Dataproc Metastore IAM roles

Dataproc Metastore defines several Identity and Access Management (IAM) roles. Each predefined role contains a set of IAM permissions that allow members to perform certain actions. When you add a new member to your project, you can use an IAM policy to grant that member one or more IAM roles.

Identity and Access Management (IAM) also lets you create custom IAM roles. You can create a custom role, assign it one or more permissions, and then grant the new role to your members. Use custom roles, alongside the available predefined roles, to build an access control model that maps directly to your needs.

This document focuses on the IAM roles relevant to Dataproc Metastore.

Before you begin

  • Read the IAM documentation.

Dataproc Metastore roles

Each Dataproc Metastore IAM role is a bundle of one or more permissions. You grant roles to members to allow them to perform actions on the Dataproc Metastore resources in your project. For example, the Dataproc Metastore User role contains the metastore.*.get and metastore.*.list permissions, which allow a user to get and list Dataproc Metastore services, metadata imports, and operations in a project.

Basic roles

The following table lists the basic roles and the permissions associated with each role:

Role ID        Permissions
roles/owner    metastore.*.create
               metastore.*.update
               metastore.*.delete
               metastore.*.get
               metastore.*.list
               metastore.*.getIamPolicy
               metastore.*.setIamPolicy
roles/editor   metastore.*.create
               metastore.*.update
               metastore.*.delete
               metastore.*.get
               metastore.*.list
               metastore.*.getIamPolicy
roles/viewer   metastore.*.get
               metastore.*.list
               metastore.*.getIamPolicy

Notes:

  • "*" signifies resource types, such as "services," "imports," "backups," "locations," or "operations." Some permissions are not defined on certain resource types. For example, create, update, and delete are not valid permissions for "locations."
  • The owner role allows full control of Dataproc Metastore resources and IAM policy administration.
  • The editor role allows full control of Dataproc Metastore resources.
  • The viewer role allows a user to get and list Dataproc Metastore resources and IAM policy details.

You can assign basic roles at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:

Project Role     Permissions
Project Owner    All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing
Project Editor   All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use)
Project Viewer   All project permissions for read-only actions that preserve state (get, list)

Predefined roles

The following table lists the Dataproc Metastore predefined (or curated) roles and the permissions associated with each role:

Role ID                           Permissions
roles/metastore.admin             metastore.*.create
                                  metastore.*.update
                                  metastore.*.delete
                                  metastore.*.get
                                  metastore.*.list
                                  metastore.*.getIamPolicy
                                  metastore.*.setIamPolicy
                                  resourcemanager.projects.get
                                  resourcemanager.projects.list
roles/metastore.editor            metastore.*.create
                                  metastore.*.update
                                  metastore.*.delete
                                  metastore.*.get
                                  metastore.*.list
                                  metastore.*.getIamPolicy
                                  resourcemanager.projects.get
                                  resourcemanager.projects.list
roles/metastore.user              metastore.*.get
                                  metastore.*.list
                                  metastore.*.getIamPolicy
                                  resourcemanager.projects.get
                                  resourcemanager.projects.list
roles/metastore.metadataOperator  metastore.imports.create
                                  metastore.imports.update
                                  metastore.imports.delete
                                  metastore.services.export
                                  metastore.backups.create
                                  metastore.backups.delete
                                  metastore.backups.use
                                  metastore.services.restore
                                  metastore.*.get
                                  metastore.*.list
                                  metastore.*.getIamPolicy
                                  resourcemanager.projects.get
                                  resourcemanager.projects.list

Notes:

  • "*" signifies resource types, such as "services," "imports," "backups," "locations," or "operations." Some permissions are not defined on certain resource types. For example, create, update, and delete are not valid permissions for "locations." In addition, the only permissions associated with "operations" are get, list, and delete.
  • The metastore.admin role grants full access to all Dataproc Metastore resources, including IAM policy administration.
  • The metastore.editor role grants read and write access to all Dataproc Metastore resources.
  • The metastore.user role grants read access to all Dataproc Metastore resources.
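The practical question the tables above answer is which role to grant for a given task without over-granting. The following Python model is an added example (not Google's code or an official tool) that encodes the predefined-role table as written, expands the "*" wildcard over the resource types named in the notes while honouring the stated exceptions (no create/update/delete on locations; only get, list, and delete on operations), ranks the predefined roles that cover a task's required permissions by how many permissions they grant in total, and emits a custom-role definition in the shape accepted by `gcloud iam roles create ROLE_ID --project PROJECT_ID --file FILE` when no predefined role fits tightly. It models only what this page states; anything the page does not enumerate (for example which IAM-policy verbs exist on locations) is left as-is, so confirm live role contents with `gcloud iam roles describe ROLE_ID` before relying on the ranking.

```python
"""Least-privilege role selection for Dataproc Metastore (added example).

Role contents are copied from this page's predefined-role table with the
wildcards left unexpanded. Expansion follows the page's notes literally:
"*" stands for services, imports, backups, locations and operations;
create/update/delete are not defined on locations, and operations only have
get, list and delete. Anything the page does not state is not modelled here;
confirm the live definitions with `gcloud iam roles describe ROLE_ID`.
"""
from typing import Dict, FrozenSet, Iterable, List

RESOURCE_TYPES = ("services", "imports", "backups", "locations", "operations")

# Verbs the page says are NOT defined on a resource type.
UNDEFINED_VERBS: Dict[str, FrozenSet[str]] = {
    "locations": frozenset({"create", "update", "delete"}),
    "operations": frozenset({"create", "update", "getIamPolicy", "setIamPolicy"}),
}

_READ = ["metastore.*.get", "metastore.*.list", "metastore.*.getIamPolicy"]
_WRITE = ["metastore.*.create", "metastore.*.update", "metastore.*.delete"]
_PROJECT = ["resourcemanager.projects.get", "resourcemanager.projects.list"]

# Predefined roles exactly as listed on the page.
PREDEFINED_ROLES: Dict[str, List[str]] = {
    "roles/metastore.admin": _WRITE + _READ + ["metastore.*.setIamPolicy"] + _PROJECT,
    "roles/metastore.editor": _WRITE + _READ + _PROJECT,
    "roles/metastore.user": _READ + _PROJECT,
    "roles/metastore.metadataOperator": [
        "metastore.imports.create", "metastore.imports.update",
        "metastore.imports.delete", "metastore.services.export",
        "metastore.backups.create", "metastore.backups.delete",
        "metastore.backups.use", "metastore.services.restore",
    ] + _READ + _PROJECT,
}


def expand(permission: str) -> FrozenSet[str]:
    """Expand 'service.*.verb' over the resource types the verb is defined on."""
    service, resource, verb = permission.split(".")
    if resource != "*":
        return frozenset({permission})
    return frozenset(
        f"{service}.{rtype}.{verb}"
        for rtype in RESOURCE_TYPES
        if verb not in UNDEFINED_VERBS.get(rtype, frozenset())
    )


def role_permissions(role: str) -> FrozenSet[str]:
    """Fully expanded permission set of a predefined role."""
    perms: set = set()
    for entry in PREDEFINED_ROLES[role]:
        perms |= expand(entry)
    return frozenset(perms)


def roles_granting(required: Iterable[str]) -> List[str]:
    """Predefined roles that cover every required permission, ordered so the
    role granting the fewest permissions overall (least privilege) comes first."""
    need = frozenset(required)
    fits = [r for r in PREDEFINED_ROLES if need <= role_permissions(r)]
    return sorted(fits, key=lambda r: (len(role_permissions(r)), r))


def excess_permissions(role: str, required: Iterable[str]) -> FrozenSet[str]:
    """Permissions a role grants beyond what the task needs (the over-grant)."""
    return role_permissions(role) - frozenset(required)


def custom_role(title: str, description: str, required: Iterable[str]) -> dict:
    """Custom-role definition in the shape of the YAML file accepted by
    `gcloud iam roles create ROLE_ID --project PROJECT_ID --file FILE`.
    The role ID is given on the command line, not in the file."""
    return {
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": sorted(frozenset(required)),
    }


if __name__ == "__main__":
    # Constructed scenario: a pipeline that creates metadata imports and reads
    # service details but must not delete resources or administer IAM policy.
    task = ["metastore.imports.create", "metastore.services.get"]
    ranked = roles_granting(task)
    print("Predefined roles that fit, least-privileged first:", ranked)
    print("Over-grant of the best fit:", sorted(excess_permissions(ranked[0], task)))
    print("Custom role with no over-grant:",
          custom_role("Metastore Importer", "Create imports, read services", task))
```

For the constructed import-pipeline task, the model ranks roles/metastore.metadataOperator ahead of roles/metastore.editor and roles/metastore.admin, and the excess list shows what that role still grants beyond the task (for example metastore.backups.delete), which is the concrete input to the decision between a predefined role and a custom one.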

What's next