Permissões e papéis do IAM para o Serverless para Apache Spark

O Identity and Access Management (IAM) permite controlar o acesso aos recursos do seu projeto. Este documento se concentra nas permissões do IAM relevantes ao Serverless para Apache Spark e nos papéis do IAM que concedem essas permissões.

Permissões do Dataproc para o Serverless para Apache Spark

As permissões do Dataproc permitem que usuários e contas de serviço, executem ações em recursos do Serverless para Apache Spark. Por exemplo, a dataproc.batches.create permissão permite criar cargas de trabalho em lote em um projeto.

Você não concede permissões diretamente aos usuários. Em vez disso, você concede papéis do IAM, que já têm uma ou mais permissões incluídas . É possível conceder papéis predefinidos que contêm uma lista de permissões ou criar e conceder papéis personalizados que contêm uma ou mais permissões incluídas no papel personalizado.

As tabelas a seguir listam as permissões básicas necessárias para chamar as APIs (métodos) do Dataproc que criam ou acessam recursos do Serverless para Apache Spark. As tabelas são organizadas de acordo com as APIs associadas a cada recurso do Serverless para Apache Spark, que incluem batches, sessions, sessionTemplates e operations.

Exemplos:

dataproc.batches.create permite a criação de lotes no projeto.
dataproc.sessions.create permite a criação de sessões interativas em o projeto.

Permissões de lote

Método	Permissão exigida
projects.locations.batches.create	dataproc.batches.create ¹
projects.locations.batches.delete	dataproc.batches.delete
projects.locations.batches.get	dataproc.batches.get
projects.locations.batches.list	dataproc.batches.list

¹ dataproc.batches.create também exige dataproc.batches.get e dataproc.operations.get permissões para receber atualizações de status da ferramenta de linha de comando gcloud.

Permissões de sessão

Método	Permissão exigida
projects.locations.sessions.create	dataproc.sessions.create ¹
projects.locations.sessions.delete	dataproc.sessions.delete
projects.locations.sessions.get	dataproc.sessions.get
projects.locations.sessions.list	dataproc.sessions.list
projects.locations.sessions.terminate	dataproc.sessions.terminate

¹ dataproc.sessions.create também exige dataproc.sessions.get e dataproc.operations.get permissões para receber atualizações de status da ferramenta de linha de comando gcloud.

Permissões de modelo de sessão

Método	Permissão exigida
projects.locations.sessionTemplates.create	dataproc.sessionTemplates.create ¹
projects.locations.sessionTemplates.delete	dataproc.sessionTemplates.delete
projects.locations.sessionTemplates.get	dataproc.sessionTemplates.get
projects.locations.sessionTemplates.list	dataproc.sessionTemplates.list
projects.locations.sessionTemplates.update	dataproc.sessionTemplates.update

¹ dataproc.sessionTemplates.create também exige dataproc.sessionTemplates.get e dataproc.operations.get permissões para receber atualizações de status da ferramenta de linha de comando gcloud.

Permissões de operações

Método	Permissão exigida
projects.regions.operations.get	dataproc.operations.get
projects.regions.operations.list	dataproc.operations.list
projects.regions.operations.cancel ¹	dataproc.operations.cancel
projects.regions.operations.delete	dataproc.operations.delete
projects.regions.operations.getIamPolicy	dataproc.operations.getIamPolicy
projects.regions.operations.setIamPolicy	dataproc.operations.setIamPolicy

¹ Para cancelar operações em lote, dataproc.operations.cancel também exige dataproc.batches.cancel permissão.

Permissões do ambiente de execução do Serverless para Apache Spark 3.0 e versões mais recentes

As permissões a seguir se aplicam ao Serverless para Apache Spark 3.0 e ambientes de execução mais recentes.

