Apache Spark용 서버리스 권한 및 IAM 역할

Identity and Access Management (IAM)를 사용하면 프로젝트 리소스에 대한 액세스를 제어할 수 있습니다. 이 문서에서는 Apache Spark용 서버리스와 관련된 IAM 권한과 해당 권한이 부여된 IAM 역할 에 대해 집중적으로 다룹니다.

Apache Spark용 서버리스의 Dataproc 권한

Dataproc 권한을 사용하면 사용자와 서비스 계정, Apache Spark용 서버리스 리소스에서 작업을 수행할 수 있습니다. 예를 들어 dataproc.batches.create 권한을 사용하면 프로젝트에서 일괄 작업 워크로드를 만들 수 있습니다.

사용자에게 권한을 직접 부여하는 대신 하나 이상의 권한이 번들로 포함된 IAM 역할을 부여합니다. 권한 목록이 포함된 사전 정의된 역할을 부여하거나 커스텀 역할에 포함할 하나 이상의 권한이 포함된 커스텀 역할을 만들고 부여할 수 있습니다.

다음 표에는 Apache Spark용 서버리스 리소스를 만들거나 액세스하는 Dataproc API (메서드)를 호출하는 데 필요한 기본 권한이 나와 있습니다. 표는 각 Apache Spark용 서버리스 리소스와 연결된 API에 따라 구성됩니다. 여기에는 batches, sessions, sessionTemplates, operations가 포함됩니다.

예:

dataproc.batches.create는 포함된 프로젝트에서 배치를 만들도록 허용합니다.
dataproc.sessions.create는 포함된 프로젝트에서 대화형 세션을 만들도록 허용합니다.

배치 권한

메서드	필수 권한
projects.locations.batches.create	dataproc.batches.create ¹
projects.locations.batches.delete	dataproc.batches.delete
projects.locations.batches.get	dataproc.batches.get
projects.locations.batches.list	dataproc.batches.list

¹ dataproc.batches.create는 또한 dataproc.batches.get 및 dataproc.operations.get 권한이 gcloud 명령줄 도구에서 상태 업데이트를 가져오도록 허용하기 위해 필요합니다.

세션 권한

메서드	필수 권한
projects.locations.sessions.create	dataproc.sessions.create ¹
projects.locations.sessions.delete	dataproc.sessions.delete
projects.locations.sessions.get	dataproc.sessions.get
projects.locations.sessions.list	dataproc.sessions.list
projects.locations.sessions.terminate	dataproc.sessions.terminate

¹ dataproc.sessions.create에는 또한 dataproc.sessions.get 및 dataproc.operations.get 권한이 필요하여 gcloud 명령줄 도구에서 상태 업데이트를 가져올 수 있습니다.

세션 템플릿 권한

메서드	필수 권한
projects.locations.sessionTemplates.create	dataproc.sessionTemplates.create ¹
projects.locations.sessionTemplates.delete	dataproc.sessionTemplates.delete
projects.locations.sessionTemplates.get	dataproc.sessionTemplates.get
projects.locations.sessionTemplates.list	dataproc.sessionTemplates.list
projects.locations.sessionTemplates.update	dataproc.sessionTemplates.update

¹ dataproc.sessionTemplates.create는 또한 dataproc.sessionTemplates.get 및 dataproc.operations.get 권한이 필요합니다. 이를 통해 gcloud 명령줄 도구에서 상태 업데이트를 가져올 수 있습니다.

작업 권한

메서드	필수 권한
projects.regions.operations.get	dataproc.operations.get
projects.regions.operations.list	dataproc.operations.list
projects.regions.operations.cancel ¹	dataproc.operations.cancel
projects.regions.operations.delete	dataproc.operations.delete
projects.regions.operations.getIamPolicy	dataproc.operations.getIamPolicy
projects.regions.operations.setIamPolicy	dataproc.operations.setIamPolicy

¹ 배치 작업을 취소하려면 dataproc.operations.cancel 권한도 필요합니다.dataproc.batches.cancel

Apache Spark용 서버리스 3.0+ 런타임 권한

다음 권한은 Apache Spark용 서버리스 3.0 및 이상 런타임에 적용됩니다.

