Dataproc IAM roles and permissions

Overview

Identity and Access Management (IAM) lets you control user and group access to project resources. This document focuses on the IAM permissions relevant to Dataproc and the IAM roles that grant those permissions.

Dataproc permissions

Dataproc permissions allow users, including service accounts, to perform actions on Dataproc clusters, jobs, operations, and workflow templates. For example, the dataproc.clusters.create permission allows a user to create Dataproc clusters in a project. Typically, you don't grant permissions; instead, you grant roles, which include one or more permissions.

The following tables list the permissions necessary to call Dataproc APIs (methods). The tables are organized according to the APIs associated with each Dataproc resource (clusters, jobs, operations, and workflow templates).

Permission Scope: The scope of Dataproc permissions listed in the following tables is the containing Google Cloud project (cloud-platform scope). See Service account permissions.

Examples:

dataproc.clusters.create permits the creation of Dataproc clusters in the containing project
dataproc.jobs.create permits the submission of Dataproc jobs to Dataproc clusters in the containing project
dataproc.clusters.list permits the listing of details of Dataproc clusters in the containing project

Clusters methods required permissions

Method	Required permissions
projects.regions.clusters.create ^{1, 2}	dataproc.clusters.create
projects.regions.clusters.get	dataproc.clusters.get
projects.regions.clusters.list	dataproc.clusters.list
projects.regions.clusters.patch ^{1, 2, 3}	dataproc.clusters.update
projects.regions.clusters.delete ¹	dataproc.clusters.delete
projects.regions.clusters.start	dataproc.clusters.start
projects.regions.clusters.stop	dataproc.clusters.stop
projects.regions.clusters.getIamPolicy	dataproc.clusters.getIamPolicy
projects.regions.clusters.setIamPolicy	dataproc.clusters.setIamPolicy

Notes:

The dataproc.operations.get permission is also required to get status updates from Google Cloud CLI.
The dataproc.clusters.get permission is also required to get the result of the operation from Google Cloud CLI.
dataproc.autoscalingPolicies.use permission is also required to enable an autoscaling policy on a cluster.

Jobs methods required permissions

Method	Required permissions
projects.regions.jobs.submit ^{1, 2}	dataproc.jobs.create dataproc.clusters.use
projects.regions.jobs.get	dataproc.jobs.get
projects.regions.jobs.list	dataproc.jobs.list
projects.regions.jobs.cancel ¹	dataproc.jobs.cancel
projects.regions.jobs.patch ¹	dataproc.jobs.update
projects.regions.jobs.delete ¹	dataproc.jobs.delete
projects.regions.jobs.getIamPolicy	dataproc.jobs.getIamPolicy
projects.regions.jobs.setIamPolicy	dataproc.jobs.setIamPolicy

Notes:

The Google Cloud CLI also requires dataproc.jobs.get permission for the jobs submit, jobs wait, jobs update, jobs delete, and jobs kill commands.
The gcloud CLI also requires dataproc.clusters.get permission to submit jobs. For an example of setting the permissions necessary for a user to run gcloud dataproc jobs submit on a cluster using Dataproc Granular IAM (see Submitting Jobs with Granular IAM).

Operations methods required permissions

Method	Required permissions
projects.regions.operations.get	dataproc.operations.get
projects.regions.operations.list	dataproc.operations.list
projects.regions.operations.cancel	dataproc.operations.cancel
projects.regions.operations.delete	dataproc.operations.delete
projects.regions.operations.getIamPolicy	dataproc.operations.getIamPolicy
projects.regions.operations.setIamPolicy	dataproc.operations.setIamPolicy

Workflow templates methods required permissions

Method	Required permissions
projects.regions.workflowTemplates.instantiate	dataproc.workflowTemplates.instantiate
projects.regions.workflowTemplates.instantiateInline	dataproc.workflowTemplates.instantiateInline
projects.regions.workflowTemplates.create	dataproc.workflowTemplates.create
projects.regions.workflowTemplates.get	dataproc.workflowTemplates.get
projects.regions.workflowTemplates.list	dataproc.workflowTemplates.list
projects.regions.workflowTemplates.update	dataproc.workflowTemplates.update
projects.regions.workflowTemplates.delete	dataproc.workflowTemplates.delete
projects.regions.workflowTemplates.getIamPolicy	dataproc.workflowTemplates.getIamPolicy
projects.regions.workflowTemplates.setIamPolicy	dataproc.workflowTemplates.setIamPolicy