Permissões de cargas de trabalho

Método	Permissão exigida
dataprocrm.v1.dataprocrm.projects.locations.workloads.create	dataprocrm.workloads.create
dataprocrm.v1.dataprocrm.projects.locations.workloads.cancel	dataprocrm.workloads.cancel
dataprocrm.v1.dataprocrm.projects.locations.workloads.delete	dataprocrm.workloads.delete
dataprocrm.v1.dataprocrm.projects.locations.workloads.get	dataprocrm.workloads.get
dataprocrm.v1.dataprocrm.projects.locations.workloads.list	dataprocrm.workloads.list
dataprocrm.v1.dataprocrm.projects.locations.workloads.use	dataprocrm.workloads.use

Permissões de NodePools

Método	Permissão exigida
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.create	dataprocrm.nodePools.create
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.delete	dataprocrm.nodePools.delete
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.resize	dataprocrm.nodePools.resize
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.deleteNodes	dataprocrm.nodePools.deleteNodes
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.update	dataprocrm.nodePools.update
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.get	dataprocrm.nodePools.get
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.list	dataprocrm.nodePools.list

Permissões de nós

Método	Permissão exigida
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.create	dataprocrm.nodes.create
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.delete	dataprocrm.nodes.delete
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.update	dataprocrm.nodes.update
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.heartbeat	dataprocrm.nodes.heartbeat
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.get	dataprocrm.nodes.get
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.list	dataprocrm.nodes.list
dataprocrm.v1.dataprocrm.projects.locations.workloads.nodePools.nodes.mintOAuthToken	dataprocrm.nodes.mintOAuthToken

Permissões de operações

Método	Permissão exigida
dataprocrm.v1.dataprocrm.projects.locations.operations.get	dataprocrm.operations.get
dataprocrm.v1.dataprocrm.projects.locations.operations.list	dataprocrm.operations.list

Requisitos de papéis do Serverless para Apache Spark

A tabela a seguir lista os papéis que contêm as permissões necessárias para gerenciar cargas de trabalho e sessões em lote. Os requisitos podem variar dependendo da versão do ambiente de execução do lote ou da sessão e se o lote ou a sessão está sendo executado com credenciais de conta de serviço ou de usuário final (EUC).

Versão do ambiente de execução Papéis IAM

Versão do ambiente de execução	Papéis IAM
pre-`3.0`	Conceda aos usuários os seguintes papéis: Papel de Editor do Dataproc para executar lotes ou sessões ou o papel de Visualizador do Dataproc para receber e listar lotes e sessões. Papel de Usuário da conta de serviço na conta de serviço padrão do Compute Engine ou em uma conta de serviço personalizada. Conceda à conta de serviço padrão do Compute Engine ou a uma conta de serviço personalizada o papel de Worker do Dataproc.
`3.0` e versões mais recentes	Conceda aos usuários os seguintes papéis: Papel de Editor do Dataproc sem servidor para enviar lotes e sessões ou o papel de Visualizador do Dataproc sem servidor para receber e listar lotes e sessões. Se você selecionar Credenciais da conta de serviço em vez de aceitar as Credenciais do usuário final (EUC) padrão do ambiente de execução `3.0`+, conceda aos usuários o papel de Usuário da conta de serviço em uma conta de serviço personalizada especificada pelo usuário e conceda à conta de serviço personalizada especificada pelo usuário o papel de Nó do Dataproc sem servidor. .

pre-3.0

Conceda aos usuários os seguintes papéis:

Papel de Editor do Dataproc para executar lotes ou sessões ou o papel de Visualizador do Dataproc para receber e listar lotes e sessões.
Papel de Usuário da conta de serviço na conta de serviço padrão do Compute Engine ou em uma conta de serviço personalizada.

Conceda à conta de serviço padrão do Compute Engine ou a uma conta de serviço personalizada o papel de Worker do Dataproc.

3.0 e versões mais recentes

Conceda aos usuários os seguintes papéis:

Papel de Editor do Dataproc sem servidor para enviar lotes e sessões ou o papel de Visualizador do Dataproc sem servidor para receber e listar lotes e sessões.
Se você selecionar Credenciais da conta de serviço em vez de aceitar as Credenciais do usuário final (EUC) padrão do ambiente de execução 3.0+, conceda aos usuários o papel de Usuário da conta de serviço em uma conta de serviço personalizada especificada pelo usuário e conceda à conta de serviço personalizada especificada pelo usuário o papel de Nó do Dataproc sem servidor.

