"Managed Service for Apache Spark" è il nuovo nome del prodotto precedentemente noto come "Dataproc on Compute Engine" (deployment del cluster) e "Google Cloud Serverless for Apache Spark" (deployment serverless).

Ruoli e autorizzazioni IAM (Identity and Access Management) di Managed Service per Apache Spark

Identity and Access Management (IAM) ti consente di controllare l'accesso di utenti e gruppi alle risorse del progetto. Questo documento si concentra sulle autorizzazioni IAM pertinenti a Managed Service for Apache Spark e sui ruoli IAM che concedono queste autorizzazioni.

Autorizzazioni di Managed Service per Apache Spark

Le autorizzazioni di Managed Service per Apache Spark consentono agli utenti, inclusi gli account di servizio, di eseguire azioni su cluster, job, operazioni e modelli di workflow di Managed Service per Apache Spark. Ad esempio, l'autorizzazione dataproc.clusters.create consente a un utente di creare cluster Managed Service for Apache Spark in un progetto. In genere, non concedi autorizzazioni, ma ruoli, che includono una o più autorizzazioni.

Le tabelle seguenti elencano le autorizzazioni necessarie per chiamare le API (metodi) di Managed Service for Apache Spark. Le tabelle sono organizzate in base alle API associate a ogni risorsa Managed Service per Apache Spark (cluster, job, operazioni e modelli di workflow).

Ambito delle autorizzazioni:l'ambito delle autorizzazioni di Managed Service for Apache Spark elencate nelle tabelle seguenti è il progetto Google Cloudcontenitore (ambitocloud-platform). Consulta Autorizzazioni account di servizio.

Esempi:

dataproc.clusters.create consente la creazione di cluster Managed Service per Apache Spark nel progetto contenitore
dataproc.jobs.create consente l'invio di job Managed Service per Apache Spark ai cluster Managed Service per Apache Spark nel progetto contenitore
dataproc.clusters.list consente l'elenco dei dettagli dei cluster Managed Service per Apache Spark nel progetto contenitore

Autorizzazioni richieste per i metodi dei cluster

Metodo	Autorizzazioni obbligatorie
projects.regions.clusters.create ^{1, 2}	dataproc.clusters.create
projects.regions.clusters.get	dataproc.clusters.get
projects.regions.clusters.list	dataproc.clusters.list
projects.regions.clusters.patch ^{1, 2, 3}	dataproc.clusters.update
projects.regions.clusters.delete ¹	dataproc.clusters.delete
projects.regions.clusters.start	dataproc.clusters.start
projects.regions.clusters.stop	dataproc.clusters.stop
projects.regions.clusters.getIamPolicy	dataproc.clusters.getIamPolicy
projects.regions.clusters.setIamPolicy	dataproc.clusters.setIamPolicy

Note:

È necessaria anche l'autorizzazione dataproc.operations.get per ricevere aggiornamenti di stato da Google Cloud CLI.
L'autorizzazione dataproc.clusters.get è necessaria anche per ottenere il risultato dell'operazione da Google Cloud CLI.
È necessaria anche l'autorizzazione dataproc.autoscalingPolicies.use per abilitare un criterio di scalabilità automatica su un cluster.

Autorizzazioni richieste per i metodi dei job

Metodo	Autorizzazioni obbligatorie
projects.regions.jobs.submit ^{1, 2}	dataproc.jobs.create dataproc.clusters.use
projects.regions.jobs.get	dataproc.jobs.get
projects.regions.jobs.list	dataproc.jobs.list
projects.regions.jobs.cancel ¹	dataproc.jobs.cancel
projects.regions.jobs.patch ¹	dataproc.jobs.update
projects.regions.jobs.delete ¹	dataproc.jobs.delete
projects.regions.jobs.getIamPolicy	dataproc.jobs.getIamPolicy
projects.regions.jobs.setIamPolicy	dataproc.jobs.setIamPolicy

Note:

Google Cloud CLI richiede anche l'autorizzazione dataproc.jobs.get per i comandi jobs submit, jobs wait, jobs update, jobs delete e jobs kill.
gcloud CLI richiede anche l'autorizzazione dataproc.clusters.get per inviare job. Per un esempio di impostazione delle autorizzazioni necessarie a un utente per eseguire gcloud dataproc jobs submit su un cluster utilizzando Managed Service for Apache Spark Granular IAM (vedi Invio di job con IAM granulare).