Notes:

Workflow Template permissions are independent of Cluster and Job permissions. A user without create cluster or submit job permissions may create and instantiate a Workflow Template.
The Google Cloud CLI additionally requires dataproc.operations.get permission to poll for workflow completion.
The dataproc.operations.cancel permission is required to cancel a running workflow.

Autoscaling policies methods required permissions

Method	Required permissions
projects.regions.autoscalingPolicies.create	dataproc.autoscalingPolicies.create
projects.regions.autoscalingPolicies.get	dataproc.autoscalingPolicies.get
projects.regions.autoscalingPolicies.list	dataproc.autoscalingPolicies.list
projects.regions.autoscalingPolicies.update	dataproc.autoscalingPolicies.update
projects.regions.autoscalingPolicies.delete	dataproc.autoscalingPolicies.delete
projects.regions.autoscalingPolicies.getIamPolicy	dataproc.autoscalingPolicies.getIamPolicy
projects.regions.autoscalingPolicies.setIamPolicy	dataproc.autoscalingPolicies.setIamPolicy

Notes:

dataproc.autoscalingPolicies.use permission is required to enable an autoscaling policy on a cluster with a clusters.patch method request.

Node groups methods required permissions

Method	Required permissions
projects.regions.nodeGroups.create	dataproc.nodeGroups.create
projects.regions.nodeGroups.get	dataproc.nodeGroups.get
projects.regions.nodeGroups.resize	dataproc.nodeGroups.update

Dataproc roles

Dataproc IAM roles are a bundle of one or more permissions. You grant roles to users or groups to allow them to perform actions on the Dataproc resources in a project. For example, the Dataproc Viewer role contain get and list permissions, which allow a user to get and list Dataproc clusters, jobs, and operations in a project.

The following table lists the Dataproc IAM roles and the permissions associated with each role.

