This page describes how to grant a Google Cloud user account or service account access to basic Dataproc Metastore resources in a project. The roles described on this page provide access to create a Dataproc Metastore service.
Depending on the scope of control you want the account to have, you grant it one of these predefined IAM roles:
roles/metastore.editor to grant full control of Dataproc Metastore resources
roles/metastore.admin to grant full control of Dataproc Metastore resources, including updating IAM permissions.
For detailed information about the specific IAM permissions these roles provide, see Dataproc Metastore IAM roles.
Before you begin
Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
You must have the roles/owner (Owner) basic IAM role in the Google Cloud project you are using, or a role that grants these permissions:
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.
The gcloud CLI's add-iam-policy-binding command grants a predefined Dataproc Metastore role to an IAM principal. It takes the following values:
PROJECT_ID: The ID of the project in which you want to grant Metastore access.
PRINCIPAL: The type and email ID (email address) of the principal.
For user accounts: user:EMAIL_ID
For service accounts: serviceAccount:EMAIL_ID
For Google Groups: group:EMAIL_ID
METASTORE_ROLE: One of the following values, depending on the role you want to grant the principal: roles/metastore.editor or roles/metastore.admin. For details about the permissions these roles grant, see Dataproc Metastore IAM roles.
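The grant described above, wrapped with input checks and a follow-up review of who holds the role. This is an added example, not code from the original page or from Google; the function names are hypothetical and the project ID and principal you pass in are your own values.

```shell
# Added example. Function names are hypothetical, not part of gcloud.

# Accept only the principal forms this page lists:
# user:EMAIL_ID, serviceAccount:EMAIL_ID, group:EMAIL_ID
valid_principal() {
  case "$1" in
    user:?*@?*|serviceAccount:?*@?*|group:?*@?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only the two predefined roles this page covers, so a typo or a
# pasted broader role (for example roles/owner) is rejected before any call.
valid_metastore_role() {
  case "$1" in
    roles/metastore.editor|roles/metastore.admin) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: grant_metastore_role PROJECT_ID PRINCIPAL METASTORE_ROLE
# Returns 2 on rejected input, 1 if the grant fails.
grant_metastore_role() {
  valid_principal "$2" || { echo "rejected principal: $2" >&2; return 2; }
  valid_metastore_role "$3" || { echo "rejected role: $3" >&2; return 2; }
  if [ "$3" = "roles/metastore.admin" ]; then
    # Per this page, admin additionally allows updating IAM permissions.
    echo "note: $3 includes updating IAM permissions" >&2
  fi
  gcloud projects add-iam-policy-binding "$1" \
    --member="$2" --role="$3" >/dev/null || return 1
  # List every member that now holds the role so the change can be reviewed.
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:$3" \
    --format="value(bindings.members)"
}
```

Source the file and call grant_metastore_role with your three values; the output is the full member list for that role, which makes unexpected holders visible at grant time.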
Other actions with the metastore may require additional roles not detailed here; information on those can be found in the respective feature guides.
Last updated 2025-08-07 UTC.