Autorizzazioni richieste per i metodi delle operazioni

Metodo	Autorizzazioni obbligatorie
projects.regions.operations.get	dataproc.operations.get
projects.regions.operations.list	dataproc.operations.list
projects.regions.operations.cancel	dataproc.operations.cancel
projects.regions.operations.delete	dataproc.operations.delete
projects.regions.operations.getIamPolicy	dataproc.operations.getIamPolicy
projects.regions.operations.setIamPolicy	dataproc.operations.setIamPolicy

Autorizzazioni richieste per i metodi dei modelli di workflow

Metodo	Autorizzazioni obbligatorie
projects.regions.workflowTemplates.instantiate	dataproc.workflowTemplates.instantiate
projects.regions.workflowTemplates.instantiateInline	dataproc.workflowTemplates.instantiateInline
projects.regions.workflowTemplates.create	dataproc.workflowTemplates.create
projects.regions.workflowTemplates.get	dataproc.workflowTemplates.get
projects.regions.workflowTemplates.list	dataproc.workflowTemplates.list
projects.regions.workflowTemplates.update	dataproc.workflowTemplates.update
projects.regions.workflowTemplates.delete	dataproc.workflowTemplates.delete
projects.regions.workflowTemplates.getIamPolicy	dataproc.workflowTemplates.getIamPolicy
projects.regions.workflowTemplates.setIamPolicy	dataproc.workflowTemplates.setIamPolicy

Note:

Le autorizzazioni del modello di flusso di lavoro sono indipendenti dalle autorizzazioni del cluster e del job. Un utente senza autorizzazioni create cluster o submit job può creare e instanziare un modello di flusso di lavoro.
Google Cloud CLI richiede inoltre l'autorizzazione dataproc.operations.get per eseguire il polling per il completamento del flusso di lavoro.
È necessaria l'autorizzazione dataproc.operations.cancel per annullare un flusso di lavoro in esecuzione.

Autorizzazioni richieste per i metodi dei criteri di scalabilità automatica

Metodo	Autorizzazioni obbligatorie
projects.regions.autoscalingPolicies.create	dataproc.autoscalingPolicies.create
projects.regions.autoscalingPolicies.get	dataproc.autoscalingPolicies.get
projects.regions.autoscalingPolicies.list	dataproc.autoscalingPolicies.list
projects.regions.autoscalingPolicies.update	dataproc.autoscalingPolicies.update
projects.regions.autoscalingPolicies.delete	dataproc.autoscalingPolicies.delete
projects.regions.autoscalingPolicies.getIamPolicy	dataproc.autoscalingPolicies.getIamPolicy
projects.regions.autoscalingPolicies.setIamPolicy	dataproc.autoscalingPolicies.setIamPolicy

Note:

È necessaria l'autorizzazione dataproc.autoscalingPolicies.use per abilitare un criterio di scalabilità automatica su un cluster con una richiesta del metodo clusters.patch.

Autorizzazioni richieste per i metodi dei gruppi di nodi

Metodo	Autorizzazioni obbligatorie
projects.regions.nodeGroups.create	dataproc.nodeGroups.create
projects.regions.nodeGroups.get	dataproc.nodeGroups.get
projects.regions.nodeGroups.resize	dataproc.nodeGroups.update

Ruoli di Managed Service per Apache Spark

I ruoli IAM di Managed Service per Apache Spark sono un insieme di una o più autorizzazioni. Concedi ruoli a utenti o gruppi per consentire loro di eseguire azioni sulle risorse Managed Service for Apache Spark in un progetto. Ad esempio, il ruolo Visualizzatore di Managed Service per Apache Spark contiene le autorizzazioni get e list, che consentono a un utente di ottenere ed elencare cluster, job e operazioni di Managed Service per Apache Spark in un progetto.

La tabella seguente elenca i ruoli che contengono le autorizzazioni necessarie per creare e gestire cluster Managed Service for Apache Spark.

Concedi ruolo a	Ruoli
Utente	Concedi agli utenti i seguenti ruoli: Ruolo Editor Dataproc per creare e gestire cluster Managed Service per Apache Spark. Ruolo Utente service account nel service account VM di Managed Service for Apache Spark.
Service account	Concedi al service account VM Managed Service per Apache Spark il ruolo Worker Dataproc.

Tieni presente quanto segue:

Potresti dover concedere all'account di servizio VM di Managed Service for Apache Spark ruoli predefiniti o personalizzati aggiuntivi che contengono le autorizzazioni necessarie per altre operazioni, come la lettura e la scrittura di dati da e verso Cloud Storage, BigQuery, Cloud Logging e altre risorse Google Cloud .
In alcuni progetti, al service account VM di Managed Service per Apache Spark potrebbe essere stato concesso automaticamente il ruolo Editor del progetto, che include le autorizzazioni del ruolo Worker di Managed Service per Apache Spark più autorizzazioni aggiuntive non necessarie per le operazioni del data plane di Managed Service per Apache Spark. Per seguire il principio di privilegio minimo, che è una best practice di sicurezza, sostituisci il ruolo Editor con il ruolo Worker di Managed Service for Apache Spark (vedi Visualizzare i ruoli account di servizio VM).