Observações:

Ao enviar uma carga de trabalho em lote ou criar uma sessão interativa com um ambiente de execução 3.0+ e credenciais de usuário final (o padrão 3.0+), as operações do sistema de plano de dados são executadas pelo agente de serviço do nó do Resource Manager do Dataproc. Para mais informações, consulte Conta de serviço do agente de serviço do ambiente de execução 3.0+.
Para compatibilidade com versões anteriores, os papéis legados de Editor do Dataproc e Visualizador do Dataproc podem ser concedidos com ambientes de execução 3.0+ em vez dos papéis de Editor do Dataproc sem servidor e Visualizador do Dataproc sem servidor. Além disso, o papel de Worker do Dataproc pode ser concedido em vez do papel de Nó do Dataproc sem servidor.
Se uma conta de serviço tiver recebido o papel de Editor do projeto, ela conterá as permissões incluídas no papel de Worker do Dataproc.
Para mais informações, consulte Contas de serviço do Serverless para Apache Spark.

Você precisa conceder papéis?

Dependendo da política da sua organização, um papel necessário já pode ter sido concedido.

Verificar os papéis concedidos aos usuários

Para saber se um usuário recebeu um papel, siga as instruções em Gerenciar o acesso a projetos, pastas e organizações > Visualizar o acesso atual.

Verificar os papéis concedidos às contas de serviço

Para saber se uma conta de serviço recebeu um papel, consulte Visualizar e gerenciar papéis de conta de serviço do IAM.

Verificar os papéis concedidos em uma conta de serviço

Para saber se um usuário recebeu um papel em uma conta de serviço, siga as instruções em Gerenciar o acesso a contas de serviço > Visualizar o acesso atual.

Consultar papéis e permissões do Dataproc

Use as seções a seguir para consultar papéis e permissões do Dataproc.

