IAM으로 Dataform에 대한 액세스 제어
컬렉션을 사용해 정리하기 내 환경설정을 기준으로 콘텐츠를 저장하고 분류하세요.

이 문서에서는 Dataform의 액세스 제어 옵션을 설명하고 Dataform 역할을 보고 부여하는 방법을 보여줍니다. Dataform은 Identity and Access Management(IAM)를 사용하여 액세스를 제어합니다. IAM의 역할 및 권한에 대한 자세한 내용은 역할 및 권한 이해를 참고하세요.

사전 정의된 Dataform 역할

다음 표에는 Dataform 리소스에 대한 액세스 권한을 부여하는 사전 정의된 역할이 나와 있습니다.

Role Permissions

Role	Permissions
Dataform Admin (`roles/dataform.admin`) Full access to all Dataform resources.	`dataform.*` `dataform.commentThreads.create` `dataform.commentThreads.delete` `dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.commentThreads.update` `dataform.comments.create` `dataform.comments.delete` `dataform.comments.get` `dataform.comments.list` `dataform.comments.update` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.config.get` `dataform.config.update` `dataform.locations.get` `dataform.locations.list` `dataform.releaseConfigs.create` `dataform.releaseConfigs.delete` `dataform.releaseConfigs.get` `dataform.releaseConfigs.list` `dataform.releaseConfigs.update` `dataform.repositories.commit` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.create` `dataform.repositories.delete` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.repositories.setIamPolicy` `dataform.repositories.update` `dataform.workflowConfigs.create` `dataform.workflowConfigs.delete` `dataform.workflowConfigs.get` `dataform.workflowConfigs.list` `dataform.workflowConfigs.update` `dataform.workflowInvocations.cancel` `dataform.workflowInvocations.create` `dataform.workflowInvocations.delete` `dataform.workflowInvocations.get` `dataform.workflowInvocations.list` `dataform.workflowInvocations.query` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.setIamPolicy` `dataform.workspaces.writeFile` `resourcemanager.projects.get` `resourcemanager.projects.list`
Code Commenter ^Beta (`roles/dataform.codeCommenter`) Permissions to comment, at the repository level. Grants CRUD access over commentThread and comment resources.	`dataform.commentThreads.` `dataform.commentThreads.create` `dataform.commentThreads.delete` `dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.commentThreads.update` `dataform.comments.` `dataform.comments.create` `dataform.comments.delete` `dataform.comments.get` `dataform.comments.list` `dataform.comments.update`
Code Creator (`roles/dataform.codeCreator`) Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.	`dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.comments.get` `dataform.comments.list` `dataform.locations.*` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Code Editor (`roles/dataform.codeEditor`) Edit access code resources.	`dataform.commentThreads.` `dataform.commentThreads.create` `dataform.commentThreads.delete` `dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.commentThreads.update` `dataform.comments.` `dataform.comments.create` `dataform.comments.delete` `dataform.comments.get` `dataform.comments.list` `dataform.comments.update` `dataform.compilationResults.` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.locations.` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.commit` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.create` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.writeFile` `resourcemanager.projects.get` `resourcemanager.projects.list`
Code Owner (`roles/dataform.codeOwner`) Full access to code resources.	`dataform.commentThreads.` `dataform.commentThreads.create` `dataform.commentThreads.delete` `dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.commentThreads.update` `dataform.comments.` `dataform.comments.create` `dataform.comments.delete` `dataform.comments.get` `dataform.comments.list` `dataform.comments.update` `dataform.compilationResults.` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.locations.` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.` `dataform.repositories.commit` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.create` `dataform.repositories.delete` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.repositories.setIamPolicy` `dataform.repositories.update` `dataform.workspaces.` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.setIamPolicy` `dataform.workspaces.writeFile` `resourcemanager.projects.get` `resourcemanager.projects.list`
Code Viewer (`roles/dataform.codeViewer`) Read-only access to all code resources.	`dataform.compilationResults.` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.locations.` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.list` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.searchFiles` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataform Editor (`roles/dataform.editor`) Edit access to Workspaces and Read-only access to Repositories.	`dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.comments.get` `dataform.comments.list` `dataform.compilationResults.` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.config.get` `dataform.locations.` `dataform.locations.get` `dataform.locations.list` `dataform.releaseConfigs.get` `dataform.releaseConfigs.list` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.workflowConfigs.get` `dataform.workflowConfigs.list` `dataform.workflowInvocations.*` `dataform.workflowInvocations.cancel` `dataform.workflowInvocations.create` `dataform.workflowInvocations.delete` `dataform.workflowInvocations.get` `dataform.workflowInvocations.list` `dataform.workflowInvocations.query` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.writeFile` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataform Service Agent (`roles/dataform.serviceAgent`) Gives permission for the Dataform API to access a secret from Secret Manager Warning: Do not grant service agent roles to any principals except service agents.	`dataform.compilationResults.create` `dataform.workflowInvocations.create` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataform Viewer (`roles/dataform.viewer`) Read-only access to all Dataform resources.	`dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.comments.get` `dataform.comments.list` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.config.get` `dataform.locations.*` `dataform.locations.get` `dataform.locations.list` `dataform.releaseConfigs.get` `dataform.releaseConfigs.list` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.workflowConfigs.get` `dataform.workflowConfigs.list` `dataform.workflowInvocations.get` `dataform.workflowInvocations.list` `dataform.workflowInvocations.query` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.list` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.searchFiles` `resourcemanager.projects.get` `resourcemanager.projects.list`