Devi concedere ruoli?

A seconda delle norme dell'organizzazione, un ruolo obbligatorio potrebbe essere già stato concesso.

Controllare i ruoli concessi agli utenti

Per verificare se a un utente è stato concesso un ruolo, segui le istruzioni riportate in Gestire l'accesso a progetti, cartelle e organizzazioni > Visualizzare l'accesso attuale.

Controllare i ruoli concessi ai service account

Per verificare se a un account di servizio è stato concesso un ruolo, consulta Visualizzare e gestire i ruoli delaccount di serviziot IAM.

Controllare i ruoli concessi a un account di servizio

Per verificare se a un utente è stato concesso un ruolo in un account di servizio, segui le istruzioni riportate in Gestire l'accesso ai service account > Visualizzare l'accesso attuale.

Cercare ruoli e autorizzazioni di Managed Service per Apache Spark

Puoi utilizzare la sezione seguente per cercare i ruoli e le autorizzazioni di Managed Service per Apache Spark.

Role Permissions

Role	Permissions
Dataproc Administrator (`roles/dataproc.admin`) Full control of Dataproc resources.	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.setIamPolicy` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.getIamPolicy` `dataproc.operations.list` `dataproc.operations.setIamPolicy` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.getIamPolicy` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.setIamPolicy` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.*` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Editor (`roles/dataproc.editor`) Provides the permissions necessary for viewing the resources required to manage Managed Service for Apache Spark, including machine types, networks, projects, and zones. Lowest-level resources where you can grant this role: Cluster	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Hub Agent (`roles/dataproc.hubAgent`) Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.	`compute.instances.get` `compute.instances.setMetadata` `compute.instances.setTags` `compute.zoneOperations.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.use` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.create` `logging.logEntries.list` `logging.logEntries.route` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logScopes.get` `logging.logScopes.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.objects.get` `storage.objects.list`
Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) Permissions needed to run serverless sessions and batches as a user	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Serverless Node. (`roles/dataproc.serverlessNode`) Node access to Dataproc Serverless sessions and batches. Intended for service accounts.	`dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataprocrm.nodePools.*` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.list` `dataprocrm.operations.get`
Dataproc Serverless Viewer (`roles/dataproc.serverlessViewer`) Permissions needed to view serverless sessions and batches	`compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.get` `dataproc.batches.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Service Agent (`roles/dataproc.serviceAgent`) Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts. Warning: Do not grant service agent roles to any principals except service agents.	`backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.locations.list` `backupdr.operations.get` `backupdr.operations.list` `backupdr.serviceConfig.initialize` `compute.acceleratorTypes.` `compute.acceleratorTypes.get` `compute.acceleratorTypes.list` `compute.addresses.createInternal` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.list` `compute.addresses.listEffectiveTags` `compute.addresses.listTagBindings` `compute.addresses.use` `compute.addresses.useInternal` `compute.autoscalers.` `compute.autoscalers.create` `compute.autoscalers.delete` `compute.autoscalers.get` `compute.autoscalers.list` `compute.autoscalers.update` `compute.diskSettings.get` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.createTagBinding` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.resize` `compute.disks.setLabels` `compute.disks.startAsyncReplication` `compute.disks.stopAsyncReplication` `compute.disks.stopGroupAsyncReplication` `compute.disks.update` `compute.disks.updateKmsKey` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.get` `compute.firewalls.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.listEffectiveTags` `compute.globalAddresses.listTagBindings` `compute.globalAddresses.use` `compute.globalNetworkEndpointGroups.` `compute.globalNetworkEndpointGroups.attachNetworkEndpoints` `compute.globalNetworkEndpointGroups.create` `compute.globalNetworkEndpointGroups.createTagBinding` `compute.globalNetworkEndpointGroups.delete` `compute.globalNetworkEndpointGroups.deleteTagBinding` `compute.globalNetworkEndpointGroups.detachNetworkEndpoints` `compute.globalNetworkEndpointGroups.get` `compute.globalNetworkEndpointGroups.list` `compute.globalNetworkEndpointGroups.listEffectiveTags` `compute.globalNetworkEndpointGroups.listTagBindings` `compute.globalNetworkEndpointGroups.use` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `compute.instanceGroupManagers.