Can delete partitions
  • Can update partitions
In a database:
  • Can access databases
  • Can delete databases
  • Can update databases
  • Can set the IAM access control policy on the databases
  • Can get the IAM access control policy on the databases
  • Can access tables
  • Can list tables
  • Can create tables
  • Can delete tables
  • Can update tables
  • Can set the IAM access control policy on the tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
  • Can add partitions
  • Can delete partitions
  • Can update partitions
In a table:
  • Can access tables
  • Can delete tables
  • Can update tables
  • Can set the IAM access control policy on the tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
  • Can add partitions
  • Can delete partitions
  • Can update partitions

Metadata Editor role (metastore.metadataEditor)
Description: Grants access to a principal to create and modify metadata resources.
Permissions:
  • metastore.services.get
  • metastore.services.use
  • metastore.databases.create
  • metastore.databases.update
  • metastore.databases.delete
  • metastore.databases.get
  • metastore.databases.list
  • metastore.databases.getIamPolicy
  • metastore.tables.create
  • metastore.tables.update
  • metastore.tables.delete
  • metastore.tables.get
  • metastore.tables.list
  • metastore.tables.getIamPolicy
Operations a principal can perform when this role is assigned to them:
In a service:
  • Can access databases
  • Can list databases
  • Can create databases
  • Can delete databases
  • Can update databases
  • Can get the IAM access control policy on the databases
  • Can access tables
  • Can list tables
  • Can create tables
  • Can delete tables
  • Can update tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
  • Can add partitions
  • Can delete partitions
  • Can update partitions
In a database:
  • Can access databases
  • Can delete databases
  • Can update databases
  • Can get the IAM access control policy on the databases
  • Can access tables
  • Can list tables
  • Can create tables
  • Can delete tables
  • Can update tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
  • Can add partitions
  • Can delete partitions
  • Can update partitions
In a table:
  • Can access tables
  • Can delete tables
  • Can update tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
  • Can add partitions
  • Can delete partitions
  • Can update partitions

Metadata Viewer role (metastore.metadataViewer)
Description: Grants access to a principal to view metadata resources.
Permissions:
  • metastore.services.get
  • metastore.services.use
  • metastore.databases.get
  • metastore.databases.list
  • metastore.databases.getIamPolicy
  • metastore.tables.get
  • metastore.tables.list
  • metastore.tables.getIamPolicy
Operations a principal can perform when this role is assigned to them:
In a service:
  • Can access databases
  • Can list databases
  • Can get the IAM access control policy on the databases
  • Can access tables
  • Can list tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
In a database:
  • Can access databases
  • Can get the IAM access control policy on the databases
  • Can access tables
  • Can list tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions
In a table:
  • Can access tables
  • Can get the IAM access control policy on the tables
  • Can access partitions
  • Can list partitions

Metadata User role (metastore.metadataUser)
Description: Grants access to a principal to use a Dataproc Metastore service's gRPC endpoint. Must be granted in the service-level policy or above.
Permissions:
  • metastore.services.get
  • metastore.services.use
  • metastore.databases.get
  • metastore.databases.list
Operations a principal can perform when this role is assigned to them:
In a service:
  • Can access databases
  • Can list databases
  • Can call methods unrelated to specific metadata resources

Federation Accessor role (metastore.federationAccessor)
Description: Grants access to the metastore federation resource. Must be granted in the service-level policy or above.
Permissions:
  • metastore.federations.use
Operations a principal can perform when this role is assigned to them:
  • Grants access to the metastore federation resource.

Notes:

  • "*" signifies methods, such as "create," "update," "delete," "get," or "list."
  • The databases and tables permissions are used with gRPC-enabled Dataproc Metastore services. They have no effect when used with services using Thrift endpoints.

What's next