Dataform Admin

(roles/dataform.admin)

Full access to all Dataform resources.

dataform.*

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.get
dataform.commentThreads.list
dataform.commentThreads.update
dataform.comments.create
dataform.comments.delete
dataform.comments.get
dataform.comments.list
dataform.comments.update
dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.config.get
dataform.config.update
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Code Commenter ^Beta

(roles/dataform.codeCommenter)

Permissions to comment, at the repository level. Grants CRUD access over commentThread and comment resources.

dataform.commentThreads.*

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.get
dataform.commentThreads.list
dataform.commentThreads.update

dataform.comments.*

dataform.comments.create
dataform.comments.delete
dataform.comments.get
dataform.comments.list
dataform.comments.update

Code Creator

(roles/dataform.codeCreator)

Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.

dataform.commentThreads.get

dataform.commentThreads.list

dataform.comments.get

dataform.comments.list

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Code Editor

(roles/dataform.codeEditor)

Edit access code resources.

dataform.commentThreads.*

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.get
dataform.commentThreads.list
dataform.commentThreads.update

dataform.comments.*

dataform.comments.create
dataform.comments.delete
dataform.comments.get
dataform.comments.list
dataform.comments.update

dataform.compilationResults.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.commit

dataform.repositories.computeAccessTokenStatus

dataform.repositories.create

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.searchFiles

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Code Owner

(roles/dataform.codeOwner)

Full access to code resources.

dataform.commentThreads.*

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.get
dataform.commentThreads.list
dataform.commentThreads.update

dataform.comments.*

dataform.comments.create
dataform.comments.delete
dataform.comments.get
dataform.comments.list
dataform.comments.update

dataform.compilationResults.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.*

dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update

dataform.workspaces.*

dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Code Viewer

(roles/dataform.codeViewer)

Read-only access to all code resources.

dataform.compilationResults.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.searchFiles

resourcemanager.projects.get

resourcemanager.projects.list

Dataform Editor

(roles/dataform.editor)

Edit access to Workspaces and Read-only access to Repositories.

dataform.commentThreads.get

dataform.commentThreads.list

dataform.comments.get

dataform.comments.list

dataform.compilationResults.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query

dataform.config.get

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.*

dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.searchFiles

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Dataform Service Agent

(roles/dataform.serviceAgent)

Gives permission for the Dataform API to access a secret from Secret Manager

dataform.compilationResults.create

dataform.workflowInvocations.create

resourcemanager.projects.get

resourcemanager.projects.list

Dataform Viewer

(roles/dataform.viewer)

Read-only access to all Dataform resources.

dataform.commentThreads.get

dataform.commentThreads.list

dataform.comments.get

dataform.comments.list

dataform.compilationResults.get

dataform.compilationResults.list

dataform.compilationResults.query

dataform.config.get

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.get

dataform.workflowInvocations.list

dataform.workflowInvocations.query

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.searchFiles

resourcemanager.projects.get

resourcemanager.projects.list

커스텀 Dataform 역할

커스텀 역할에는 사용자가 지정하는 모든 권한이 포함될 수 있습니다. 개발 작업공간 만들기 또는 개발 작업공간 내에서 파일 및 디렉터리 만들기와 같은 특정 관리 작업을 수행할 수 있는 권한이 포함된 커스텀 역할을 만들 수 있습니다. 커스텀 역할을 만들려면 커스텀 역할 만들기 및 관리를 참조하세요.