워크로드 권한

메서드	필수 권한
dataprocrm.v1.dataprocrm.projects.locations.workloads.create	dataprocrm.workloads.create
dataprocrm.v1.dataprocrm.projects.locations.workloads.cancel	dataprocrm.workloads.cancel
dataprocrm.v1.dataprocrm.projects.locations.workloads.delete	dataprocrm.workloads.delete
dataprocrm.v1.dataprocrm.projects.locations.workloads.get	dataprocrm.workloads.get
dataprocrm.v1.dataprocrm.projects.locations.workloads.list	dataprocrm.workloads.list
dataprocrm.v1.dataprocrm.projects.locations.workloads.use	dataprocrm.workloads.use

NodePools 권한

메서드	필수 권한
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.create	dataprocrm.nodePools.create
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.delete	dataprocrm.nodePools.delete
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.resize	dataprocrm.nodePools.resize
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.deleteNodes	dataprocrm.nodePools.deleteNodes
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.update	dataprocrm.nodePools.update
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.get	dataprocrm.nodePools.get
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.list	dataprocrm.nodePools.list

노드 권한

메서드	필수 권한
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.create	dataprocrm.nodes.create
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.delete	dataprocrm.nodes.delete
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.update	dataprocrm.nodes.update
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.heartbeat	dataprocrm.nodes.heartbeat
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.get	dataprocrm.nodes.get
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.list	dataprocrm.nodes.list
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.mintOAuthToken	dataprocrm.nodes.mintOAuthToken

작업 권한

메서드	필수 권한
dataprocrm.v1.dataprocrm.projects.locations.operations.get	dataprocrm.operations.get
dataprocrm.v1.dataprocrm.projects.locations.operations.list	dataprocrm.operations.list

Apache Spark용 서버리스 역할 요구사항

다음 표에는 일괄 작업 워크로드 및 세션을 관리하는 데 필요한 권한이 포함된 역할이 나와 있습니다. 요구사항은 일괄 작업 또는 세션 런타임 버전 과 일괄 작업 또는 세션이 서비스 계정 또는 최종 사용자 사용자 인증 정보 (EUC)로 실행되는지 여부에 따라 다를 수 있습니다.

런타임 버전 IAM 역할

런타임 버전	IAM 역할
pre-`3.0`	사용자에게 다음 역할을 부여합니다: 일괄 작업 또는 세션을 실행하는 Dataproc 편집자 역할 또는 일괄 작업 및 세션을 가져오고 나열하는 Dataproc 뷰어 역할 서비스 계정 사용자 역할(Compute Engine 기본 서비스 계정 또는 커스텀 서비스 계정) Compute Engine 기본 서비스 계정 또는 커스텀 서비스 계정에 Dataproc 작업자 역할을 부여합니다.
`3.0`+	사용자에게 다음 역할을 부여합니다: Dataproc 서버리스 편집자 역할(일괄 작업 및 세션 제출) 또는 Dataproc 서버리스 뷰어 역할(일괄 작업 및 세션 가져오기 및 나열) 기본 `3.0`+ 런타임 최종 사용자 사용자 인증 정보 (EUC)를 수락하는 대신 서비스 계정 사용자 인증 정보를 선택하는 경우 사용자 지정 커스텀 서비스 계정에 서비스 계정 사용자 역할을 부여하고 사용자 지정 커스텀 서비스 계정에 Dataproc 서버리스 노드 역할을 부여합니다. .

pre-3.0

사용자에게 다음 역할을 부여합니다:

일괄 작업 또는 세션을 실행하는 Dataproc 편집자 역할 또는 일괄 작업 및 세션을 가져오고 나열하는 Dataproc 뷰어 역할
서비스 계정 사용자 역할(Compute Engine 기본 서비스 계정 또는 커스텀 서비스 계정)

Compute Engine 기본 서비스 계정 또는 커스텀 서비스 계정에 Dataproc 작업자 역할을 부여합니다.