Role Permissions

Role	Permissions
Dataproc Administrator (`roles/dataproc.admin`) Full control of Dataproc resources.	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.setIamPolicy` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.getIamPolicy` `dataproc.operations.list` `dataproc.operations.setIamPolicy` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.getIamPolicy` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.setIamPolicy` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.*` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Editor (`roles/dataproc.editor`) Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones. Lowest-level resources where you can grant this role: Cluster	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Hub Agent (`roles/dataproc.hubAgent`) Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.	`compute.instances.get` `compute.instances.setMetadata` `compute.instances.setTags` `compute.zoneOperations.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.use` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.create` `logging.logEntries.list` `logging.logEntries.route` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logScopes.get` `logging.logScopes.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.objects.get` `storage.objects.list`
Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) Permissions needed to run serverless sessions and batches as a user	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Serverless Node. (`roles/dataproc.serverlessNode`) Node access to Dataproc Serverless sessions and batches. Intended for service accounts.	`dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataprocrm.nodePools.*` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.list`
Dataproc Serverless Viewer (`roles/dataproc.serverlessViewer`) Permissions needed to view serverless sessions and batches	`compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.get` `dataproc.batches.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Service Agent (`roles/dataproc.serviceAgent`) Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts. Warning: Do not grant service agent roles to any principals except service agents.	`backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.locations.list` `backupdr.operations.get` `backupdr.operations.list` `backupdr.serviceConfig.initialize` `compute.acceleratorTypes.` `compute.acceleratorTypes.get` `compute.acceleratorTypes.list` `compute.addresses.createInternal` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.list` `compute.addresses.listEffectiveTags` `compute.addresses.listTagBindings` `compute.addresses.use` `compute.addresses.useInternal` `compute.autoscalers.` `compute.autoscalers.create` `compute.autoscalers.delete` `compute.autoscalers.get` `compute.autoscalers.list` `compute.autoscalers.update` `compute.diskSettings.get` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.createTagBinding` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.resize` `compute.disks.setLabels` `compute.disks.startAsyncReplication` `compute.disks.stopAsyncReplication` `compute.disks.stopGroupAsyncReplication` `compute.disks.update` `compute.disks.updateKmsKey` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.get` `compute.firewalls.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.listEffectiveTags` `compute.globalAddresses.listTagBindings` `compute.globalAddresses.use` `compute.globalNetworkEndpointGroups.` `compute.globalNetworkEndpointGroups.attachNetworkEndpoints` `compute.globalNetworkEndpointGroups.create` `compute.globalNetworkEndpointGroups.createTagBinding` `compute.globalNetworkEndpointGroups.delete` `compute.globalNetworkEndpointGroups.deleteTagBinding` `compute.globalNetworkEndpointGroups.detachNetworkEndpoints` `compute.globalNetworkEndpointGroups.get` `compute.globalNetworkEndpointGroups.list` `compute.globalNetworkEndpointGroups.listEffectiveTags` `compute.globalNetworkEndpointGroups.listTagBindings` `compute.globalNetworkEndpointGroups.use` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `compute.instanceGroupManagers.` `compute.instanceGroupManagers.create` `compute.instanceGroupManagers.createTagBinding` `compute.instanceGroupManagers.delete` `compute.instanceGroupManagers.deleteTagBinding` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroupManagers.listEffectiveTags` `compute.instanceGroupManagers.listTagBindings` `compute.instanceGroupManagers.update` `compute.instanceGroupManagers.use` `compute.instanceGroups.` `compute.instanceGroups.create` `compute.instanceGroups.createTagBinding` `compute.instanceGroups.delete` `compute.instanceGroups.deleteTagBinding` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceGroups.listEffectiveTags` `compute.instanceGroups.listTagBindings` `compute.instanceGroups.update` `compute.instanceGroups.use` `compute.instanceSettings.get` `compute.instanceTemplates.` `compute.instanceTemplates.create` `compute.instanceTemplates.delete` `compute.instanceTemplates.get` `compute.instanceTemplates.getIamPolicy` `compute.instanceTemplates.list` `compute.instanceTemplates.setIamPolicy` `compute.instanceTemplates.useReadOnly` `compute.instances.` `compute.instances.addAccessConfig` `compute.instances.addNetworkInterface` `compute.instances.addResourcePolicies` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.deleteAccessConfig` `compute.instances.deleteNetworkInterface` `compute.instances.deleteTagBinding` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.getEffectiveFirewalls` `compute.instances.getGuestAttributes` `compute.instances.getIamPolicy` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.getShieldedInstanceIdentity` `compute.instances.getShieldedVmIdentity` `compute.instances.list` `compute.instances.listEffectiveTags` `compute.instances.listReferrers` `compute.instances.listTagBindings` `compute.instances.osAdminLogin` `compute.instances.osLogin` `compute.instances.pscInterfaceCreate` `compute.instances.removeResourcePolicies` `compute.instances.reset` `compute.instances.resume` `compute.instances.sendDiagnosticInterrupt` `compute.instances.setDeletionProtection` `compute.instances.setDiskAutoDelete` `compute.instances.setIamPolicy` `compute.instances.setLabels` `compute.instances.setMachineResources` `compute.instances.setMachineType` `compute.instances.setMetadata` `compute.instances.setMinCpuPlatform` `compute.instances.setName` `compute.instances.setScheduling` `compute.instances.setSecurityPolicy` `compute.instances.setServiceAccount` `compute.instances.setShieldedInstanceIntegrityPolicy` `compute.instances.setShieldedVmIntegrityPolicy` `compute.instances.setTags` `compute.instances.simulateMaintenanceEvent` `compute.instances.start` `compute.instances.startWithEncryptionKey` `compute.instances.stop` `compute.instances.suspend` `compute.instances.update` `compute.instances.updateAccessConfig` `compute.instances.updateDisplayDevice` `compute.instances.updateNetworkInterface` `compute.instances.updateSecurity` `compute.instances.updateShieldedInstanceConfig` `compute.instances.updateShieldedVmConfig` `compute.instances.use` `compute.instances.useReadOnly` `compute.licenses.get` `compute.licenses.list` `compute.licenses.listEffectiveTags` `compute.licenses.listTagBindings` `compute.machineImages.