Role Permissions

Role	Permissions
Dataproc Administrator (`roles/dataproc.admin`) Full control of Dataproc resources.	`compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.setIamPolicy` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.getIamPolicy` `dataproc.operations.list` `dataproc.operations.setIamPolicy` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.getIamPolicy` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.setIamPolicy` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Editor (`roles/dataproc.editor`) Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones. Lowest-level resources where you can grant this role: Cluster	`compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.get` `compute.networks.list` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataproc.workflowTemplates.create` `dataproc.workflowTemplates.delete` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.instantiate` `dataproc.workflowTemplates.instantiateInline` `dataproc.workflowTemplates.list` `dataproc.workflowTemplates.update` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.*` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Hub Agent (`roles/dataproc.hubAgent`) Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.	`compute.instances.get` `compute.instances.setMetadata` `compute.instances.setTags` `compute.zoneOperations.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.use` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.clusters.update` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.create` `logging.logEntries.list` `logging.logEntries.route` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logScopes.get` `logging.logScopes.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.objects.get` `storage.objects.list`
Dataproc Serverless Editor (`roles/dataproc.serverlessEditor`) Permissions needed to run serverless sessions and batches as a user	`compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.*` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Serverless Node. (`roles/dataproc.serverlessNode`) Node access to Dataproc Serverless sessions and batches. Intended for service accounts.	`dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataprocrm.nodePools.*` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.list`
Dataproc Serverless Viewer (`roles/dataproc.serverlessViewer`) Permissions needed to view serverless sessions and batches	`compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.batches.get` `dataproc.batches.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Service Agent (`roles/dataproc.serviceAgent`) Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts. Warning: Do not grant service agent roles to any principals except service agents.	`backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.locations.list` `backupdr.operations.get` `backupdr.operations.list` `backupdr.serviceConfig.initialize` `compute.acceleratorTypes.` `compute.acceleratorTypes.get` `compute.acceleratorTypes.list` `compute.addresses.createInternal` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.list` `compute.addresses.listEffectiveTags` `compute.addresses.listTagBindings` `compute.addresses.use` `compute.addresses.useInternal` `compute.autoscalers.` `compute.autoscalers.create` `compute.autoscalers.delete` `compute.autoscalers.get` `compute.autoscalers.list` `compute.autoscalers.update` `compute.diskSettings.get` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.createTagBinding` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.resize` `compute.disks.setLabels` `compute.disks.startAsyncReplication` `compute.disks.stopAsyncReplication` `compute.disks.stopGroupAsyncReplication` `compute.disks.update` `compute.disks.updateKmsKey` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.get` `compute.firewalls.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.listEffectiveTags` `compute.globalAddresses.listTagBindings` `compute.globalAddresses.use` `compute.globalNetworkEndpointGroups.` `compute.globalNetworkEndpointGroups.attachNetworkEndpoints` `compute.globalNetworkEndpointGroups.create` `compute.globalNetworkEndpointGroups.createTagBinding` `compute.globalNetworkEndpointGroups.delete` `compute.globalNetworkEndpointGroups.deleteTagBinding` `compute.globalNetworkEndpointGroups.detachNetworkEndpoints` `compute.globalNetworkEndpointGroups.get` `compute.globalNetworkEndpointGroups.list` `compute.globalNetworkEndpointGroups.listEffectiveTags` `compute.globalNetworkEndpointGroups.listTagBindings` `compute.globalNetworkEndpointGroups.use` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `compute.instanceGroupManagers.` `compute.instanceGroupManagers.create` `compute.instanceGroupManagers.createTagBinding` `compute.instanceGroupManagers.delete` `compute.instanceGroupManagers.deleteTagBinding` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroupManagers.listEffectiveTags` `compute.instanceGroupManagers.listTagBindings` `compute.instanceGroupManagers.update` `compute.instanceGroupManagers.use` `compute.instanceGroups.