` `compute.instanceGroupManagers.create` `compute.instanceGroupManagers.createTagBinding` `compute.instanceGroupManagers.delete` `compute.instanceGroupManagers.deleteTagBinding` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroupManagers.listEffectiveTags` `compute.instanceGroupManagers.listTagBindings` `compute.instanceGroupManagers.update` `compute.instanceGroupManagers.use` `compute.instanceGroups.` `compute.instanceGroups.create` `compute.instanceGroups.createTagBinding` `compute.instanceGroups.delete` `compute.instanceGroups.deleteTagBinding` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceGroups.listEffectiveTags` `compute.instanceGroups.listTagBindings` `compute.instanceGroups.update` `compute.instanceGroups.use` `compute.instanceSettings.get` `compute.instanceTemplates.` `compute.instanceTemplates.create` `compute.instanceTemplates.delete` `compute.instanceTemplates.get` `compute.instanceTemplates.getIamPolicy` `compute.instanceTemplates.list` `compute.instanceTemplates.setIamPolicy` `compute.instanceTemplates.useReadOnly` `compute.instances.` `compute.instances.addAccessConfig` `compute.instances.addNetworkInterface` `compute.instances.addResourcePolicies` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.deleteAccessConfig` `compute.instances.deleteNetworkInterface` `compute.instances.deleteTagBinding` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.getEffectiveFirewalls` `compute.instances.getGuestAttributes` `compute.instances.getIamPolicy` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.getShieldedInstanceIdentity` `compute.instances.getShieldedVmIdentity` `compute.instances.list` `compute.instances.listEffectiveTags` `compute.instances.listReferrers` `compute.instances.listTagBindings` `compute.instances.osAdminLogin` `compute.instances.osLogin` `compute.instances.pscInterfaceCreate` `compute.instances.removeResourcePolicies` `compute.instances.reset` `compute.instances.resume` `compute.instances.sendDiagnosticInterrupt` `compute.instances.setDeletionProtection` `compute.instances.setDiskAutoDelete` `compute.instances.setIamPolicy` `compute.instances.setLabels` `compute.instances.setMachineResources` `compute.instances.setMachineType` `compute.instances.setMetadata` `compute.instances.setMinCpuPlatform` `compute.instances.setName` `compute.instances.setScheduling` `compute.instances.setSecurityPolicy` `compute.instances.setServiceAccount` `compute.instances.setShieldedInstanceIntegrityPolicy` `compute.instances.setShieldedVmIntegrityPolicy` `compute.instances.setTags` `compute.instances.simulateMaintenanceEvent` `compute.instances.start` `compute.instances.startWithEncryptionKey` `compute.instances.stop` `compute.instances.suspend` `compute.instances.update` `compute.instances.updateAccessConfig` `compute.instances.updateDisplayDevice` `compute.instances.updateNetworkInterface` `compute.instances.updateSecurity` `compute.instances.updateShieldedInstanceConfig` `compute.instances.updateShieldedVmConfig` `compute.instances.use` `compute.instances.useReadOnly` `compute.licenses.get` `compute.licenses.list` `compute.licenses.listEffectiveTags` `compute.licenses.listTagBindings` `compute.machineImages.` `compute.machineImages.create` `compute.machineImages.createTagBinding` `compute.machineImages.delete` `compute.machineImages.deleteTagBinding` `compute.machineImages.get` `compute.machineImages.getIamPolicy` `compute.machineImages.list` `compute.machineImages.listEffectiveTags` `compute.machineImages.listTagBindings` `compute.machineImages.setIamPolicy` `compute.machineImages.setLabels` `compute.machineImages.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.multiMig.` `compute.multiMig.create` `compute.multiMig.delete` `compute.multiMig.get` `compute.multiMig.list` `compute.multiMigMembers.` `compute.multiMigMembers.get` `compute.multiMigMembers.list` `compute.networkEndpointGroups.` `compute.networkEndpointGroups.attachNetworkEndpoints` `compute.networkEndpointGroups.create` `compute.networkEndpointGroups.createTagBinding` `compute.networkEndpointGroups.delete` `compute.networkEndpointGroups.deleteTagBinding` `compute.networkEndpointGroups.detachNetworkEndpoints` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.list` `compute.networkEndpointGroups.listEffectiveTags` `compute.networkEndpointGroups.listTagBindings` `compute.networkEndpointGroups.use` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listEffectiveTags` `compute.networks.listTagBindings` `compute.networks.setFirewallPolicy` `compute.networks.use` `compute.networks.useExternalIp` `compute.nodeGroups.get` `compute.nodeTypes.get` `compute.projects.get` `compute.regionFirewallPolicies.create` `compute.regionFirewallPolicies.createTagBinding` `compute.regionFirewallPolicies.delete` `compute.regionFirewallPolicies.deleteTagBinding` `compute.regionFirewallPolicies.get` `compute.regionFirewallPolicies.update` `compute.regionFirewallPolicies.use` `compute.regionNetworkEndpointGroups.