3.0+

사용자에게 다음 역할을 부여합니다:

Dataproc 서버리스 편집자 역할(일괄 작업 및 세션 제출) 또는 Dataproc 서버리스 뷰어 역할(일괄 작업 및 세션 가져오기 및 나열)
기본 3.0+ 런타임 최종 사용자 사용자 인증 정보 (EUC)를 수락하는 대신 서비스 계정 사용자 인증 정보를 선택하는 경우 사용자 지정 커스텀 서비스 계정에 서비스 계정 사용자 역할을 부여하고 사용자 지정 커스텀 서비스 계정에 Dataproc 서버리스 노드 역할을 부여합니다.

참고:

3.0+ 런타임 및 최종 사용자 사용자 인증 정보 (3.0+ 기본값)로 일괄 작업 워크로드 또는 대화형 세션을 만들 때 데이터 영역 시스템 작업은 Dataproc 리소스 관리자 노드 서비스 에이전트에서 실행됩니다. 자세한 내용은 3.0+ 런타임 서비스 에이전트 서비스 계정을 참조하세요.
이전 버전과의 호환성을 위해 레거시 Dataproc 편집자 및 Dataproc 뷰어 역할 대신 Dataproc 서버리스 편집자 및 Dataproc 서버리스 뷰어 역할을 3.0+ 런타임으로 부여할 수 있습니다. 또한 Dataproc 서버리스 노드 역할 대신 Dataproc 작업자 역할을 부여할 수 있습니다.
서비스 계정에 프로젝트 편집자 역할이 부여된 경우 **Dataproc 작업자** 역할에 포함된 권한이 포함됩니다.
자세한 내용은 Apache Spark용 서버리스 서비스 계정을 참조하세요.

역할을 부여해야 하나요?

조직 정책에 따라 필요한 역할이 이미 부여되었을 수 있습니다.

사용자에게 부여된 역할 확인

사용자에게 역할이 부여되었는지 확인하려면 프로젝트, 폴더, 조직에 대한 액세스 관리 > 현재 액세스 보기에 있는 안내를 따르세요.

서비스 계정에 부여된 역할 확인

서비스 계정에 역할이 부여되었는지 확인하려면 IAM 서비스 계정 역할 보기 및 관리를 참조하세요.

서비스 계정에 부여된 역할 확인

사용자에게 서비스 계정에 대한 역할이 부여되었는지 확인하려면 다음 안내를 따르세요. 서비스 계정에 대한 액세스 관리 > 현재 액세스 보기

Dataproc 역할 및 권한 조회

다음 섹션을 사용하여 Dataproc 역할 및 권한을 조회할 수 있습니다.

