A conta de serviço do data lake exige permissões de administrador nos buckets do Cloud Storage ou nos conjuntos de dados do BigQuery.
O Universal Catalog do Dataplex cria tabelas externas no BigQuery para tabelas descobertas no Cloud Storage. O Dataplex Universal Catalog também disponibiliza metadados tabela do BigQuery e tabelas descobertas no bucket do Cloud Storage em um serviço do metastore do Dataproc. O metastore do Dataproc está localizado no projeto do data lake.
Configurações e limitações do Cloud Storage
Região: o Dataplex Universal Catalog é compatível com buckets de região única e multirregião em algumas Google Cloud regiões.
Classe de armazenamento: buckets do Cloud Storage de todas as classes de armazenamento são compatíveis (Standard, Nearline, Coldline, Archive).
Acessar ou verificar dados do Nearline, Coldline ou Archive pode gerar custos adicionais de recuperação de dados.
ACL do bucket: o Dataplex Universal Catalog é compatível apenas com buckets do Cloud Storage com controles de acesso uniformes.
Não há suporte para controles de acesso refinado.
Pagamentos do solicitante: os buckets do Cloud Storage com o recurso Pagamentos do solicitante ativado não são compatíveis.
Orientações sobre segurança e permissões
O Dataplex Universal Catalog exige a adição das contas de serviço do Dataplex Universal Catalog como uma conta de serviço administrativa em buckets e conjuntos de dados gerenciados.
Com o Universal Catalog do Dataplex, os analistas podem acessar buckets do Cloud Storage e conjuntos de dados do BigQuery em vários projetos. Para ativar esse acesso, o Dataplex Universal Catalog exige a adição das contas de serviço do Dataplex Universal Catalog com controles administrativos a esses projetos.
Para a descoberta, o Dataplex Universal Catalog adiciona a conta de serviço do metastore do Dataproc aos buckets do Cloud Storage. Se você tiver seu próprio cluster do Dataproc Metastore, talvez queira que o lake do Universal Catalog do Dataplex use seu serviço do Dataproc Metastore, o que é uma opção ao criar o lake.
Se você adicionar um bucket do Cloud Storage com acesso refinado a um lake, o Dataplex Universal Catalog vai fornecer acesso total a esse bucket pelo lake, porque as permissões do Dataplex Universal Catalog são propagadas para todos os objetos no bucket. Se você precisar de acesso refinado, recomendamos dividir os dados do bucket em vários buckets.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-09-05 UTC."],[[["\u003cp\u003eDataplex lakes must reside within a project that shares the same VPC Service Controls perimeter as the data, and the lake service account needs admin permissions on the associated Cloud Storage buckets or BigQuery datasets.\u003c/p\u003e\n"],["\u003cp\u003eDataplex supports single region and multi-region Cloud Storage buckets of all storage classes, but only with uniform access controls and without the Requester Pays feature enabled.\u003c/p\u003e\n"],["\u003cp\u003eTo allow access to Cloud Storage buckets and BigQuery datasets across multiple projects, Dataplex service accounts require administrative controls on those projects.\u003c/p\u003e\n"],["\u003cp\u003eDataplex provides full access to any Cloud Storage bucket with fine-grained access added to a lake, recommending data be split into multiple buckets for fine-grained access needs.\u003c/p\u003e\n"],["\u003cp\u003eAvoid restricting VPC peering with organization policy constraints as it can cause errors with Dataproc Metastore.\u003c/p\u003e\n"]]],[],null,["# Best practices for Dataplex Universal Catalog\n\nThis document provides guidance and best practices for using\nDataplex Universal Catalog.\n\nChoose a project for your lake\n------------------------------\n\nWhen you select the project in which to host your lake, consider the following\nfactors:\n\n- The project must belong to the same\n [VPC Service Controls perimeter](/vpc-service-controls/docs/service-perimeters)\n as the data destined to be within the lake.\n\n- The lake service account requires administrator permissions on the\n Cloud Storage buckets or BigQuery datasets.\n Dataplex Universal Catalog creates external tables in BigQuery for\n tables discovered in Cloud Storage. Dataplex Universal Catalog also makes\n available BigQuery table metadata, and tables discovered in the\n Cloud Storage bucket, in a Dataproc Metastore service. The\n Dataproc Metastore is located within the data lake project.\n\nCloud Storage settings and limitations\n--------------------------------------\n\n- Region: Dataplex Universal Catalog supports single region and\n multi-region buckets in some [Google Cloud regions](/dataplex/docs/locations).\n\n- Storage class: Cloud Storage buckets of all\n [storage classes](/storage/docs/storage-classes) are supported\n (Standard, Nearline, Coldline, Archive).\n Additional data retrieval costs might incur for accessing or scanning\n Nearline, Coldline, or Archive data.\n\n- Bucket ACL: Dataplex Universal Catalog supports Cloud Storage buckets with\n [uniform access controls](/storage/docs/uniform-bucket-level-access) only.\n Fine-grained access controls aren't supported.\n\n- Requester Pays: Cloud Storage buckets with the\n [Requester Pays](/storage/docs/requester-pays) feature enabled aren't\n supported.\n\nSecurity and permissions guidance\n---------------------------------\n\nDataplex Universal Catalog requires adding the Dataplex Universal Catalog\n[service accounts](/dataplex/docs/iam-and-access-control#service-accounts)\nas an administrative service account on managed buckets and datasets.\n\nDataplex Universal Catalog enables analysts to access Cloud Storage buckets\nand BigQuery datasets across many projects. To enable this access,\nDataplex Universal Catalog requires adding the Dataplex Universal Catalog service\naccounts with administrative controls to these projects.\n\nFor Discovery, Dataplex Universal Catalog adds the\nDataproc Metastore service account to the Cloud Storage\nbuckets. If you have your own Dataproc Metastore cluster, you\nmight want to make the Dataplex Universal Catalog lake use your\nDataproc Metastore service, which is an option when you create\nyour lake.\n| **Note:** Don't set the [organization policy constraints](/resource-manager/docs/organization-policy/org-policy-constraints) to restrict VPC peering. If you specify `constraints/compute.restrictVpcPeering`, your Dataproc Metastore creation request fails with an `INVALID_ARGUMENT` error.\n\nIf you choose to add a Cloud Storage bucket with\n[fine-grained](/storage/docs/access-control) access to a lake,\nDataplex Universal Catalog will provide full access to that bucket through the lake\nbecause Dataplex Universal Catalog permissions are propagated to all objects in the\nbucket. If you require fine-grained access, it's recommended that you split\nthe data in your bucket into multiple buckets.\n\nWhat's next\n-----------\n\n- [Build a data mesh](/dataplex/docs/build-a-data-mesh)\n- [Create a lake](/dataplex/docs/create-lake)\n- [Secure your lake](/dataplex/docs/lake-security)"]]