` `compute.machineImages.create` `compute.machineImages.createTagBinding` `compute.machineImages.delete` `compute.machineImages.deleteTagBinding` `compute.machineImages.get` `compute.machineImages.getIamPolicy` `compute.machineImages.list` `compute.machineImages.listEffectiveTags` `compute.machineImages.listTagBindings` `compute.machineImages.setIamPolicy` `compute.machineImages.setLabels` `compute.machineImages.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.multiMig.` `compute.multiMig.create` `compute.multiMig.delete` `compute.multiMig.get` `compute.multiMig.list` `compute.networkEndpointGroups.` `compute.networkEndpointGroups.attachNetworkEndpoints` `compute.networkEndpointGroups.create` `compute.networkEndpointGroups.createTagBinding` `compute.networkEndpointGroups.delete` `compute.networkEndpointGroups.deleteTagBinding` `compute.networkEndpointGroups.detachNetworkEndpoints` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.list` `compute.networkEndpointGroups.listEffectiveTags` `compute.networkEndpointGroups.listTagBindings` `compute.networkEndpointGroups.use` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listEffectiveTags` `compute.networks.listTagBindings` `compute.networks.setFirewallPolicy` `compute.networks.use` `compute.networks.useExternalIp` `compute.nodeGroups.get` `compute.nodeTypes.get` `compute.projects.get` `compute.regionFirewallPolicies.create` `compute.regionFirewallPolicies.createTagBinding` `compute.regionFirewallPolicies.get` `compute.regionFirewallPolicies.update` `compute.regionFirewallPolicies.use` `compute.regionNetworkEndpointGroups.` `compute.regionNetworkEndpointGroups.attachNetworkEndpoints` `compute.regionNetworkEndpointGroups.create` `compute.regionNetworkEndpointGroups.createTagBinding` `compute.regionNetworkEndpointGroups.delete` `compute.regionNetworkEndpointGroups.deleteTagBinding` `compute.regionNetworkEndpointGroups.detachNetworkEndpoints` `compute.regionNetworkEndpointGroups.get` `compute.regionNetworkEndpointGroups.list` `compute.regionNetworkEndpointGroups.listEffectiveTags` `compute.regionNetworkEndpointGroups.listTagBindings` `compute.regionNetworkEndpointGroups.use` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.reservationBlocks.get` `compute.reservationBlocks.list` `compute.reservationSubBlocks.` `compute.reservationSubBlocks.get` `compute.reservationSubBlocks.list` `compute.reservationSubBlocks.performMaintenance` `compute.reservationSubBlocks.reportFaulty` `compute.reservations.get` `compute.reservations.list` `compute.reservations.listEffectiveTags` `compute.reservations.listTagBindings` `compute.resourcePolicies.list` `compute.resourcePolicies.useReadOnly` `compute.storagePools.get` `compute.storagePools.list` `compute.storagePools.listEffectiveTags` `compute.storagePools.listTagBindings` `compute.storagePools.use` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.listEffectiveTags` `compute.subnetworks.listTagBindings` `compute.subnetworks.setPrivateIpGoogleAccess` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetPools.get` `compute.targetPools.list` `compute.targetPools.listEffectiveTags` `compute.targetPools.listTagBindings` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `container.clusterRoleBindings.` `container.clusterRoleBindings.create` `container.clusterRoleBindings.delete` `container.clusterRoleBindings.get` `container.clusterRoleBindings.list` `container.clusterRoleBindings.update` `container.clusterRoles.` `container.clusterRoles.bind` `container.clusterRoles.create` `container.clusterRoles.delete` `container.clusterRoles.escalate` `container.clusterRoles.get` `container.clusterRoles.list` `container.clusterRoles.update` `container.clusters.connect` `container.clusters.get` `container.clusters.update` `container.customResourceDefinitions.create` `container.customResourceDefinitions.delete` `container.customResourceDefinitions.get` `container.customResourceDefinitions.list` `container.customResourceDefinitions.update` `container.namespaces.create` `container.namespaces.delete` `container.namespaces.get` `container.namespaces.list` `container.namespaces.update` `container.operations.get` `container.roleBindings.` `container.roleBindings.create` `container.roleBindings.delete` `container.roleBindings.get` `container.roleBindings.list` `container.roleBindings.update` `container.roles.bind` `container.roles.escalate` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.sessionTemplates.get` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `dataprocrm.nodes.update` `dataprocrm.operations.cancel` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `firebase.projects.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `metastore.services.get` `monitoring.timeSeries.create` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `resourcemanager.tagKeys.create` `resourcemanager.tagKeys.get` `resourcemanager.tagKeys.getIamPolicy` `resourcemanager.tagKeys.setIamPolicy` `resourcemanager.tagValueBindings.` `resourcemanager.tagValueBindings.create` `resourcemanager.tagValueBindings.delete` `resourcemanager.tagValues.create` `resourcemanager.tagValues.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.services.use` `serviceusage.values.test` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.buckets.viewIntelligenceDetails` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext` `storagebatchoperations.*` `storagebatchoperations.jobs.cancel` `storagebatchoperations.jobs.create` `storagebatchoperations.jobs.delete` `storagebatchoperations.jobs.get` `storagebatchoperations.jobs.list` `storagebatchoperations.locations.get` `storagebatchoperations.locations.list` `storagebatchoperations.operations.cancel` `storagebatchoperations.operations.delete` `storagebatchoperations.operations.get` `storagebatchoperations.operations.list`
Dataproc Viewer (`roles/dataproc.viewer`) Provides read-only access to Dataproc resources. Lowest-level resources where you can grant this role: Cluster	`compute.machineTypes.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.batches.analyze` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.nodeGroups.get` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Worker (`roles/dataproc.worker`) Provides worker access to Dataproc resources. Intended for service accounts.	`cloudprofiler.profiles.create` `cloudprofiler.profiles.update` `datalineage.locations.processOpenLineageMessage` `dataproc.agents.` `dataproc.agents.create` `dataproc.agents.delete` `dataproc.agents.get` `dataproc.agents.list` `dataproc.agents.update` `dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationWrite` `dataproc.tasks.` `dataproc.tasks.lease` `dataproc.tasks.listInvalidatedLeases` `dataproc.tasks.reportStatus` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `logging.logEntries.create` `logging.logEntries.route` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create` `storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext` `telemetry.metrics.write`