` `compute.regionNetworkEndpointGroups.attachNetworkEndpoints` `compute.regionNetworkEndpointGroups.create` `compute.regionNetworkEndpointGroups.createTagBinding` `compute.regionNetworkEndpointGroups.delete` `compute.regionNetworkEndpointGroups.deleteTagBinding` `compute.regionNetworkEndpointGroups.detachNetworkEndpoints` `compute.regionNetworkEndpointGroups.get` `compute.regionNetworkEndpointGroups.list` `compute.regionNetworkEndpointGroups.listEffectiveTags` `compute.regionNetworkEndpointGroups.listTagBindings` `compute.regionNetworkEndpointGroups.use` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.reservationBlocks.get` `compute.reservationBlocks.list` `compute.reservationSubBlocks.` `compute.reservationSubBlocks.get` `compute.reservationSubBlocks.list` `compute.reservationSubBlocks.performMaintenance` `compute.reservationSubBlocks.reportFaulty` `compute.reservations.get` `compute.reservations.list` `compute.reservations.listEffectiveTags` `compute.reservations.listTagBindings` `compute.resourcePolicies.list` `compute.resourcePolicies.useReadOnly` `compute.storagePools.get` `compute.storagePools.list` `compute.storagePools.listEffectiveTags` `compute.storagePools.listTagBindings` `compute.storagePools.use` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.listEffectiveTags` `compute.subnetworks.listTagBindings` `compute.subnetworks.setPrivateIpGoogleAccess` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetPools.get` `compute.targetPools.list` `compute.targetPools.listEffectiveTags` `compute.targetPools.listTagBindings` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `container.clusterRoleBindings.` `container.clusterRoleBindings.create` `container.clusterRoleBindings.delete` `container.clusterRoleBindings.get` `container.clusterRoleBindings.list` `container.clusterRoleBindings.update` `container.clusterRoles.` `container.clusterRoles.bind` `container.clusterRoles.create` `container.clusterRoles.delete` `container.clusterRoles.escalate` `container.clusterRoles.get` `container.clusterRoles.list` `container.clusterRoles.update` `container.clusters.connect` `container.clusters.get` `container.clusters.update` `container.customResourceDefinitions.create` `container.customResourceDefinitions.delete` `container.customResourceDefinitions.get` `container.customResourceDefinitions.list` `container.customResourceDefinitions.update` `container.namespaces.create` `container.namespaces.delete` `container.namespaces.get` `container.namespaces.list` `container.namespaces.update` `container.operations.get` `container.roleBindings.` `container.roleBindings.create` `container.roleBindings.delete` `container.roleBindings.get` `container.roleBindings.list` `container.roleBindings.update` `container.roles.bind` `container.roles.escalate` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.repair` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.sessionTemplates.get` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `dataprocrm.nodes.update` `dataprocrm.operations.cancel` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `firebase.projects.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `metastore.services.get` `monitoring.timeSeries.create` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `resourcemanager.tagKeys.create` `resourcemanager.tagKeys.get` `resourcemanager.tagKeys.getIamPolicy` `resourcemanager.tagKeys.setIamPolicy` `resourcemanager.tagValueBindings.` `resourcemanager.tagValueBindings.create` `resourcemanager.tagValueBindings.delete` `resourcemanager.tagValues.create` `resourcemanager.tagValues.get` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.services.use` `serviceusage.values.test` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.buckets.viewIntelligenceDetails` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext` `storagebatchoperations.` `storagebatchoperations.bucketOperations.get` `storagebatchoperations.bucketOperations.list` `storagebatchoperations.jobs.cancel` `storagebatchoperations.jobs.create` `storagebatchoperations.jobs.delete` `storagebatchoperations.jobs.get` `storagebatchoperations.jobs.list` `storagebatchoperations.locations.get` `storagebatchoperations.locations.list` `storagebatchoperations.operations.cancel` `storagebatchoperations.operations.delete` `storagebatchoperations.operations.get` `storagebatchoperations.operations.list`
Dataproc Viewer (`roles/dataproc.viewer`) Provides read-only access to Managed Service for Apache Spark resources. Lowest-level resources where you can grant this role: Cluster	`compute.machineTypes.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.batches.analyze` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.nodeGroups.get` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Worker (`roles/dataproc.worker`) Provides worker access to Managed Service for Apache Spark resources. Intended for service accounts.	`cloudprofiler.profiles.create` `cloudprofiler.profiles.update` `datalineage.locations.processOpenLineageMessage` `dataproc.agents.` `dataproc.agents.create` `dataproc.agents.delete` `dataproc.agents.get` `dataproc.agents.list` `dataproc.agents.update` `dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationWrite` `dataproc.tasks.` `dataproc.tasks.lease` `dataproc.tasks.listInvalidatedLeases` `dataproc.tasks.reportStatus` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `dataprocrm.operations.get` `logging.logEntries.create` `logging.logEntries.route` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create` `storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext` `telemetry.metrics.write`