Role Permissions

Role	Permissions
Dataproc Administrator (`roles/dataproc.admin`) Full control of Dataproc resources.	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.setIamPolicy` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.getIamPolicy` `dataproc.operations.list` `dataproc.operations.setIamPolicy` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.getIamPolicy` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.setIamPolicy` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.*` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Editor (`roles/dataproc.editor`) Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones. Lowest-level resources where you can grant this role: Cluster	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Hub Agent (`roles/dataproc.hubAgent`) Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.	`compute.instances.get` `compute.instances.setMetadata` `compute.instances.setTags` `compute.zoneOperations.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.use` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.create` `logging.logEntries.list` `logging.logEntries.route` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logScopes.get` `logging.logScopes.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.objects.get` `storage.objects.list`
Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) Permissions needed to run serverless sessions and batches as a user	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Serverless Node. (`roles/dataproc.serverlessNode`) Node access to Dataproc Serverless sessions and batches. Intended for service accounts.	`dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataprocrm.nodePools.*` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.list`
Dataproc Serverless Viewer (`roles/dataproc.serverlessViewer`) Permissions needed to view serverless sessions and batches	`compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.get` `dataproc.batches.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Service Agent (`roles/dataproc.serviceAgent`) Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts. Warning: Do not grant service agent roles to any principals except service agents.	`backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.locations.list` `backupdr.operations.get` `backupdr.operations.list` `backupdr.serviceConfig.initialize` `compute.acceleratorTypes.` `compute.acceleratorTypes.get` `compute.acceleratorTypes.list` `compute.addresses.createInternal` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.list` `compute.addresses.listEffectiveTags` `compute.addresses.listTagBindings` `compute.addresses.use` `compute.addresses.useInternal` `compute.autoscalers.` `compute.autoscalers.create` `compute.autoscalers.delete` `compute.autoscalers.get` `compute.autoscalers.list` `compute.autoscalers.update` `compute.diskSettings.get` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.createTagBinding` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.resize` `compute.disks.setLabels` `compute.disks.startAsyncReplication` `compute.disks.stopAsyncReplication` `compute.disks.stopGroupAsyncReplication` `compute.disks.update` `compute.disks.updateKmsKey` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.get` `compute.firewalls.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.listEffectiveTags` `compute.globalAddresses.listTagBindings` `compute.globalAddresses.use` `compute.globalNetworkEndpointGroups.` `compute.globalNetworkEndpointGroups.attachNetworkEndpoints` `compute.globalNetworkEndpointGroups.create` `compute.globalNetworkEndpointGroups.createTagBinding` `compute.globalNetworkEndpointGroups.delete` `compute.globalNetworkEndpointGroups.deleteTagBinding` `compute.globalNetworkEndpointGroups.detachNetworkEndpoints` `compute.globalNetworkEndpointGroups.get` `compute.globalNetworkEndpointGroups.list` `compute.globalNetworkEndpointGroups.listEffectiveTags` `compute.globalNetworkEndpointGroups.listTagBindings` `compute.globalNetworkEndpointGroups.use` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `compute.instanceGroupManagers.` `compute.instanceGroupManagers.create` `compute.instanceGroupManagers.createTagBinding` `compute.instanceGroupManagers.delete` `compute.instanceGroupManagers.deleteTagBinding` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroupManagers.listEffectiveTags` `compute.instanceGroupManagers.listTagBindings` `compute.instanceGroupManagers.update` `compute.instanceGroupManagers.use` `compute.instanceGroups.` `compute.instanceGroups.create` `compute.instanceGroups.createTagBinding` `compute.instanceGroups.delete` `compute.instanceGroups.deleteTagBinding` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceGroups.listEffectiveTags` `compute.instanceGroups.listTagBindings` `compute.instanceGroups.update` `compute.instanceGroups.use` `compute.instanceSettings.get` `compute.instanceTemplates.