` `compute.instanceGroups.create` `compute.instanceGroups.createTagBinding` `compute.instanceGroups.delete` `compute.instanceGroups.deleteTagBinding` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceGroups.listEffectiveTags` `compute.instanceGroups.listTagBindings` `compute.instanceGroups.update` `compute.instanceGroups.use` `compute.instanceSettings.get` `compute.instanceTemplates.` `compute.instanceTemplates.create` `compute.instanceTemplates.delete` `compute.instanceTemplates.get` `compute.instanceTemplates.getIamPolicy` `compute.instanceTemplates.list` `compute.instanceTemplates.setIamPolicy` `compute.instanceTemplates.useReadOnly` `compute.instances.` `compute.instances.addAccessConfig` `compute.instances.addNetworkInterface` `compute.instances.addResourcePolicies` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.deleteAccessConfig` `compute.instances.deleteNetworkInterface` `compute.instances.deleteTagBinding` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.getEffectiveFirewalls` `compute.instances.getGuestAttributes` `compute.instances.getIamPolicy` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.getShieldedInstanceIdentity` `compute.instances.getShieldedVmIdentity` `compute.instances.list` `compute.instances.listEffectiveTags` `compute.instances.listReferrers` `compute.instances.listTagBindings` `compute.instances.osAdminLogin` `compute.instances.osLogin` `compute.instances.pscInterfaceCreate` `compute.instances.removeResourcePolicies` `compute.instances.reset` `compute.instances.resume` `compute.instances.sendDiagnosticInterrupt` `compute.instances.setDeletionProtection` `compute.instances.setDiskAutoDelete` `compute.instances.setIamPolicy` `compute.instances.setLabels` `compute.instances.setMachineResources` `compute.instances.setMachineType` `compute.instances.setMetadata` `compute.instances.setMinCpuPlatform` `compute.instances.setName` `compute.instances.setScheduling` `compute.instances.setSecurityPolicy` `compute.instances.setServiceAccount` `compute.instances.setShieldedInstanceIntegrityPolicy` `compute.instances.setShieldedVmIntegrityPolicy` `compute.instances.setTags` `compute.instances.simulateMaintenanceEvent` `compute.instances.start` `compute.instances.startWithEncryptionKey` `compute.instances.stop` `compute.instances.suspend` `compute.instances.update` `compute.instances.updateAccessConfig` `compute.instances.updateDisplayDevice` `compute.instances.updateNetworkInterface` `compute.instances.updateSecurity` `compute.instances.updateShieldedInstanceConfig` `compute.instances.updateShieldedVmConfig` `compute.instances.use` `compute.instances.useReadOnly` `compute.licenses.get` `compute.licenses.list` `compute.machineImages.` `compute.machineImages.create` `compute.machineImages.delete` `compute.machineImages.get` `compute.machineImages.getIamPolicy` `compute.machineImages.list` `compute.machineImages.setIamPolicy` `compute.machineImages.setLabels` `compute.machineImages.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.multiMig.` `compute.multiMig.create` `compute.multiMig.delete` `compute.multiMig.get` `compute.multiMig.list` `compute.networkEndpointGroups.` `compute.networkEndpointGroups.attachNetworkEndpoints` `compute.networkEndpointGroups.create` `compute.networkEndpointGroups.createTagBinding` `compute.networkEndpointGroups.delete` `compute.networkEndpointGroups.deleteTagBinding` `compute.networkEndpointGroups.detachNetworkEndpoints` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.list` `compute.networkEndpointGroups.listEffectiveTags` `compute.networkEndpointGroups.listTagBindings` `compute.networkEndpointGroups.use` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listEffectiveTags` `compute.networks.listTagBindings` `compute.networks.use` `compute.networks.useExternalIp` `compute.nodeGroups.get` `compute.nodeTypes.get` `compute.projects.get` `compute.regionFirewallPolicies.create` `compute.regionFirewallPolicies.createTagBinding` `compute.regionFirewallPolicies.get` `compute.regionFirewallPolicies.update` `compute.regionFirewallPolicies.use` `compute.regionNetworkEndpointGroups.` `compute.regionNetworkEndpointGroups.attachNetworkEndpoints` `compute.regionNetworkEndpointGroups.create` `compute.regionNetworkEndpointGroups.createTagBinding` `compute.regionNetworkEndpointGroups.delete` `compute.regionNetworkEndpointGroups.deleteTagBinding` `compute.regionNetworkEndpointGroups.detachNetworkEndpoints` `compute.regionNetworkEndpointGroups.get` `compute.regionNetworkEndpointGroups.list` `compute.regionNetworkEndpointGroups.listEffectiveTags` `compute.regionNetworkEndpointGroups.listTagBindings` `compute.regionNetworkEndpointGroups.use` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.reservationBlocks.get` `compute.reservationBlocks.list` `compute.reservationSubBlocks.