Dataproc Administrator

(roles/dataproc.admin)

Full control of Dataproc resources.

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.*

dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.repair
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.*

dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.*

dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Editor

(roles/dataproc.editor)

Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.

Lowest-level resources where you can grant this role:

Cluster

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.repair

dataproc.clusters.start

dataproc.clusters.stop

dataproc.clusters.update

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

dataproc.workflowTemplates.instantiate

dataproc.workflowTemplates.instantiateInline

dataproc.workflowTemplates.list

dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Hub Agent

(roles/dataproc.hubAgent)

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

compute.instances.get

compute.instances.setMetadata

compute.instances.setTags

compute.zoneOperations.get

compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.use

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.repair

dataproc.clusters.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.logMetrics.get

logging.logMetrics.list

logging.logScopes.get

logging.logScopes.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.get

storage.objects.list

Dataproc Serverless Editor

(roles/dataproc.serverlessEditor)

Permissions needed to run serverless sessions and batches as a user

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Serverless Node.

(roles/dataproc.serverlessNode)

Node access to Dataproc Serverless sessions and batches. Intended for service accounts.

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationRead

dataproc.sessions.sparkApplicationWrite

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.list

Dataproc Serverless Viewer

(roles/dataproc.serverlessViewer)

Permissions needed to view serverless sessions and batches

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.get

dataproc.batches.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Service Agent

(roles/dataproc.serviceAgent)

Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.

backupdr.backupPlanAssociations.createForComputeDisk

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeDisk

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeDisk

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlanAssociations.updateForComputeDisk

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.locations.list

backupdr.operations.get

backupdr.operations.list

backupdr.serviceConfig.initialize

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.diskSettings.get

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.updateKmsKey

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.get

compute.firewalls.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.createTagBinding
compute.instanceGroups.delete
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceSettings.get

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addNetworkInterface
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteNetworkInterface
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.pscInterfaceCreate
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.licenses.listEffectiveTags

compute.licenses.listTagBindings

compute.machineImages.*

compute.machineImages.create
compute.machineImages.createTagBinding
compute.machineImages.delete
compute.machineImages.deleteTagBinding
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.listEffectiveTags
compute.machineImages.listTagBindings
compute.machineImages.setIamPolicy
compute.machineImages.setLabels
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.multiMig.*

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.setFirewallPolicy

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeTypes.get

compute.projects.get

compute.regionFirewallPolicies.create

compute.regionFirewallPolicies.createTagBinding

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.update

compute.regionFirewallPolicies.use

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservationBlocks.get

compute.reservationBlocks.list

compute.reservationSubBlocks.*

compute.reservationSubBlocks.get
compute.reservationSubBlocks.list
compute.reservationSubBlocks.performMaintenance
compute.reservationSubBlocks.reportFaulty

compute.reservations.get

compute.reservations.list

compute.reservations.listEffectiveTags

compute.reservations.listTagBindings

compute.resourcePolicies.list

compute.resourcePolicies.useReadOnly

compute.storagePools.get

compute.storagePools.list

compute.storagePools.listEffectiveTags

compute.storagePools.listTagBindings

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.setPrivateIpGoogleAccess

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

container.clusterRoleBindings.*

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update

container.clusterRoles.*

container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update

container.clusters.connect

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.namespaces.update

container.operations.get

container.roleBindings.*

container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update

container.roles.bind

container.roles.escalate

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.repair
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.sessionTemplates.get

