Workforce access to Dataproc Component Gateway

Background

Workforce identity federation allows you to use an external identity provider (IdP) to authenticate and authorize workforce employees, partners, and contractors to Google Cloud services.

If workforce identity federation is configured in your project, external identity users can use the Google Cloud console, Google Cloud CLI, and the Dataproc API to access most Dataproc resources and features, except the following:

How to use workforce identity federation with the Dataproc Component Gateway

  1. Configure workforce identity federation by following the Configure workforce identity federation guide.

  2. Grant external identity users the dataproc.clusters.use role to allow access to the Dataproc Component Gateway (see Grant IAM roles to principals).

  3. Create a Dataproc cluster with Component Gateway enabled.
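Steps 2 and 3 above as gcloud commands, plus a check of the resulting bindings. This is an added example, not a script from the Dataproc documentation; it assumes step 1 is already done (the workforce pool exists) and that every value below (project, region, cluster name, pool ID, group ID, custom role ID) is a placeholder you replace.

```bash
#!/usr/bin/env bash
# Added example, not from the Dataproc documentation. Assumes the workforce
# pool from step 1 already exists; all values below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"             # placeholder
REGION="${REGION:-us-central1}"                    # placeholder
CLUSTER_NAME="${CLUSTER_NAME:-wif-cluster}"        # placeholder
WORKFORCE_POOL_ID="${WORKFORCE_POOL_ID:-my-pool}"  # placeholder, from step 1
GROUP_ID="${GROUP_ID:-dataproc-users}"             # IdP group, placeholder
ROLE_ID="${ROLE_ID:-dataprocComponentGatewayUser}" # custom role, placeholder

# Print the command instead of running it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# IAM principal identifier that matches every member of a workforce pool group.
workforce_group_principal() {
  echo "principalSet://iam.googleapis.com/locations/global/workforcePools/$1/group/$2"
}

# Step 2: a custom role carrying only dataproc.clusters.use (the permission the
# page names), bound at project level to the workforce group, so external
# identities get Component Gateway access and nothing wider.
grant_component_gateway_access() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="Dataproc Component Gateway user" \
    --permissions=dataproc.clusters.use --stage=GA
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$(workforce_group_principal "$WORKFORCE_POOL_ID" "$GROUP_ID")" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Step 3: Component Gateway must be enabled when the cluster is created.
create_cluster() {
  run gcloud dataproc clusters create "$CLUSTER_NAME" --project="$PROJECT_ID" \
    --region="$REGION" --enable-component-gateway
}

# Check: list only the bindings held by principals from the workforce pool, to
# confirm the gateway role is the only one they have on the project.
show_workforce_bindings() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members~workforcePools/$WORKFORCE_POOL_ID" \
    --format="table(bindings.role,bindings.members)"
}

# Usage: ./setup.sh grant_component_gateway_access && ./setup.sh create_cluster
# (set DRY_RUN=1 to print the commands first). With no argument, nothing runs.
[ $# -eq 0 ] || "$@"
```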

Access cluster web interfaces

See Viewing and Accessing Component Gateway URLs, and note the following differences for external identity users:

  1. Only users that are authenticated with external identities can access the URL for external identities. If a user visits the URL for external identities while not logged in, they are redirected to the authentication portal where they specify their workforce pool provider name. Next, they are redirected to their identity provider to log in. Then, they are redirected to the component web interface.

  2. External identities URLs have the following format:

    https://UNIQUE_ID-dot-dataproc.byoid.googleusercontent.com

What's Next