Minimum permissions required for the Cloud Data Fusion Service Account
This document explains which permissions to grant to the Cloud Data Fusion Service Account when you create a custom role that lets it access your resources.

Note: The principal name for the Cloud Data Fusion Service Account is service-CUSTOMER_PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com, where CUSTOMER_PROJECT_NUMBER is the number of your (customer) project.

By default, the Cloud Data Fusion API Service Agent (roles/datafusion.serviceAgent) Identity and Access Management role is assigned to the Cloud Data Fusion Service Account. This role is highly permissive. Instead, you can use custom roles to grant only the permissions that the service account principal needs.

For more information about the Cloud Data Fusion service accounts, see Service accounts in Cloud Data Fusion (/data-fusion/docs/concepts/service-accounts). For more information about creating custom roles, see Create a custom role (/iam/docs/creating-custom-roles#creating).
Required permissions for the Cloud Data Fusion Service Account

When you create a custom role for the Cloud Data Fusion Service Account, grant the following permissions based on the tasks you plan to perform in your instance. This lets Cloud Data Fusion access your resources.
Task: Create a Cloud Data Fusion instance
Permissions required:
- datafusion.instances.setIamPolicy
- datafusion.instances.getIamPolicy

Task: Access Dataproc clusters
Permissions required:
- dataproc.clusters.get

Task: Create one Cloud Storage bucket per Cloud Data Fusion instance and upload files for running Dataproc jobs
Permissions required:
- storage.buckets.get
- storage.objects.get
- storage.buckets.create
- storage.objects.create
- storage.objects.update
- storage.buckets.delete
- storage.objects.delete

Task: Publish logs to Cloud Logging
Permissions required:
- logging.logEntries.create

Task: Publish metrics to Cloud Monitoring
Permissions required:
- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.monitoredResourceDescriptors.get
- monitoring.monitoredResourceDescriptors.list
- monitoring.timeSeries.create

Task: Create a Cloud Data Fusion instance with VPC peering
Permissions required:
- compute.globalOperations.get
- compute.networks.addPeering
- compute.networks.removePeering
- compute.networks.update
- compute.networks.get

Task: Create a Cloud Data Fusion instance with a DNS peering zone between the customer and tenant projects
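To turn the table into an actual role binding, here is an added example in POSIX shell; it is not code from the Cloud Data Fusion documentation or from the gcloud CLI's own documentation. It assembles the union of the permissions for a chosen set of tasks, deduplicates them, rejects unknown task names so a typo cannot silently drop a row, and prints, without running, the gcloud commands that create the custom role, bind it to the service agent, and remove the predefined roles/datafusion.serviceAgent binding. The project ID my-project and role ID dataFusionServiceAgentMinimal are assumed placeholders; the DNS peering row is not included because this copy of the page does not list its permissions.

```shell
#!/bin/sh
# Added example (not from the Cloud Data Fusion documentation): build a
# least-privilege custom role from the task table on this page and print the
# gcloud commands that would create it and swap it in for the predefined
# roles/datafusion.serviceAgent. Nothing is executed against Google Cloud;
# PROJECT_ID and ROLE_ID are assumed placeholder values.
PROJECT_ID="${PROJECT_ID:-my-project}"                # assumed placeholder
ROLE_ID="${ROLE_ID:-dataFusionServiceAgentMinimal}"   # assumed placeholder

# Permissions per task, copied from the table above. The DNS peering row is
# omitted because its permissions are not listed in this copy of the page.
perms_for_task() {
  case "$1" in
    create-instance) echo "datafusion.instances.setIamPolicy datafusion.instances.getIamPolicy" ;;
    dataproc)        echo "dataproc.clusters.get" ;;
    storage)         echo "storage.buckets.get storage.objects.get storage.buckets.create storage.objects.create storage.objects.update storage.buckets.delete storage.objects.delete" ;;
    logging)         echo "logging.logEntries.create" ;;
    monitoring)      echo "monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create" ;;
    vpc-peering)     echo "compute.globalOperations.get compute.networks.addPeering compute.networks.removePeering compute.networks.update compute.networks.get" ;;
    *) echo "unknown task: $1" >&2; return 1 ;;
  esac
}

# Union of the permissions for the given tasks: one per line, sorted, deduplicated.
# Returns 1 if any task name is unknown, so a typo cannot silently drop a row.
permissions_for() {
  for t in "$@"; do perms_for_task "$t" >/dev/null || return 1; done
  for t in "$@"; do perms_for_task "$t" | tr ' ' '\n'; done | sort -u
}

# The same set as the comma-separated value that `gcloud iam roles create --permissions` takes.
permissions_csv() {
  permissions_for "$@" | tr '\n' ',' | sed 's/,$//'
}

# Print (do not run) the commands: create the role, bind it to the service agent,
# and only then remove the broad predefined role binding.
print_commands() {
  permissions_for "$@" >/dev/null || return 1
  csv=$(permissions_csv "$@")
  cat <<EOF
# The project number is part of the service agent's principal name.
PROJECT_NUMBER=\$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
SA="serviceAccount:service-\${PROJECT_NUMBER}@gcp-sa-datafusion.iam.gserviceaccount.com"

gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \\
  --title="Cloud Data Fusion service agent (minimal)" --stage=GA \\
  --permissions="$csv"

gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="\$SA" \\
  --role="projects/$PROJECT_ID/roles/$ROLE_ID"

gcloud projects remove-iam-policy-binding "$PROJECT_ID" --member="\$SA" \\
  --role="roles/datafusion.serviceAgent"
EOF
}

# Usage: an instance without VPC peering needs the first five rows of the table only.
print_commands create-instance dataproc storage logging monitoring
```

The printed commands keep the order that matters in practice: the custom role is bound before the predefined role is removed, so the service agent is never left without any role. Review the printed output, run it against a test project first, and confirm that creating an instance and running a pipeline still works before applying it to production.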
What's next

- Learn more about creating and managing custom roles (/iam/docs/creating-custom-roles).
- Learn more about access control options in Cloud Data Fusion (/data-fusion/docs/access-control).

Last updated 2025-08-12 UTC.