Grant basic Dataproc Metastore IAM roles to users

This page describes how to grant a Google Cloud user account or service account access to basic Dataproc Metastore resources in a project. These roles described on this page provide access to create a Dataproc Metastore service.

Depending on the scope of control you want the account to have, you grant it one of these predefined IAM roles:

  • roles/metastore.editor to grant full control of Dataproc Metastore resources
  • roles/metastore.admin to grant full control of Dataproc Metastore resources, including updating IAM permissions.

For detailed information about the specific IAM permissions these roles provide, see Dataproc Metastore IAM roles.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Dataproc Metastore API.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Dataproc Metastore API.

    Enable the API

    8.

Required Roles

You must have the roles/owner (Owner) basic IAM role in the Google Cloud project you are using, or a role that grants these permissions:

  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.

How to grant access roles

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Run the following add-iam-policy-binding command to grant a Dataproc Metastore predefined role to an IAM principal (user account or service account).

  gcloud projects add-iam-policy-binding PROJECT_ID \
     --member=PRINCIPAL \
     --role=METASTORE_ROLE

Replace the following:

  • PROJECT_ID: The ID of the project you want to enable Metastore access to.
  • PRINCIPAL: The type and email ID (email address) of the principal.
    • For user accounts: user:EMAIL_ID
    • For service accounts: serviceAccount:EMAIL_ID
    • For Google Groups: group:EMAIL_ID
  • METASTORE_ROLE: One of the following values, depending on the role you want to grant the principal: roles/metastore.editor, or roles/metastore.admin. For details about the permissions these roles grant, see Dataproc Metastore IAM roles.