Dataproc Serverless permissions and IAM roles

Identity and Access Management (IAM) lets you control user and group access to your project's resources. This document focuses on the IAM permissions relevant to Dataproc Serverless and the IAM roles that grant those permissions.

Dataproc Serverless permissions

Dataproc Serverless permissions allow users, including service accounts, to perform actions on Dataproc Serverless resources. For example, the dataproc.batches.create permission lets you create Dataproc Serverless batches in your project. You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

The following tables list the permissions necessary to call Dataproc Serverless APIs (methods). The tables are organized according to the APIs associated with each Dataproc Serverless resource (batches, sessions, sessionTemplates, and operations). For a listing of the Google Cloud permissions included in each role, see Dataproc roles.

Permission Scope:The scope of Dataproc Serverless permissions listed in the following tables is the containing Google Cloud project (cloud-platform scope). See Service account permissions.

Examples:

  • dataproc.batches.create permits the creation of batches in the containing project.
  • dataproc.sessions.create permits the creation of an interactive session in the containing project.
  • dataproc.operations.list permits the listing of details of Dataproc operations in the containing project.

Batch permissions

Method Required Permission(s)
projects.locations.batches.create dataproc.batches.create 1
projects.locations.batches.delete dataproc.batches.delete
projects.locations.batches.get dataproc.batches.get
projects.locations.batches.list dataproc.batches.list

1 dataproc.batches.create also requires dataproc.batches.get and dataproc.operations.get permissions to allow it to get status updates from the gcloud command-line tool.

Session permissions

Method Required Permission(s)
projects.locations.sessions.create dataproc.sessions.create 1
projects.locations.sessions.delete dataproc.sessions.delete
projects.locations.sessions.get dataproc.sessions.get
projects.locations.sessions.list dataproc.sessions.list
projects.locations.sessions.terminate dataproc.sessions.terminate

1 dataproc.sessions.create also requires dataproc.sessions.get and dataproc.operations.get permissions to allow it to get status updates from the gcloud command-line tool.

Session runtime template permissions

Method Required Permission(s)
projects.locations.sessionTemplates.create dataproc.sessionTemplates.create 1
projects.locations.sessionTemplates.delete dataproc.sessionTemplates.delete
projects.locations.sessionTemplates.get dataproc.sessionTemplates.get
projects.locations.sessionTemplates.list dataproc.sessionTemplates.list
projects.locations.sessionTemplates.update dataproc.sessionTemplates.update

1 dataproc.sessionTemplates.create also requires dataproc.sessionTemplates.get and dataproc.operations.get permissions to allow it to get status updates from the gcloud command-line tool.

Operations permissions

Method Required Permission(s)
projects.regions.operations.get dataproc.operations.get
projects.regions.operations.list dataproc.operations.list
projects.regions.operations.cancel 1 dataproc.operations.cancel
projects.regions.operations.delete dataproc.operations.delete
projects.regions.operations.getIamPolicy dataproc.operations.getIamPolicy
projects.regions.operations.setIamPolicy dataproc.operations.setIamPolicy

1 To cancel batch operations, dataproc.operations.cancel also requires dataproc.batches.cancel permission.

Dataproc Serverless roles

Dataproc Serverless IAM roles are a bundle of one or more permissions. You grant roles to users or groups to allow them to perform actions on the Dataproc Serverless resources in your project. For example, the Dataproc Viewer role contains the dataproc.batches and dataproc.sessions get and list permissions, which allow you to get and list Dataproc Serverless batches and sessions in a project.

The following table lists the Dataproc Serverless IAM roles and the permissions associated with each role:

Role ID Permissions
roles/dataproc.admin dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.cancel
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate
dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
roles/dataproc.editor dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.terminate
dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update
roles/dataproc.viewer dataproc.batches.get
dataproc.batches.list
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list

Project roles

You can also set permissions at the project level by using the IAM Project roles. Here is a summary of the permissions associated with IAM Project roles:

Project Role Permissions
Project Viewer All project permissions for read-only actions that preserve state (get, list)
Project Editor All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use, cancel, stop, start)
Project Owner All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing

Custom Roles

Dataproc batch permissions can be added to custom roles through the Google Cloud console or the gcloud command-line tool.

Managing IAM policies

You can get and set IAM policies using the Google Cloud console, the IAM API, or the gcloud command-line tool.

What's next