Dataproc Administrator

(roles/dataproc.admin)

Full control of Dataproc resources.

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.*

dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.repair
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.*

dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.*

dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Editor

(roles/dataproc.editor)

Provides the permissions necessary for viewing the resources required to manage Managed Service for Apache Spark, including machine types, networks, projects, and zones.

Lowest-level resources where you can grant this role:

Cluster

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.repair

dataproc.clusters.start

dataproc.clusters.stop

dataproc.clusters.update

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

dataproc.workflowTemplates.instantiate

dataproc.workflowTemplates.instantiateInline

dataproc.workflowTemplates.list

dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Hub Agent

(roles/dataproc.hubAgent)

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

compute.instances.get

compute.instances.setMetadata

compute.instances.setTags

compute.zoneOperations.get

compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.use

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.repair

dataproc.clusters.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.logMetrics.get

logging.logMetrics.list

logging.logScopes.get

logging.logScopes.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.get

storage.objects.list

Dataproc Serverless Editor

(roles/dataproc.serverlessEditor)

Permissions needed to run serverless sessions and batches as a user

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Serverless Node.

(roles/dataproc.serverlessNode)

Node access to Dataproc Serverless sessions and batches. Intended for service accounts.

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationRead

dataproc.sessions.sparkApplicationWrite

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.list

dataprocrm.operations.get

Dataproc Serverless Viewer

(roles/dataproc.serverlessViewer)

Permissions needed to view serverless sessions and batches

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.get

dataproc.batches.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Service Agent

(roles/dataproc.serviceAgent)

Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.

backupdr.backupPlanAssociations.createForComputeDisk

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeDisk

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeDisk

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlanAssociations.updateForComputeDisk

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.locations.list

backupdr.operations.get

backupdr.operations.list

backupdr.serviceConfig.initialize

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.diskSettings.get

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.updateKmsKey

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.get

compute.firewalls.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.createTagBinding
compute.instanceGroups.delete
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceSettings.get

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addNetworkInterface
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteNetworkInterface
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.pscInterfaceCreate
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.licenses.listEffectiveTags

compute.licenses.listTagBindings

compute.machineImages.*

compute.machineImages.create
compute.machineImages.createTagBinding
compute.machineImages.delete
compute.machineImages.deleteTagBinding
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.listEffectiveTags
compute.machineImages.listTagBindings
compute.machineImages.setIamPolicy
compute.machineImages.setLabels
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.multiMig.*

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

compute.multiMigMembers.*

compute.multiMigMembers.get
compute.multiMigMembers.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.setFirewallPolicy

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeTypes.get

compute.projects.get

compute.regionFirewallPolicies.create

compute.regionFirewallPolicies.createTagBinding

compute.regionFirewallPolicies.delete

compute.regionFirewallPolicies.deleteTagBinding

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.update

compute.regionFirewallPolicies.use

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservationBlocks.get

compute.reservationBlocks.list

compute.reservationSubBlocks.*

compute.reservationSubBlocks.get
compute.reservationSubBlocks.list
compute.reservationSubBlocks.performMaintenance
compute.reservationSubBlocks.reportFaulty

compute.reservations.get

compute.reservations.list

compute.reservations.listEffectiveTags

compute.reservations.listTagBindings

compute.resourcePolicies.list

compute.resourcePolicies.useReadOnly

compute.storagePools.get

compute.storagePools.list

compute.storagePools.listEffectiveTags

compute.storagePools.listTagBindings

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.setPrivateIpGoogleAccess

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

container.clusterRoleBindings.*

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update

container.clusterRoles.*

container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update

container.clusters.connect

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.namespaces.update

container.operations.get

container.roleBindings.*

container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update

container.roles.bind

container.roles.escalate

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.repair
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.sessionTemplates.get

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.*

dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update

dataprocrm.operations.cancel

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

metastore.services.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagKeys.create

resourcemanager.tagKeys.get

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.setIamPolicy

resourcemanager.tagValueBindings.*

resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete

resourcemanager.tagValues.create

resourcemanager.tagValues.get

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

serviceusage.values.test

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.buckets.viewIntelligenceDetails

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext

storagebatchoperations.*

storagebatchoperations.bucketOperations.get
storagebatchoperations.bucketOperations.list
storagebatchoperations.jobs.cancel
storagebatchoperations.jobs.create
storagebatchoperations.jobs.delete
storagebatchoperations.jobs.get
storagebatchoperations.jobs.list
storagebatchoperations.locations.get
storagebatchoperations.locations.list
storagebatchoperations.operations.cancel
storagebatchoperations.operations.delete
storagebatchoperations.operations.get
storagebatchoperations.operations.list

Dataproc Viewer

(roles/dataproc.viewer)

Provides read-only access to Managed Service for Apache Spark resources.

