Minimum permissions required for the Cloud Data Fusion Service Account
This document explains which permissions to give to the Cloud Data Fusion Service Account when you create a custom role that lets it access your resources.

By default, the Cloud Data Fusion API Service Agent (roles/datafusion.serviceAgent) Identity and Access Management role is assigned to the Cloud Data Fusion Service Account. This role is highly permissive. Instead, you can use custom roles to provide only the permissions that the service account principal needs.
Required permissions for the Cloud Data Fusion Service Account
When you create a custom role for the Cloud Data Fusion Service Account, give the following permissions based on the tasks you plan to perform in your instance. This lets Cloud Data Fusion access your resources.
Task: Create a Cloud Data Fusion instance
Permissions required:
  datafusion.instances.setIamPolicy
  datafusion.instances.getIamPolicy

Task: Get Dataproc clusters
Permissions required:
  dataproc.clusters.get

Task: Create Cloud Storage bucket per Cloud Data Fusion instance and upload files for Dataproc job execution
Permissions required:
  storage.buckets.get
  storage.objects.get
  storage.buckets.create
  storage.objects.create
  storage.objects.update
  storage.buckets.delete
  storage.objects.delete

Task: Publish logs to Cloud Logging
Permissions required:
  logging.logEntries.create

Task: Publish Cloud metrics to Cloud Monitoring
Permissions required:
  monitoring.metricDescriptors.create
  monitoring.metricDescriptors.get
  monitoring.metricDescriptors.list
  monitoring.monitoredResourceDescriptors.get
  monitoring.monitoredResourceDescriptors.list
  monitoring.timeSeries.create

Task: Create a Cloud Data Fusion instance with VPC peering
Permissions required:
  compute.globalOperations.get
  compute.networks.addPeering
  compute.networks.removePeering
  compute.networks.update
  compute.networks.get

Task: Create a Cloud Data Fusion instance with DNS peering zone between customer and tenant projects
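As an added example (not part of the Cloud Data Fusion documentation), the following Python turns the table above into a custom-role definition for a chosen set of tasks and audits an existing role's permission list against that documented minimum. The task keys, the role title and the sample drifted permission set are assumptions; the permission strings are the ones listed above.

```python
from typing import Dict, Iterable, List, Set

# Task -> permissions, copied from the table on this page (task keys are assumed names).
TASK_PERMISSIONS: Dict[str, List[str]] = {
    "create_instance": ["datafusion.instances.setIamPolicy",
                        "datafusion.instances.getIamPolicy"],
    "get_dataproc_clusters": ["dataproc.clusters.get"],
    "staging_bucket": ["storage.buckets.get", "storage.objects.get",
                       "storage.buckets.create", "storage.objects.create",
                       "storage.objects.update", "storage.buckets.delete",
                       "storage.objects.delete"],
    "logging": ["logging.logEntries.create"],
    "monitoring": ["monitoring.metricDescriptors.create",
                   "monitoring.metricDescriptors.get",
                   "monitoring.metricDescriptors.list",
                   "monitoring.monitoredResourceDescriptors.get",
                   "monitoring.monitoredResourceDescriptors.list",
                   "monitoring.timeSeries.create"],
    "vpc_peering": ["compute.globalOperations.get", "compute.networks.addPeering",
                    "compute.networks.removePeering", "compute.networks.update",
                    "compute.networks.get"],
}

def required_permissions(tasks: Iterable[str]) -> Set[str]:
    """Union of the permissions for the selected tasks; an unknown task is an error."""
    perms: Set[str] = set()
    for task in tasks:
        if task not in TASK_PERMISSIONS:
            raise KeyError(f"no permission list for task {task!r}")
        perms.update(TASK_PERMISSIONS[task])
    return perms

def role_yaml(title: str, tasks: Iterable[str]) -> str:
    """Role file for: gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml"""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(required_permissions(tasks))]
    return "\n".join(lines) + "\n"

def audit_role(granted: Iterable[str], tasks: Iterable[str]) -> Dict[str, List[str]]:
    """Compare a role's current permissions (e.g. from `gcloud iam roles describe`)
    with the documented minimum for the tasks in use: report gaps and excess."""
    needed = required_permissions(tasks)
    have = set(granted)
    return {"missing": sorted(needed - have), "excess": sorted(have - needed)}

if __name__ == "__main__":
    tasks = ["create_instance", "staging_bucket", "logging"]  # assumed task selection
    print(role_yaml("Data Fusion SA minimal", tasks))
    # Constructed example of a role that drifted: one permission extra, one missing.
    current = (required_permissions(tasks) - {"storage.objects.delete"}) | {"storage.buckets.list"}
    print(audit_role(current, tasks))
```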
Last updated 2025-03-21 UTC.