` `compute.reservationSubBlocks.get` `compute.reservationSubBlocks.list` `compute.reservationSubBlocks.performMaintenance` `compute.reservationSubBlocks.reportFaulty` `compute.reservations.get` `compute.reservations.list` `compute.resourcePolicies.list` `compute.resourcePolicies.useReadOnly` `compute.storagePools.get` `compute.storagePools.list` `compute.storagePools.use` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.listEffectiveTags` `compute.subnetworks.listTagBindings` `compute.subnetworks.setPrivateIpGoogleAccess` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetPools.get` `compute.targetPools.list` `compute.targetPools.listEffectiveTags` `compute.targetPools.listTagBindings` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `container.clusterRoleBindings.` `container.clusterRoleBindings.create` `container.clusterRoleBindings.delete` `container.clusterRoleBindings.get` `container.clusterRoleBindings.list` `container.clusterRoleBindings.update` `container.clusterRoles.` `container.clusterRoles.bind` `container.clusterRoles.create` `container.clusterRoles.delete` `container.clusterRoles.escalate` `container.clusterRoles.get` `container.clusterRoles.list` `container.clusterRoles.update` `container.clusters.connect` `container.clusters.get` `container.clusters.update` `container.customResourceDefinitions.create` `container.customResourceDefinitions.delete` `container.customResourceDefinitions.get` `container.customResourceDefinitions.list` `container.customResourceDefinitions.update` `container.namespaces.create` `container.namespaces.delete` `container.namespaces.get` `container.namespaces.list` `container.namespaces.update` `container.operations.get` `container.roleBindings.` `container.roleBindings.create` `container.roleBindings.delete` `container.roleBindings.get` `container.roleBindings.list` `container.roleBindings.update` `container.roles.bind` `container.roles.escalate` `dataproc.autoscalingPolicies.create` `dataproc.autoscalingPolicies.delete` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.getIamPolicy` `dataproc.autoscalingPolicies.list` `dataproc.autoscalingPolicies.update` `dataproc.autoscalingPolicies.use` `dataproc.clusters.` `dataproc.clusters.create` `dataproc.clusters.delete` `dataproc.clusters.get` `dataproc.clusters.getIamPolicy` `dataproc.clusters.list` `dataproc.clusters.setIamPolicy` `dataproc.clusters.start` `dataproc.clusters.stop` `dataproc.clusters.update` `dataproc.clusters.use` `dataproc.jobs.` `dataproc.jobs.cancel` `dataproc.jobs.create` `dataproc.jobs.delete` `dataproc.jobs.get` `dataproc.jobs.getIamPolicy` `dataproc.jobs.list` `dataproc.jobs.setIamPolicy` `dataproc.jobs.update` `dataproc.nodeGroups.` `dataproc.nodeGroups.create` `dataproc.nodeGroups.get` `dataproc.nodeGroups.update` `dataproc.operations.cancel` `dataproc.sessionTemplates.get` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `dataprocrm.nodes.update` `dataprocrm.operations.cancel` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `firebase.projects.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `metastore.services.get` `monitoring.timeSeries.create` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `resourcemanager.tagKeys.create` `resourcemanager.tagKeys.get` `resourcemanager.tagKeys.getIamPolicy` `resourcemanager.tagKeys.setIamPolicy` `resourcemanager.tagValues.create` `resourcemanager.tagValues.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.services.use` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Dataproc Viewer (`roles/dataproc.viewer`) Provides read-only access to Dataproc resources. Lowest-level resources where you can grant this role: Cluster	`compute.machineTypes.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataproc.autoscalingPolicies.get` `dataproc.autoscalingPolicies.list` `dataproc.batches.analyze` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.clusters.get` `dataproc.clusters.list` `dataproc.jobs.get` `dataproc.jobs.list` `dataproc.nodeGroups.get` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.workflowTemplates.get` `dataproc.workflowTemplates.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Dataproc Worker (`roles/dataproc.worker`) Provides worker access to Dataproc resources. Intended for service accounts.	`cloudprofiler.profiles.create` `cloudprofiler.profiles.update` `datalineage.locations.processOpenLineageMessage` `dataproc.agents.` `dataproc.agents.create` `dataproc.agents.delete` `dataproc.agents.get` `dataproc.agents.list` `dataproc.agents.update` `dataproc.batches.sparkApplicationWrite` `dataproc.sessions.sparkApplicationWrite` `dataproc.tasks.` `dataproc.tasks.lease` `dataproc.tasks.listInvalidatedLeases` `dataproc.tasks.reportStatus` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.mintOAuthToken` `logging.logEntries.create` `logging.logEntries.route` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create` `storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `telemetry.metrics.write`