` `compute.instanceTemplates.create` `compute.instanceTemplates.delete` `compute.instanceTemplates.get` `compute.instanceTemplates.getIamPolicy` `compute.instanceTemplates.list` `compute.instanceTemplates.setIamPolicy` `compute.instanceTemplates.useReadOnly` `compute.instances.` `compute.instances.addAccessConfig` `compute.instances.addNetworkInterface` `compute.instances.addResourcePolicies` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.deleteAccessConfig` `compute.instances.deleteNetworkInterface` `compute.instances.deleteTagBinding` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.getEffectiveFirewalls` `compute.instances.getGuestAttributes` `compute.instances.getIamPolicy` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.getShieldedInstanceIdentity` `compute.instances.getShieldedVmIdentity` `compute.instances.list` `compute.instances.listEffectiveTags` `compute.instances.listReferrers` `compute.instances.listTagBindings` `compute.instances.osAdminLogin` `compute.instances.osLogin` `compute.instances.pscInterfaceCreate` `compute.instances.removeResourcePolicies` `compute.instances.reset` `compute.instances.resume` `compute.instances.sendDiagnosticInterrupt` `compute.instances.setDeletionProtection` `compute.instances.setDiskAutoDelete` `compute.instances.setIamPolicy` `compute.instances.setLabels` `compute.instances.setMachineResources` `compute.instances.setMachineType` `compute.instances.setMetadata` `compute.instances.setMinCpuPlatform` `compute.instances.setName` `compute.instances.setScheduling` `compute.instances.setSecurityPolicy` `compute.instances.setServiceAccount` `compute.instances.setShieldedInstanceIntegrityPolicy` `compute.instances.setShieldedVmIntegrityPolicy` `compute.instances.setTags` `compute.instances.simulateMaintenanceEvent` `compute.instances.start` `compute.instances.startWithEncryptionKey` `compute.instances.stop` `compute.instances.suspend` `compute.instances.update` `compute.instances.updateAccessConfig` `compute.instances.updateDisplayDevice` `compute.instances.updateNetworkInterface` `compute.instances.updateSecurity` `compute.instances.updateShieldedInstanceConfig` `compute.instances.updateShieldedVmConfig` `compute.instances.use` `compute.instances.useReadOnly` `compute.licenses.get` `compute.licenses.list` `compute.licenses.listEffectiveTags` `compute.licenses.listTagBindings` `compute.machineImages.` `compute.machineImages.create` `compute.machineImages.createTagBinding` `compute.machineImages.delete` `compute.machineImages.deleteTagBinding` `compute.machineImages.get` `compute.machineImages.getIamPolicy` `compute.machineImages.list` `compute.machineImages.listEffectiveTags` `compute.machineImages.listTagBindings` `compute.machineImages.setIamPolicy` `compute.machineImages.setLabels` `compute.machineImages.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.multiMig.` `compute.multiMig.create` `compute.multiMig.delete` `compute.multiMig.get` `compute.multiMig.list` `compute.networkEndpointGroups.` `compute.networkEndpointGroups.attachNetworkEndpoints` `compute.networkEndpointGroups.create` `compute.networkEndpointGroups.createTagBinding` `compute.networkEndpointGroups.delete` `compute.networkEndpointGroups.deleteTagBinding` `compute.networkEndpointGroups.detachNetworkEndpoints` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.list` `compute.networkEndpointGroups.listEffectiveTags` `compute.networkEndpointGroups.listTagBindings` `compute.networkEndpointGroups.use` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listEffectiveTags` `compute.networks.listTagBindings` `compute.networks.setFirewallPolicy` `compute.networks.use` `compute.networks.useExternalIp` `compute.nodeGroups.get` `compute.nodeTypes.get` `compute.projects.get` `compute.regionFirewallPolicies.create` `compute.regionFirewallPolicies.createTagBinding` `compute.regionFirewallPolicies.get` `compute.regionFirewallPolicies.update` `compute.regionFirewallPolicies.use` `compute.regionNetworkEndpointGroups.` `compute.regionNetworkEndpointGroups.attachNetworkEndpoints` `compute.regionNetworkEndpointGroups.create` `compute.regionNetworkEndpointGroups.createTagBinding` `compute.regionNetworkEndpointGroups.delete` `compute.regionNetworkEndpointGroups.deleteTagBinding` `compute.regionNetworkEndpointGroups.detachNetworkEndpoints` `compute.regionNetworkEndpointGroups.get` `compute.regionNetworkEndpointGroups.list` `compute.regionNetworkEndpointGroups.listEffectiveTags` `compute.regionNetworkEndpointGroups.listTagBindings` `compute.regionNetworkEndpointGroups.use` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.reservationBlocks.get` `compute.reservationBlocks.list` `compute.reservationSubBlocks.