Overview
Identity and Access Management (IAM) allows you to control user and group access to your project's resources. This document focuses on the IAM permissions relevant to Dataproc Serverless and the IAM roles that grant those permissions.
Dataproc Serverless permissions
Dataproc Serverless permissions allow users, including
service accounts,
to perform actions on Dataproc Serverless
resources. For example, the dataproc.batches.create
permission allows you to create Dataproc Serverless batches in your project.
You don't directly give users permissions; instead, you grant them
roles, which have one or more permissions bundled within
them.
The following tables list the permissions necessary to call Dataproc Serverless APIs (methods). The tables are organized according to the APIs associated with each Dataproc Serverless resource (batches, sessions, sessionTemplates, and operations). For a listing of the Google Cloud permissions included in each role, see Dataproc roles.
Permission Scope:The scope of Dataproc Serverless
permissions listed in the following tables is the containing Google Cloud
project (cloud-platform scope). See
Service account permissions.
Examples:
dataproc.batches.createpermits the creation of batches in the containing project.dataproc.sessions.createpermits the creation of an interactive session in the containing project.dataproc.operations.listpermits the listing of details of dataproc operations in the containing project.
Batch permissions
| Method | Required Permission(s) |
|---|---|
| projects.locations.batches.create | dataproc.batches.create 1 |
| projects.locations.batches.delete | dataproc.batches.delete |
| projects.locations.batches.get | dataproc.batches.get |
| projects.locations.batches.list | dataproc.batches.list |
dataproc.batches.createalso requiresdataproc.batches.getanddataproc.operations.getpermissions to allow it to get status updates from thegcloudcommand-line tool.
Session permissions
| Method | Required Permission(s) |
|---|---|
| projects.locations.sessions.create | dataproc.sessions.create 1 |
| projects.locations.sessions.delete | dataproc.sessions.delete |
| projects.locations.sessions.get | dataproc.sessions.get |
| projects.locations.sessions.list | dataproc.sessions.list |
| projects.locations.sessions.terminate | dataproc.sessions.terminate |
1 dataproc.sessions.create also requires dataproc.sessions.get and
dataproc.operations.get permissions to allow it to get status updates
from the gcloud command-line tool.
Session runtime template permissions
| Method | Required Permission(s) |
|---|---|
| projects.locations.sessionTemplates.create | dataproc.sessionTemplates.create 1 |
| projects.locations.sessionTemplates.delete | dataproc.sessionTemplates.delete |
| projects.locations.sessionTemplates.get | dataproc.sessionTemplates.get |
| projects.locations.sessionTemplates.list | dataproc.sessionTemplates.list |
| projects.locations.sessionTemplates.update | dataproc.sessionTemplates.update |
dataproc.sessionTemplates.createalso requiresdataproc.sessionTemplates.getanddataproc.operations.getpermissions to allow it to get status updates from thegcloudcommand-line tool.
Operations permissions
| Method | Required Permission(s) |
|---|---|
| projects.regions.operations.get | dataproc.operations.get |
| projects.regions.operations.list | dataproc.operations.list |
| projects.regions.operations.cancel 1 | dataproc.operations.cancel |
| projects.regions.operations.delete | dataproc.operations.delete |
| projects.regions.operations.getIamPolicy | dataproc.operations.getIamPolicy |
| projects.regions.operations.setIamPolicy | dataproc.operations.setIamPolicy |
- To cancel batch operations,
dataproc.operations.cancelalso requiresdataproc.batches.cancelpermission.
Dataproc Serverless roles
Dataproc Serverless IAM roles
are a bundle of one or more permissions.
You grant roles to users or groups to allow them to perform actions on the
Dataproc Serverless resources in your
project. For example, the Dataproc Viewer role contains the
dataproc.batches and dataproc.sessions get and list permissions, which
allow you to get and list Dataproc Serverless batches and sessions in a project.
The following table lists the Dataproc Serverless IAM roles and the permissions associated with each role:
| Role ID | Permissions |
|---|---|
| roles/dataproc.admin | dataproc.batches.cancel dataproc.batches.create dataproc.batches.delete dataproc.batches.get dataproc.batches.list dataproc.batches.cancel dataproc.sessions.create dataproc.sessions.delete dataproc.sessions.get dataproc.sessions.list dataproc.sessions.terminate dataproc.sessionTemplates.create dataproc.sessionTemplates.delete dataproc.sessionTemplates.get dataproc.sessionTemplates.list dataproc.sessionTemplates.update |
| roles/dataproc.editor | dataproc.batches.cancel dataproc.batches.create dataproc.batches.delete dataproc.batches.get dataproc.batches.list dataproc.sessions.create dataproc.sessions.delete dataproc.sessions.get dataproc.sessions.list dataproc.sessions.terminate dataproc.sessionTemplates.create dataproc.sessionTemplates.delete dataproc.sessionTemplates.get dataproc.sessionTemplates.list dataproc.sessionTemplates.update |
| roles/dataproc.viewer | dataproc.batches.get dataproc.batches.list dataproc.sessions.get dataproc.sessions.list dataproc.sessionTemplates.get dataproc.sessionTemplates.list |
Project roles
You can also set permissions at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:
| Project Role | Permissions |
|---|---|
| Project Viewer | All project permissions for read-only actions that preserve state (get, list) |
| Project Editor | All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use, cancel, stop, start) |
| Project Owner | All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing |
Custom Roles
Dataproc batch permissions can be added to custom roles through
the Google Cloud console or the gcloud command-line tool.
IAM management
You can get and set IAM policies using the Google Cloud console, the IAM API, or the
gcloud command-line tool.
- For the Google Cloud console, see Access control via the Google Cloud console.
- For the API, see Access control via the API.
- For the
gcloudcommand-line tool, see Access control via the gcloud command-line tool.