Lowest-level resources where you can grant this role:

Cluster

compute.machineTypes.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.batches.analyze

dataproc.batches.get

dataproc.batches.list

dataproc.batches.sparkApplicationRead

dataproc.clusters.get

dataproc.clusters.list

dataproc.jobs.get

dataproc.jobs.list

dataproc.nodeGroups.get

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

dataproc.sessions.sparkApplicationRead

dataproc.workflowTemplates.get

dataproc.workflowTemplates.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Worker

(roles/dataproc.worker)

Provides worker access to Managed Service for Apache Spark resources. Intended for service accounts.

cloudprofiler.profiles.create

cloudprofiler.profiles.update

datalineage.locations.processOpenLineageMessage

dataproc.agents.*

dataproc.agents.create
dataproc.agents.delete
dataproc.agents.get
dataproc.agents.list
dataproc.agents.update

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationWrite

dataproc.tasks.*

dataproc.tasks.lease
dataproc.tasks.listInvalidatedLeases
dataproc.tasks.reportStatus

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.mintOAuthToken

dataprocrm.operations.get

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

storage.objects.delete

storage.objects.deleteContext

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

storage.objects.overrideUnlockedRetention

storage.objects.restore

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

storage.objects.updateContext

telemetry.metrics.write

Note:

Le autorizzazioni compute sono necessarie o consigliate per creare e visualizzare i cluster Managed Service for Apache Spark quando utilizzi la gcloud CLI Google Cloud o Google Cloud CLI.
Per consentire a un utente di caricare file, concedi il ruolo Storage Object Creator. Per consentire a un utente di visualizzare l'output del job, concedi il ruolo Storage Object Viewer.
Un utente deve disporre dell'autorizzazione monitoring.timeSeries.list per visualizzare i grafici nella scheda Panoramica della console Google Cloud →Managed Service for Apache Spark→Dettagli cluster.
Un utente deve disporre dell'autorizzazione compute.instances.list per visualizzare lo stato dell'istanza e il menu SSH dell'istanza master nella scheda Istanze VM della consoleGoogle Cloud →Managed Service for Apache Spark→Dettagli cluster. Per informazioni sui ruoli di Compute Engine, consulta Compute Engine→Ruoli IAM disponibili).
Per creare un cluster con un account di servizio specificato dall'utente, il account di servizio specificato deve disporre di tutte le autorizzazioni concesse dal ruolo Managed Service for Apache Spark Worker, che includono l'accesso ai bucket temporanei e di staging di Managed Service for Apache Spark. A seconda delle funzionalità configurate, potrebbero essere necessari ruoli aggiuntivi. Per saperne di più, consulta Crea un cluster con un service account VM personalizzato.

Ruoli di progetto

Puoi anche impostare le autorizzazioni a livello di progetto utilizzando i ruoli Progetto IAM. La tabella seguente elenca le autorizzazioni associate ai ruoli di progetto IAM:

Ruolo progetto	Autorizzazioni
Visualizzatore progetto	Tutte le autorizzazioni del progetto per le azioni di sola lettura che conservano lo stato (get, list)
Editor progetto	Tutte le autorizzazioni di Visualizzatore progetto più tutte le autorizzazioni di progetto per le azioni che modificano lo stato (crea, elimina, aggiorna, utilizza, annulla, arresta, avvia)
Proprietario progetto	Tutte le autorizzazioni di Editor progetto più le autorizzazioni per gestire il controllo dell'accesso per il progetto (get/set IamPolicy) e per configurare la fatturazione del progetto

Riepilogo delle operazioni di Managed Service per Apache Spark e dei ruoli IAM

La tabella seguente elenca le operazioni di Managed Service per Apache Spark associate ai ruoli di progetto e di Managed Service per Apache Spark.

Operazione	Editor progetto	Visualizzatore progetto	Amministratore di Managed Service per Apache Spark	Editor di Managed Service per Apache Spark	Visualizzatore di Managed Service per Apache Spark
Recupera/imposta le autorizzazioni IAM di Managed Service per Apache Spark	No	No	Sì	No	No
Crea cluster	Sì	No	Sì	Sì	No
Elenca cluster	Sì	Sì	Sì	Sì	Sì
Recupero dei dettagli del cluster	Sì	Sì	Sì ^{1, 2}	Sì ^{1, 2}	Sì ^{1, 2}
Aggiorna cluster	Sì	No	Sì	Sì	No
Elimina cluster	Sì	No	Sì	Sì	No
Avvia/Interrompi cluster	Sì	No	Sì	Sì	No
Invia il job	Sì	No	Sì ³	Sì ³	No
Elenca job	Sì	Sì	Sì	Sì	Sì
Recupera i dettagli del job	Sì	Sì	Sì ⁴	Sì ⁴	Sì ⁴
Annulla job	Sì	No	Sì	Sì	No
Elimina job	Sì	No	Sì	Sì	No
Elenca operazioni	Sì	Sì	Sì	Sì	Sì
Recuperare i dettagli dell'operazione	Sì	Sì	Sì	Sì	Sì
Elimina operazione	Sì	No	Sì	Sì	No