` `compute.reservationSubBlocks.get` `compute.reservationSubBlocks.list` `compute.reservationSubBlocks.performMaintenance` `compute.reservationSubBlocks.reportFaulty` `compute.reservations.get` `compute.reservations.list` `compute.reservations.listEffectiveTags` `compute.reservations.listTagBindings` `compute.resourcePolicies.list` `compute.resourcePolicies.useReadOnly` `compute.storagePools.get` `compute.storagePools.list` `compute.storagePools.listEffectiveTags` `compute.storagePools.listTagBindings` `compute.storagePools.use` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.listEffectiveTags` `compute.subnetworks.listTagBindings` `compute.subnetworks.setPrivateIpGoogleAccess` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetPools.get` `compute.targetPools.list` `compute.targetPools.listEffectiveTags` `compute.targetPools.listTagBindings` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `container.clusterRoleBindings.` `container.clusterRoleBindings.create` `container.clusterRoleBindings.delete` `container.clusterRoleBindings.get` `container.clusterRoleBindings.list` `container.clusterRoleBindings.update` `container.clusterRoles.` `container.clusterRoles.bind` `container.clusterRoles.create` `container.clusterRoles.delete` `container.clusterRoles.escalate` `container.clusterRoles.get` `container.clusterRoles.list` `container.clusterRoles.update` `container.clusters.connect` `container.clusters.get` `container.clusters.update` `container.customResourceDefinitions.create` `container.customResourceDefinitions.delete` `container.customResourceDefinitions.get` `container.customResourceDefinitions.list` `container.customResourceDefinitions.update` `container.namespaces.create` `container.namespaces.delete` `container.namespaces.get` `container.namespaces.list` `container.namespaces.update` `container.operations.get` `container.roleBindings.` `container.roleBindings.create` `container.roleBindings.delete` `container.roleBindings.get` `container.roleBindings.list` `container.roleBindings.update` `container.roles.bind` `container.roles.escalate` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.sessionTemplates.get` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `dataprocrm.nodes.update` `dataprocrm.operations.cancel` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `firebase.projects.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `metastore.services.get` `monitoring.timeSeries.create` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `resourcemanager.tagKeys.create` `resourcemanager.tagKeys.get` `resourcemanager.tagKeys.getIamPolicy` `resourcemanager.tagKeys.setIamPolicy` `resourcemanager.tagValueBindings.` `resourcemanager.tagValueBindings.create` `resourcemanager.tagValueBindings.delete` `resourcemanager.tagValues.create` `resourcemanager.tagValues.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.services.use` `serviceusage.values.test` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.buckets.viewIntelligenceDetails` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext` `storagebatchoperations.*` `storagebatchoperations.bucketOperations.get` `storagebatchoperations.bucketOperations.list` `storagebatchoperations.jobs.cancel` `storagebatchoperations.jobs.create` `storagebatchoperations.jobs.delete` `storagebatchoperations.jobs.get` `storagebatchoperations.jobs.list` `storagebatchoperations.locations.get` `storagebatchoperations.locations.list` `storagebatchoperations.operations.cancel` `storagebatchoperations.operations.delete` `storagebatchoperations.operations.get` `storagebatchoperations.operations.list`
Dataproc Viewer (`roles/dataproc.viewer`) Provides read-only access to Dataproc resources. Lowest-level resources where you can grant this role: Cluster	`compute.machineTypes.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.batches.analyze` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.nodeGroups.get` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Worker (`roles/dataproc.worker`) Provides worker access to Dataproc resources. Intended for service accounts.	`cloudprofiler.profiles.create` `cloudprofiler.profiles.update` `datalineage.locations.processOpenLineageMessage` `dataproc.agents.` `dataproc.agents.create` `dataproc.agents.delete` `dataproc.agents.get` `dataproc.agents.list` `dataproc.agents.update` `dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationWrite` `dataproc.tasks.` `dataproc.tasks.lease` `dataproc.tasks.listInvalidatedLeases` `dataproc.tasks.reportStatus` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `logging.logEntries.create` `logging.logEntries.route` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create` `storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext` `telemetry.metrics.write`