Dataform 권한의 보안 고려사항

dataform.repositories.create 권한이 있는 사용자는 기본 Dataform 서비스 계정 및 서비스 계정에 부여된 모든 권한을 사용해서 BigQuery에서 코드를 실행할 수 있습니다. 여기에는 Dataform SQL 워크플로 실행이 포함됩니다.

dataform.repositories.create 권한은 다음 IAM 역할에 포함됩니다.

서비스 계정이 BigQuery에서 읽거나 쓸 수 있는 데이터를 제한하려면 선택한 BigQuery 데이터 세트 또는 테이블에 대한 세분화된 BigQuery IAM 권한을 부여하면 됩니다. 자세한 내용은 데이터 세트 액세스 제어 및 테이블 및 뷰 액세스 제어를 참조하세요.

기본 Dataform 서비스 계정 및 여기에 필요한 역할과 권한에 대한 자세한 내용은 Dataform에 필요한 액세스 권한 부여를 참조하세요.

시작하기 전에

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Enable the BigQuery and Dataform APIs.

Enable the APIs

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Enable the BigQuery and Dataform APIs.

Enable the APIs

Dataform 역할 보기

Google Cloud 콘솔에서 다음 단계를 수행합니다.

IAM 및 관리자 > 역할 페이지로 이동합니다.

역할로 이동
필터 필드에서 사용 그룹을 선택하고 Dataform을 입력한 다음 Enter 키를 누릅니다.
나열된 역할 중 하나를 클릭하면 오른쪽 창에 역할 권한이 표시됩니다.

예를 들어 Dataform 관리자 역할에는 모든 Dataform 리소스에 대해 전체 액세스 권한이 포함됩니다.

프로젝트에 역할을 부여하는 방법에 대한 자세한 내용은 역할 부여를 참고하세요. 이렇게 하면 사전 정의된 역할 또는 커스텀 역할을 부여할 수 있습니다.

개별 저장소에 대한 액세스 제어

세부적인 권한으로 Dataform에 대한 액세스를 제어하려면 Dataform API repositories.setIamPolicy 요청을 사용하여 개별 저장소에 Dataform IAM 역할을 설정할 수 있습니다.

개별 Dataform 저장소에 Dataform IAM 역할을 설정하려면 다음 단계를 따르세요.

터미널에서 액세스 정책과 함께 Dataform API repositories.setIamPolicy 요청을 전달합니다.
정책에서 다음 형식으로 선택한 역할에 사용자, 그룹, 도메인 또는 서비스 계정을 바인딩합니다.
```
{
"policy":
   {
      "bindings": [
      {
         "role": "roles/ROLE",
         "members": [
            "TYPE:IDENTIFIER",
         ]
      },
      ],
   }
}
```
다음을 바꿉니다.
- ROLE: 저장소에 부여할 Dataform IAM 역할
- TYPE: user, group, domain, 또는 serviceAccount
- IDENTIFIER: 역할을 부여할 사용자, 그룹, 도메인 또는 서비스 계정
IAM 페이지에서 모든 사용자가 dataform.repositories.list 권한이 있는 Dataform 역할을 통해 Dataform 저장소의 전체 목록을 볼 수 있는지 확인합니다.
IAM에서 모든 Dataform 저장소에 대한 전체 액세스 권한이 필요한 사용자에게만 모든 저장소에 대한 Dataform 관리자 역할이 부여되었는지 확인하세요.

다음 명령어는 sales 저장소의 Dataform 편집자 역할을 부여하는 repositories.setIamPolicy Dataform API 요청을 단일 사용자에게 전달합니다.

curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.editor", "members": ["user:sasha@examplepetstore.com"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"

저장소에 대한 공개 액세스 권한 부여

allAuthenticatedUsers 주 구성원에게 저장소의 IAM 역할을 부여하여 Dataform 저장소에 대한 공개 액세스 권한을 부여할 수 있습니다.

allAuthenticatedUsers 주 구성원에게 IAM 역할을 할당하면 서비스 계정과 Google 계정으로 인증된 인터넷의 모든 사용자에게 해당 역할이 부여됩니다. 여기에는 개인 Gmail 계정과 같이 Google Workspace 계정이나 Cloud ID 도메인에 연결되지 않은 계정이 포함됩니다. 익명 방문자와 같은 인증되지 않은 사용자는 포함되지 않습니다. 자세한 내용은 인증된 모든 사용자를 참조하세요.