Dataproc Administrator

(roles/dataproc.admin)

Full control of Dataproc resources.

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.*

dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.*

dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.*

dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Editor

(roles/dataproc.editor)

Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.

Lowest-level resources where you can grant this role:

Cluster

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.start

dataproc.clusters.stop

dataproc.clusters.update

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

dataproc.workflowTemplates.instantiate

dataproc.workflowTemplates.instantiateInline

dataproc.workflowTemplates.list

dataproc.workflowTemplates.update

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Hub Agent

(roles/dataproc.hubAgent)

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

compute.instances.get

compute.instances.setMetadata

compute.instances.setTags

compute.zoneOperations.get

compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.use

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.logMetrics.get

logging.logMetrics.list

logging.logScopes.get

logging.logScopes.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.get

storage.objects.list

Dataproc Serverless Editor

(roles/dataproc.serverlessEditor)

Permissions needed to run serverless sessions and batches as a user

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Serverless Node.

(roles/dataproc.serverlessNode)

Node access to Dataproc Serverless sessions and batches. Intended for service accounts.

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationRead

dataproc.sessions.sparkApplicationWrite

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.list

Dataproc Serverless Viewer

(roles/dataproc.serverlessViewer)

Permissions needed to view serverless sessions and batches

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.batches.get

dataproc.batches.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Service Agent

(roles/dataproc.serviceAgent)

Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.

backupdr.backupPlanAssociations.createForComputeDisk

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeDisk

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeDisk

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlanAssociations.updateForComputeDisk

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.locations.list

backupdr.operations.get

backupdr.operations.list

backupdr.serviceConfig.initialize

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.diskSettings.get

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.updateKmsKey

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.get

compute.firewalls.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.createTagBinding
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.deleteTagBinding
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.createTagBinding
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.deleteTagBinding
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.createTagBinding
compute.instanceGroups.delete
compute.instanceGroups.deleteTagBinding
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.listEffectiveTags
compute.instanceGroups.listTagBindings
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceSettings.get

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addNetworkInterface
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteNetworkInterface
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.pscInterfaceCreate
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.machineImages.*

compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.setLabels
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.multiMig.*

compute.multiMig.create
compute.multiMig.delete
compute.multiMig.get
compute.multiMig.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.createTagBinding
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.deleteTagBinding
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeTypes.get

compute.projects.get

compute.regionFirewallPolicies.create

compute.regionFirewallPolicies.createTagBinding

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.update

compute.regionFirewallPolicies.use

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.createTagBinding
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.deleteTagBinding
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservationBlocks.get

compute.reservationBlocks.list

compute.reservationSubBlocks.*

compute.reservationSubBlocks.get
compute.reservationSubBlocks.list
compute.reservationSubBlocks.performMaintenance
compute.reservationSubBlocks.reportFaulty

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.list

compute.resourcePolicies.useReadOnly

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.setPrivateIpGoogleAccess

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

container.clusterRoleBindings.*

container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update

container.clusterRoles.*

container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update

container.clusters.connect

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.namespaces.update

container.operations.get

container.roleBindings.*

container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update

container.roles.bind

container.roles.escalate

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.sessionTemplates.get

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.*

dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.mintOAuthToken
dataprocrm.nodes.update

dataprocrm.operations.cancel

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

metastore.services.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagKeys.create

resourcemanager.tagKeys.get

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.setIamPolicy

resourcemanager.tagValues.create

resourcemanager.tagValues.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Dataproc Viewer

(roles/dataproc.viewer)

Provides read-only access to Dataproc resources.

Lowest-level resources where you can grant this role:

Cluster

compute.machineTypes.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.batches.analyze

dataproc.batches.get

dataproc.batches.list

dataproc.batches.sparkApplicationRead

dataproc.clusters.get

dataproc.clusters.list

dataproc.jobs.get

dataproc.jobs.list

dataproc.nodeGroups.get

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

dataproc.sessions.sparkApplicationRead

dataproc.workflowTemplates.get

dataproc.workflowTemplates.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Worker

(roles/dataproc.worker)

Provides worker access to Dataproc resources. Intended for service accounts.

cloudprofiler.profiles.create

cloudprofiler.profiles.update

datalineage.locations.processOpenLineageMessage

dataproc.agents.*

dataproc.agents.create
dataproc.agents.delete
dataproc.agents.get
dataproc.agents.list
dataproc.agents.update

dataproc.batches.sparkApplicationWrite

dataproc.sessions.sparkApplicationWrite

dataproc.tasks.*

dataproc.tasks.lease
dataproc.tasks.listInvalidatedLeases
dataproc.tasks.reportStatus

