Overview
Identity and Access Management (IAM) allows you to control user and group access to your project's resources. This document focuses on the IAM permissions relevant to Dataproc Serverless and the IAM roles that grant those permissions.
Dataproc Serverless permissions
Dataproc Serverless permissions allow users, including
service accounts,
to perform actions on Dataproc Serverless
resources. For example, the dataproc.batches.create
permission allows you to create Dataproc Serverless batches in your project.
You don't directly give users permissions; instead, you grant them
roles, which have one or more permissions bundled within
them.
The following tables list the permissions necessary to call Dataproc Serverless APIs (methods). The tables are organized according to the APIs associated with each Dataproc Serverless resource (batches, sessions, sessionTemplates, and operations). For a listing of the Google Cloud permissions included in each role, see Dataproc roles.
Permission Scope:The scope of Dataproc Serverless
permissions listed in the following tables is the containing Google Cloud
project (cloud-platform
scope). See
Service account permissions.
Examples:
dataproc.batches.create
permits the creation of batches in the containing project.dataproc.sessions.create
permits the creation of an interactive session in the containing project.dataproc.operations.list
permits the listing of details of dataproc operations in the containing project.
Batch permissions
Method | Required Permission(s) |
---|---|
projects.locations.batches.create | dataproc.batches.create 1 |
projects.locations.batches.delete | dataproc.batches.delete |
projects.locations.batches.get | dataproc.batches.get |
projects.locations.batches.list | dataproc.batches.list |
dataproc.batches.create
also requiresdataproc.batches.get
anddataproc.operations.get
permissions to allow it to get status updates from thegcloud
command-line tool.
Session permissions
Method | Required Permission(s) |
---|---|
projects.locations.sessions.create | dataproc.sessions.create 1 |
projects.locations.sessions.delete | dataproc.sessions.delete |
projects.locations.sessions.get | dataproc.sessions.get |
projects.locations.sessions.list | dataproc.sessions.list |
projects.locations.sessions.terminate | dataproc.sessions.terminate |
1 dataproc.sessions.create
also requires dataproc.sessions.get
and
dataproc.operations.get
permissions to allow it to get status updates
from the gcloud
command-line tool.
Session runtime template permissions
Method | Required Permission(s) |
---|---|
projects.locations.sessionTemplates.create | dataproc.sessionTemplates.create 1 |
projects.locations.sessionTemplates.delete | dataproc.sessionTemplates.delete |
projects.locations.sessionTemplates.get | dataproc.sessionTemplates.get |
projects.locations.sessionTemplates.list | dataproc.sessionTemplates.list |
projects.locations.sessionTemplates.update | dataproc.sessionTemplates.update |
dataproc.sessionTemplates.create
also requiresdataproc.sessionTemplates.get
anddataproc.operations.get
permissions to allow it to get status updates from thegcloud
command-line tool.
Operations permissions
Method | Required Permission(s) |
---|---|
projects.regions.operations.get | dataproc.operations.get |
projects.regions.operations.list | dataproc.operations.list |
projects.regions.operations.cancel 1 | dataproc.operations.cancel |
projects.regions.operations.delete | dataproc.operations.delete |
projects.regions.operations.getIamPolicy | dataproc.operations.getIamPolicy |
projects.regions.operations.setIamPolicy | dataproc.operations.setIamPolicy |
- To cancel batch operations,
dataproc.operations.cancel
also requiresdataproc.batches.cancel
permission.
Dataproc Serverless roles
Dataproc Serverless IAM roles
are a bundle of one or more permissions.
You grant roles to users or groups to allow them to perform actions on the
Dataproc Serverless resources in your
project. For example, the Dataproc Viewer role contains the
dataproc.batches
and dataproc.sessions
get and list permissions, which
allow you to get and list Dataproc Serverless batches and sessions in a project.
The following table lists the Dataproc Serverless IAM roles and the permissions associated with each role:
Role ID | Permissions |
---|---|
roles/dataproc.admin | dataproc.batches.cancel dataproc.batches.create dataproc.batches.delete dataproc.batches.get dataproc.batches.list dataproc.batches.cancel dataproc.sessions.create dataproc.sessions.delete dataproc.sessions.get dataproc.sessions.list dataproc.sessions.terminate dataproc.sessionTemplates.create dataproc.sessionTemplates.delete dataproc.sessionTemplates.get dataproc.sessionTemplates.list dataproc.sessionTemplates.update |
roles/dataproc.editor | dataproc.batches.cancel dataproc.batches.create dataproc.batches.delete dataproc.batches.get dataproc.batches.list dataproc.sessions.create dataproc.sessions.delete dataproc.sessions.get dataproc.sessions.list dataproc.sessions.terminate dataproc.sessionTemplates.create dataproc.sessionTemplates.delete dataproc.sessionTemplates.get dataproc.sessionTemplates.list dataproc.sessionTemplates.update |
roles/dataproc.viewer | dataproc.batches.get dataproc.batches.list dataproc.sessions.get dataproc.sessions.list dataproc.sessionTemplates.get dataproc.sessionTemplates.list |
Project roles
You can also set permissions at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:
Project Role | Permissions |
---|---|
Project Viewer | All project permissions for read-only actions that preserve state (get, list) |
Project Editor | All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use, cancel, stop, start) |
Project Owner | All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing |
Custom Roles
Dataproc batch permissions can be added to custom roles through
the Google Cloud console or the gcloud
command-line tool.
IAM management
You can get and set IAM policies using the Google Cloud console, the IAM API, or the
gcloud
command-line tool.
- For the Google Cloud console, see Access control via the Google Cloud console.
- For the API, see Access control via the API.
- For the
gcloud
command-line tool, see Access control via the gcloud command-line tool.