Dataproc Administrator

(roles/dataproc.admin)

Full control of Dataproc resources.

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.*

dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.repair
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.*

dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.*

dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Editor

(roles/dataproc.editor)

Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.

Lowest-level resources where you can grant this role:

Cluster

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.repair

dataproc.clusters.start

dataproc.clusters.stop

dataproc.clusters.update

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

dataproc.workflowTemplates.instantiate

dataproc.workflowTemplates.instantiateInline

dataproc.workflowTemplates.list

dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Hub Agent

(roles/dataproc.hubAgent)

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

compute.instances.get

compute.instances.setMetadata

compute.instances.setTags

compute.zoneOperations.get

compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.use

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.repair

dataproc.clusters.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.logMetrics.get

logging.logMetrics.list

logging.logScopes.get

logging.logScopes.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.get

storage.objects.list

Dataproc Serverless Editor

(roles/dataproc.serverlessEditor)

Permissions needed to run serverless sessions and batches as a user

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Serverless Node.

(roles/dataproc.serverlessNode)

Node access to Dataproc Serverless sessions and batches. Intended for service accounts.

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationRead

dataproc.sessions.sparkApplicationWrite

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.list

Dataproc Serverless Viewer

(roles/dataproc.serverlessViewer)

Permissions needed to view serverless sessions and batches

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.get

dataproc.batches.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Service Agent

(roles/dataproc.serviceAgent)

Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.

backupdr.backupPlanAssociations.createForComputeDisk

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeDisk

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeDisk

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlanAssociations.updateForComputeDisk

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.locations.list

backupdr.operations.get

backupdr.operations.list

backupdr.serviceConfig.initialize

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.diskSettings.get

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.updateKmsKey

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.get

compute.firewalls.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.createTagBinding
compute.instanceGroups.delete
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceSettings.get

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addNetworkInterface
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteNetworkInterface
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.pscInterfaceCreate
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.licenses.listEffectiveTags

compute.licenses.listTagBindings

compute.machineImages.*

compute.machineImages.create
compute.machineImages.createTagBinding
compute.machineImages.delete
compute.machineImages.deleteTagBinding
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.listEffectiveTags
compute.machineImages.listTagBindings
compute.machineImages.setIamPolicy
compute.machineImages.setLabels
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.multiMig.*

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.setFirewallPolicy

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeTypes.get

compute.projects.get

compute.regionFirewallPolicies.create

compute.regionFirewallPolicies.createTagBinding

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.update

compute.regionFirewallPolicies.use

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservationBlocks.get

compute.reservationBlocks.list

compute.reservationSubBlocks.*

compute.reservationSubBlocks.get
compute.reservationSubBlocks.list
compute.reservationSubBlocks.performMaintenance
compute.reservationSubBlocks.reportFaulty

compute.reservations.get

compute.reservations.list

compute.reservations.listEffectiveTags

compute.reservations.listTagBindings

compute.resourcePolicies.list

compute.resourcePolicies.useReadOnly

compute.storagePools.get

compute.storagePools.list

compute.storagePools.listEffectiveTags

compute.storagePools.listTagBindings

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.setPrivateIpGoogleAccess

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

container.clusterRoleBindings.*

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update

container.clusterRoles.*

container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update

container.clusters.connect

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.namespaces.update

container.operations.get

container.roleBindings.*

container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update

container.roles.bind

container.roles.escalate

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.repair
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.sessionTemplates.get

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.*

dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update

dataprocrm.operations.cancel

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

metastore.services.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagKeys.create

resourcemanager.tagKeys.get

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.setIamPolicy

resourcemanager.tagValueBindings.*

resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete

resourcemanager.tagValues.create

resourcemanager.tagValues.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

serviceusage.values.test

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.buckets.viewIntelligenceDetails