Note:

Il grafico del rendimento non è disponibile a meno che l'utente non disponga anche di un ruolo con l'autorizzazione monitoring.timeSeries.list.
L'elenco delle VM nel cluster non includerà informazioni sullo stato o un link SSH per l'istanza master, a meno che l'utente non disponga anche di un ruolo con l'autorizzazione compute.instances.list.
I job che caricano file richiedono che l'utente disponga del ruolo Storage Object Creator o dell'accesso in scrittura al bucket di staging di Managed Service for Apache Spark.
L'output del job non è disponibile a meno che l'utente non disponga anche del ruolo Storage Object Visualizzatore o non gli sia stato concesso l'accesso in lettura al bucket di staging per il progetto.

Ambiti di accesso alle VM di Managed Service per Apache Spark

Gli ambiti di accesso VM e i ruoli IAM funzionano insieme per limitare l'accesso VM alle API Google Cloud. Ad esempio, se alle VM del cluster viene concesso solo l'ambito https://www.googleapis.com/auth/storage-full, le applicazioni in esecuzione sulle VM del cluster possono chiamare le API Cloud Storage, ma non sono in grado di effettuare richieste a BigQuery, anche se vengono eseguite come account di servizio VM a cui è stato concesso un ruolo BigQuery con autorizzazioni ampie.

Una best practice consiste nel concedere l'ambito cloud-platform ampio (https://www.googleapis.com/auth/cloud-platform) alle VM, quindi limitare l'accesso alle VM concedendo ruoli IAM specifici al service account VM (vedi Best practice per gli ambiti).

Ambiti VM predefiniti di Managed Service per Apache Spark. Se gli ambiti non vengono specificati durante la creazione di un cluster (vedi gcloud dataproc cluster create --scopes), le VM di Managed Service for Apache Spark hanno il seguente insieme predefinito di ambiti:

https://www.googleapis.com/auth/cloud-platform (clusters created with image version 2.1+).
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/bigtable.admin.table
https://www.googleapis.com/auth/bigtable.data
https://www.googleapis.com/auth/cloud.useraccounts.readonly
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write

Se specifichi gli ambiti durante la creazione di un cluster, le VM del cluster avranno gli ambiti specificati e il seguente insieme minimo di ambiti richiesti (anche se non li specifichi):

https://www.googleapis.com/auth/cloud-platform (clusters created with image version 2.1+).
https://www.googleapis.com/auth/cloud.useraccounts.readonly
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write

Gestione dei criteri di autorizzazione IAM

Concedi ruoli IAM alle entità utilizzando le policy di autorizzazione. Puoi ottenere e impostare le policy di autorizzazione utilizzando la console Google Cloud , l'API IAM o Google Cloud CLI.

Per la console Google Cloud , consulta Controllo dell'accesso tramite la console Google Cloud .
Per l'API, vedi Controllo dell'accesso tramite l'API.
Per Google Cloud CLI, consulta Controllo dell'accesso tramite Google Cloud CLI.

Ruoli e autorizzazioni IAM (Identity and Access Management) di Managed Service per Apache Spark Mantieni tutto organizzato con le raccolte Salva e classifica i contenuti in base alle tue preferenze.

Autorizzazioni di Managed Service per Apache Spark

Autorizzazioni richieste per i metodi dei cluster

Autorizzazioni richieste per i metodi dei job

Autorizzazioni richieste per i metodi delle operazioni

Autorizzazioni richieste per i metodi dei modelli di workflow

Autorizzazioni richieste per i metodi dei criteri di scalabilità automatica

Autorizzazioni richieste per i metodi dei gruppi di nodi

Ruoli di Managed Service per Apache Spark

Devi concedere ruoli?

Controllare i ruoli concessi agli utenti

Controllare i ruoli concessi ai service account

Controllare i ruoli concessi a un account di servizio

Cercare ruoli e autorizzazioni di Managed Service per Apache Spark

Dataproc Administrator

Dataproc Editor

Dataproc Hub Agent

Dataproc Serverless Editor

Dataproc Serverless Node.

Dataproc Serverless Viewer

Dataproc Service Agent

Dataproc Viewer

Dataproc Worker

Ruoli di progetto

Riepilogo delle operazioni di Managed Service per Apache Spark e dei ruoli IAM

Ambiti di accesso alle VM di Managed Service per Apache Spark

Gestione dei criteri di autorizzazione IAM

Passaggi successivi

Ruoli e autorizzazioni IAM (Identity and Access Management) di Managed Service per Apache Spark