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.*

dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update

dataprocrm.operations.cancel

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

metastore.services.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagKeys.create

resourcemanager.tagKeys.get

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.setIamPolicy

resourcemanager.tagValueBindings.*

resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete

resourcemanager.tagValues.create

resourcemanager.tagValues.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

serviceusage.values.test

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.buckets.viewIntelligenceDetails

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext

storagebatchoperations.*

storagebatchoperations.jobs.cancel
storagebatchoperations.jobs.create
storagebatchoperations.jobs.delete
storagebatchoperations.jobs.get
storagebatchoperations.jobs.list
storagebatchoperations.locations.get
storagebatchoperations.locations.list
storagebatchoperations.operations.cancel
storagebatchoperations.operations.delete
storagebatchoperations.operations.get
storagebatchoperations.operations.list

Dataproc Viewer

(roles/dataproc.viewer)

Provides read-only access to Dataproc resources.

Lowest-level resources where you can grant this role:

Cluster

compute.machineTypes.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.batches.analyze

dataproc.batches.get

dataproc.batches.list

dataproc.batches.sparkApplicationRead

dataproc.clusters.get

dataproc.clusters.list

dataproc.jobs.get

dataproc.jobs.list

dataproc.nodeGroups.get

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

dataproc.sessions.sparkApplicationRead

dataproc.workflowTemplates.get

dataproc.workflowTemplates.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Worker

(roles/dataproc.worker)

Provides worker access to Dataproc resources. Intended for service accounts.

cloudprofiler.profiles.create

cloudprofiler.profiles.update

datalineage.locations.processOpenLineageMessage

dataproc.agents.*

dataproc.agents.create
dataproc.agents.delete
dataproc.agents.get
dataproc.agents.list
dataproc.agents.update

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationWrite

dataproc.tasks.*

dataproc.tasks.lease
dataproc.tasks.listInvalidatedLeases
dataproc.tasks.reportStatus

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.mintOAuthToken

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

storage.objects.delete

storage.objects.deleteContext

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

storage.objects.overrideUnlockedRetention

storage.objects.restore

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

storage.objects.updateContext

telemetry.metrics.write

Papéis do projeto

Você também pode definir permissões no nível do projeto usando os papéis do IAM Projeto. A tabela a seguir resume as permissões associadas aos papéis do projeto do IAM:

Papel do projeto	Permissões
Visualizador do projeto	Todas as permissões do projeto para ações somente leitura que preservam o estado (get, lista)
Editor do projeto	Todas as permissões do Visualizador do projeto acrescidas de todas as permissões do projeto para ações que modificam o estado (criar, excluir, atualizar, usar, cancelar, interromper, iniciar)
Proprietário do projeto	Todas as permissões do Editor do projeto acrescidas das permissões para gerenciar o controle de acesso do projeto (get/set IamPolicy) e configurar o faturamento do projeto

A seguir

Saiba como gerenciar o acesso a projetos, pastas e organizações.

Permissões e papéis do IAM para o Serverless para Apache Spark Mantenha tudo organizado com as coleções Salve e categorize o conteúdo com base nas suas preferências.

Permissões do Dataproc para o Serverless para Apache Spark

Permissões de lote

Permissões de sessão

Permissões de modelo de sessão

Permissões de operações

Permissões do ambiente de execução do Serverless para Apache Spark 3.0 e versões mais recentes

Permissões de cargas de trabalho

Permissões de NodePools

Permissões de nós

Permissões de operações

Requisitos de papéis do Serverless para Apache Spark

Você precisa conceder papéis?

Verificar os papéis concedidos aos usuários

Verificar os papéis concedidos às contas de serviço

Verificar os papéis concedidos em uma conta de serviço

Consultar papéis e permissões do Dataproc

Dataproc Administrator

Dataproc Editor

Dataproc Hub Agent

Dataproc Serverless Editor

Dataproc Serverless Node.

Dataproc Serverless Viewer

Dataproc Service Agent

Dataproc Viewer

Dataproc Worker

Papéis do projeto

A seguir

Permissões e papéis do IAM para o Serverless para Apache Spark