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.mintOAuthToken

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

storage.objects.overrideUnlockedRetention

storage.objects.restore

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

telemetry.metrics.write

Notes:

compute permissions are needed or recommended to create and view Dataproc clusters when using the Google Cloud console or the gcloud CLI Google Cloud CLI.
To allow a user to upload files, grant the Storage Object Creator role. To allow a user to view job output, grant the Storage Object Viewer role.
A user must have monitoring.timeSeries.list permission in order to view graphs on the Google Cloud console→Dataproc→Cluster details Overview tab.
A user must have compute.instances.list permission in order to view instance status and the master instance SSH menu on the Google Cloud console→Dataproc→Cluster details VM Instances tab. For information on Compute Engine roles, see Compute Engine→Available IAM roles).
To create a cluster with a user-specified service account, the specified service account must have all permissions granted by the Dataproc Worker role, which include access to the Dataproc staging and temp buckets. Additional roles may be required depending on configured features. See Create a cluster with a custom VM service account for more information.

Project roles

You can also set permissions at the project level by using the IAM Project roles. The following table lists permissions associated with IAM Project roles:

Project Role	Permissions
Project Viewer	All project permissions for read-only actions that preserve state (get, list)
Project Editor	All Project Viewer permissions plus all project permissions for actions that modify state (create, delete, update, use, cancel, stop, start)
Project Owner	All Project Editor permissions plus permissions to manage access control for the project (get/set IamPolicy) and to set up project billing

IAM roles and Dataproc operations summary

The following table lists Dataproc operations associated with project and Dataproc roles.

Operation	Project Editor	Project Viewer	Dataproc Admin	Dataproc Editor	Dataproc Viewer
Get/Set Dataproc IAM permissions	No	No	Yes	No	No
Create cluster	Yes	No	Yes	Yes	No
List clusters	Yes	Yes	Yes	Yes	Yes
Get cluster details	Yes	Yes	Yes ^{1, 2}	Yes ^{1, 2}	Yes ^{1, 2}
Update cluster	Yes	No	Yes	Yes	No
Delete cluster	Yes	No	Yes	Yes	No
Start/Stop cluster	Yes	No	Yes	Yes	No
Submit job	Yes	No	Yes ³	Yes ³	No
List jobs	Yes	Yes	Yes	Yes	Yes
Get job details	Yes	Yes	Yes ⁴	Yes ⁴	Yes ⁴
Cancel job	Yes	No	Yes	Yes	No
Delete job	Yes	No	Yes	Yes	No
List operations	Yes	Yes	Yes	Yes	Yes
Get operation details	Yes	Yes	Yes	Yes	Yes
Delete operation	Yes	No	Yes	Yes	No

Notes:

The performance graph is not available unless the user also has a role with the monitoring.timeSeries.list permission.
The list of VMs in the cluster will not include status information or an SSH link for the master instance unless the user also has a role with the compute.instances.list permission.
Jobs that upload files require the user to have the Storage Object Creator role or write access to the Dataproc staging bucket.
Job output is not available unless the user also has the Storage Object Viewer role or has been granted read access to the staging bucket for the project.

Service accounts

When you call Dataproc APIs to perform actions in a project, such as creating VM instances, Dataproc performs the actions on your behalf by using a service account that has the permissions required to perform the actions. For more information, see Dataproc service accounts.

IAM management

You can get and set IAM policies using the Google Cloud console, the IAM API, or the Google Cloud CLI.

For the Google Cloud console, see Access control using the Google Cloud console.
For the API, see Access control using the API.
For the Google Cloud CLI, see Access control using the Google Cloud CLI.

Dataproc IAM roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Overview

Dataproc permissions

Clusters methods required permissions

Jobs methods required permissions

Operations methods required permissions

Workflow templates methods required permissions

Autoscaling policies methods required permissions

Node groups methods required permissions

Dataproc roles

Dataproc Administrator

Dataproc Editor

Dataproc Hub Agent

Dataproc Serverless Editor

Dataproc Serverless Node.

Dataproc Serverless Viewer

Dataproc Service Agent

Dataproc Viewer

Dataproc Worker

Project roles

IAM roles and Dataproc operations summary

Service accounts

IAM management

What's next

Dataproc IAM roles and permissions