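# Serverless for Apache Spark permissions and IAM roles

Identity and Access Management (IAM) lets you control user and group access to your project's resources. This document focuses on the IAM permissions relevant to Serverless for Apache Spark and the IAM roles that grant those permissions.

The following tables list the permissions necessary to call Serverless for Apache Spark APIs (methods). The tables are organized according to the APIs associated with each Serverless for Apache Spark resource (batches, sessions, sessionTemplates, and operations). For a listing of the Google Cloud permissions included in each role, see Dataproc roles.

**Permission scope:** The scope of the Serverless for Apache Spark permissions listed in the following tables is the containing Google Cloud project (`cloud-platform` scope). See Service account permissions.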
Serverless for Apache Spark permissions
---------------------------------------

**Note:** Security requirement: You are required to have [service account `ActAs` permission](/iam/docs/service-accounts-actas) to deploy Serverless for Apache Spark resources, for example, to create clusters, submit jobs, and instantiate workflows. See [Roles for service account authentication](/iam/docs/service-account-permissions) for detailed information.

Serverless for Apache Spark permissions allow users, including [service accounts](/compute/docs/access/service-accounts), to perform actions on Serverless for Apache Spark resources. For example, the `dataproc.batches.create` permission lets you create Serverless for Apache Spark batches in your project. You don't directly give users permissions; instead, you grant them [roles](#roles), which have one or more permissions bundled within them.

Examples:

- `dataproc.batches.create` permits the creation of batches in the containing project.
- `dataproc.sessions.create` permits the creation of an interactive session in the containing project.
- `dataproc.operations.list` permits the listing of details of Dataproc operations in the containing project.

### Batch permissions

^1^ `dataproc.batches.create` also requires `dataproc.batches.get` and `dataproc.operations.get` permissions to allow it to get status updates from the `gcloud` command-line tool.

### Session permissions

^1^ `dataproc.sessions.create` also requires `dataproc.sessions.get` and `dataproc.operations.get` permissions to allow it to get status updates from the `gcloud` command-line tool.

### Session runtime template permissions

^1^ `dataproc.sessionTemplates.create` also requires `dataproc.sessionTemplates.get` and `dataproc.operations.get` permissions to allow it to get status updates from the `gcloud` command-line tool.

### Operations permissions

^1^ To cancel batch operations, `dataproc.operations.cancel` also requires `dataproc.batches.cancel` permission.

Serverless for Apache Spark roles
---------------------------------

[Serverless for Apache Spark IAM roles](/iam/docs/understanding-roles#dataproc-roles) are a bundle of one or more [permissions](#permissions). You grant roles to users or groups to allow them to perform actions on the Serverless for Apache Spark resources in your project. For example, the **Dataproc Viewer** role contains the `dataproc.batches` and `dataproc.sessions` get and list permissions, which allow you to get and list Serverless for Apache Spark batches and sessions in a project.

The following table lists the Serverless for Apache Spark IAM roles and the permissions associated with each role:

Project roles
-------------

You can also set permissions at the project level by using the IAM **Project** roles. Here is a summary of the permissions associated with IAM Project roles:

Custom Roles
------------

Dataproc batch permissions can be added to custom roles through the Google Cloud console or the `gcloud` command-line tool.

Managing IAM policies
---------------------

You can get and set IAM policies using the Google Cloud console, the IAM API, or the `gcloud` command-line tool.

- For the Google Cloud console, see [Access control using the Google Cloud console](/iam/docs/managing-policies#access_control_via_console).
- For the API, see [Access control using the API](/iam/docs/managing-policies#access_control_via_api).
- For the `gcloud` command-line tool, see [Access control using the Google Cloud CLI command-line tool](/iam/docs/managing-policies#access_control_via_the_gcloud_tool).

What's next
-----------

- [Learn more about IAM](/iam).

Last updated 2025-09-04 UTC.
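The companion-permission footnotes above (each `create` permission also needs the matching `get` and `dataproc.operations.get`; `dataproc.operations.cancel` also needs `dataproc.batches.cancel` for batch operations) are easy to miss when assembling a least-privilege custom role. The following is an added example, not code from the original page or from Google's tooling, that checks a role definition for those gaps; the role name and sample JSON are constructed, and `includedPermissions` is assumed to be the permission list field of the role definition being checked.

```python
import json

# Companion permissions, taken from the footnotes on this page.
COMPANIONS = {
    "dataproc.batches.create": {"dataproc.batches.get", "dataproc.operations.get"},
    "dataproc.sessions.create": {"dataproc.sessions.get", "dataproc.operations.get"},
    "dataproc.sessionTemplates.create": {"dataproc.sessionTemplates.get",
                                         "dataproc.operations.get"},
    # Needed only when the role is meant to cancel batch operations.
    "dataproc.operations.cancel": {"dataproc.batches.cancel"},
}

# Constructed sample: a custom role definition with an "includedPermissions"
# list; the project and role names are hypothetical.
SAMPLE_ROLE_JSON = """
{
  "name": "projects/example-project/roles/sparkBatchSubmitter",
  "title": "Spark batch submitter",
  "includedPermissions": [
    "dataproc.batches.create",
    "dataproc.batches.get",
    "dataproc.operations.cancel"
  ]
}
"""

def missing_companions(role):
    """Map each granted permission to the companion permissions the role lacks."""
    granted = set(role.get("includedPermissions", []))
    gaps = {}
    for perm, needed in COMPANIONS.items():
        lacking = needed - granted
        if perm in granted and lacking:
            gaps[perm] = sorted(lacking)
    return gaps

def with_companions(role):
    """Return a copy of the role with every missing companion permission added."""
    granted = set(role.get("includedPermissions", []))
    for lacking in missing_companions(role).values():
        granted.update(lacking)
    return {**role, "includedPermissions": sorted(granted)}

if __name__ == "__main__":
    role = json.loads(SAMPLE_ROLE_JSON)
    for perm, lacking in missing_companions(role).items():
        print(f"{perm}: also grant {', '.join(lacking)}")
    print(json.dumps(with_companions(role), indent=2))
```

Review the `dataproc.operations.cancel` finding before acting on it: the page requires `dataproc.batches.cancel` only for cancelling batch operations, so a role that never cancels batches can leave it out.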