Background
Workforce identity federation allows you to use an external identity provider (IdP) to authenticate and authorize workforce employees, partners, and contractors to Google Cloud services.
If workforce identity federation is configured in your project, external identity users can use the Google Cloud console, Google Cloud CLI, and the Dataproc API to access most Dataproc resources and features, except the following:
- Dataproc Component Gateway
- Dataproc on GKE
- Dataproc Personal Authentication
- Dataproc Service Account Based Secure Multi-tenancy
- The Output section in the Batch and Job details pages and the Recommended Alerts section in the Cluster and Job list pages in the Google Cloud console.
How to use workforce identify federation with the Dataproc Component Gateway
Configure workforce identify federation by following the Configure workforce identity federation guide.
Grant external identity users the
dataproc.clusters.userole to allow access the Dataproc Component Gateway (see Grant IAM roles to principals).- For instructions on how to represent external identities in IAM policies, see Represent workforce pool users in IAM policies.
Access cluster web interfaces
See Viewing and Accessing Component Gateway URLs, and note the following differences for external identity users:
Only users that are authenticated with external identities can access the URL for external identities. If a user visits the URL for external identities while not logged in, they are redirected to the authentication portal where they specify their workforce pool provider name. Next, they are redirected to their identity provider to log in. Then, they are redirected to the component web interface.
External identities URLs have the following format:
https://UNIQUE_ID-dot-dataproc.byoid.googleusercontent.com
What's Next
- Create a cluster with Dataproc components.