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext

storagebatchoperations.*

storagebatchoperations.bucketOperations.get
storagebatchoperations.bucketOperations.list
storagebatchoperations.jobs.cancel
storagebatchoperations.jobs.create
storagebatchoperations.jobs.delete
storagebatchoperations.jobs.get
storagebatchoperations.jobs.list
storagebatchoperations.locations.get
storagebatchoperations.locations.list
storagebatchoperations.operations.cancel
storagebatchoperations.operations.delete
storagebatchoperations.operations.get
storagebatchoperations.operations.list

Dataproc Viewer

(roles/dataproc.viewer)

Provides read-only access to Dataproc resources.

Lowest-level resources where you can grant this role:

Cluster

compute.machineTypes.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.batches.analyze

dataproc.batches.get

dataproc.batches.list

dataproc.batches.sparkApplicationRead

dataproc.clusters.get

dataproc.clusters.list

dataproc.jobs.get

dataproc.jobs.list

dataproc.nodeGroups.get

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

dataproc.sessions.sparkApplicationRead

dataproc.workflowTemplates.get

dataproc.workflowTemplates.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Worker

(roles/dataproc.worker)

Provides worker access to Dataproc resources. Intended for service accounts.

cloudprofiler.profiles.create

cloudprofiler.profiles.update

datalineage.locations.processOpenLineageMessage

dataproc.agents.*

dataproc.agents.create
dataproc.agents.delete
dataproc.agents.get
dataproc.agents.list
dataproc.agents.update

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationWrite

dataproc.tasks.*

dataproc.tasks.lease
dataproc.tasks.listInvalidatedLeases
dataproc.tasks.reportStatus

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.mintOAuthToken

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

storage.objects.delete

storage.objects.deleteContext

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

storage.objects.overrideUnlockedRetention

storage.objects.restore

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

storage.objects.updateContext

telemetry.metrics.write

프로젝트 역할

IAM 프로젝트 역할을 사용하여 프로젝트 수준에서 권한을 설정할 수도 있습니다. 다음 표에는 IAM 프로젝트 역할과 연결된 권한이 요약되어 있습니다.

프로젝트 역할	권한
프로젝트 뷰어	상태를 보존하는 읽기 전용 작업에 대한 모든 프로젝트 권한(가져오기, 표시)
프로젝트 편집자	모든 프로젝트 뷰어 권한에 더해 상태를 수정하는 작업에 대한 모든 프로젝트 권한(만들기, 삭제, 업데이트, 사용, 취소, 중지, 시작)
프로젝트 소유자	모든 프로젝트 편집자 권한에 더해 프로젝트에 대한 액세스 제어를 관리하고 (IamPolicy 가져오기/설정) 프로젝트 결제를 설정하는 권한

다음 단계

프로젝트, 폴더, 조직에 대한 액세스 관리 방법 알아보기

Apache Spark용 서버리스 권한 및 IAM 역할 컬렉션을 사용해 정리하기 내 환경설정을 기준으로 콘텐츠를 저장하고 분류하세요.

Apache Spark용 서버리스의 Dataproc 권한

배치 권한

세션 권한

세션 템플릿 권한

작업 권한

Apache Spark용 서버리스 3.0+ 런타임 권한

워크로드 권한

NodePools 권한

노드 권한

작업 권한

Apache Spark용 서버리스 역할 요구사항

역할을 부여해야 하나요?

사용자에게 부여된 역할 확인

서비스 계정에 부여된 역할 확인

서비스 계정에 부여된 역할 확인

Dataproc 역할 및 권한 조회

Dataproc Administrator

Dataproc Editor

Dataproc Hub Agent

Dataproc Serverless Editor

Dataproc Serverless Node.

Dataproc Serverless Viewer

Dataproc Service Agent

Dataproc Viewer

Dataproc Worker

프로젝트 역할

다음 단계

Apache Spark용 서버리스 권한 및 IAM 역할