This document describes how to view and manage Identity and Access Management service account roles. A Dataproc Serverless for Spark batch workload or interactive session runs as the Compute Engine default service account, unless you specify a custom service account when you submit a batch workload, create a session, or create a session runtime template.
Required Dataproc Worker role
The Dataproc Serverless workload service account must have the Identity and Access Management Dataproc Worker role. The Compute Engine default service account (project_number-compute@developer.gserviceaccount.com) that Dataproc Serverless uses has this role by default. If you specify your own service account for your batch workload, session, or session template, you must grant the Dataproc Worker role to your service account. Additional roles may be necessary for other operations, such as reading and writing data to BigQuery.
View and manage IAM service account roles
To view and manage the roles granted to the Dataproc Serverless workload service account, do the following:
In the Google Cloud console, go to the IAM page.
Click Include Google-provided role grants.
View the roles listed for the workload service account. The required Dataproc Worker role is listed for the Compute Engine default service account (project_number-compute@developer.gserviceaccount.com) that Dataproc Serverless uses by default as the workload service account. You can click the pencil icon displayed on the service account row to grant or remove service account roles.