예를 들어 sales 저장소의 allAuthenticatedUsers에 Dataform 뷰어 역할을 부여하면 Google 계정으로 인증된 모든 서비스 계정 및 인터넷 사용자는 모든 sales 코드 리소스에 대해 읽기 전용 액세스 권한만 갖습니다.

Dataform 저장소에 대해 공개 액세스 권한을 부여하려면 다음 단계를 수행합니다.

터미널에서 액세스 정책과 함께 Dataform API repositories.setIamPolicy 요청을 전달합니다.
정책에서 allAuthenticatedUsers 주 구성원을 선택한 역할에 다음 형식으로 바인딩합니다.
```
{
"policy":
   {
      "bindings": [
      {
         "role": "roles/ROLE",
         "members": [
            "allAuthenticatedUsers",
         ]
      },
      ],
   }
}
```
다음을 바꿉니다.
- ROLE: 인증된 모든 사용자에게 부여하려는 Dataform IAM 역할

다음 명령어는 sales 저장소에 대한 Dataform 뷰어 역할을 부여하는 repositories.setIamPolicy Dataform API 요청을 allAuthenticatedUsers에 전달합니다.

curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.viewer", "members": ["allAuthenticatedUsers"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"

저장소에 대한 공개 액세스 방지

Dataform 저장소에 대한 공개 액세스 권한이 부여되지 않도록 하려면 프로젝트에서 allAuthenticatedUsers 주 구성원을 제한하면 됩니다.

프로젝트에서 allAuthenticatedUsers를 제한하려면 iam.allowedPolicyMemberDomains 정책을 설정하고 allowed_values 목록에서 allAuthenticatedUsers를 삭제하면 됩니다.

iam.allowedPolicyMemberDomains 정책에서 allAuthenticatedUsers를 제한하면 프로젝트의 모든 IAM 정책에서 allAuthenticatedUsers 주 구성원을 사용할 수 없으므로 Dataform 저장소를 비롯한 모든 리소스에 대한 공개 액세스 권한이 부여되지 않습니다.

iam.allowedPolicyMemberDomains 정책에 관한 자세한 내용과 설정 안내는 도메인별 ID 제한을 참고하세요.

Dataform의 직원 ID 제휴

직원 ID 제휴를 사용하면 외부 ID 공급업체(IdP)를 통해 IAM으로 Google Cloud 서비스에 대해 사용자를 인증 및 승인할 수 있습니다.

Dataform은 알려진 제한사항 없이 직원 ID 제휴를 지원합니다.

다음 단계

IAM에 대한 자세한 내용은 IAM 개요 참조하기
역할 및 권한에 대한 자세한 내용은 역할 이해 참조하기
리소스 액세스 관리에 대한 자세한 내용은 프로젝트, 폴더, 조직 액세스 관리 참조하기
Dataform의 테이블에 BigQuery 역할을 부여하는 방법은 IAM으로 개별 테이블에 대한 액세스 제어 참조하기
직원 ID 제휴의 주요 개념에 대한 자세한 내용은 직원 ID 제휴를 참조하기

IAM으로 Dataform에 대한 액세스 제어 컬렉션을 사용해 정리하기 내 환경설정을 기준으로 콘텐츠를 저장하고 분류하세요.

사전 정의된 Dataform 역할

Dataform Admin

Code Commenter Beta

Code Creator

Code Editor

Code Owner

Code Viewer

Dataform Editor

Dataform Service Agent

Dataform Viewer

커스텀 Dataform 역할

Dataform 권한의 보안 고려사항

시작하기 전에

Dataform 역할 보기

개별 저장소에 대한 액세스 제어

저장소에 대한 공개 액세스 권한 부여

저장소에 대한 공개 액세스 방지

Dataform의 직원 ID 제휴

다음 단계

IAM으로 Dataform에 대한 액세스 제어
컬렉션을 사용해 정리하기 내 환경설정을 기준으로 콘텐츠를 저장하고 분류하세요.

Code Commenter ^Beta