- A role is a set of one or more permissions. A role is assigned to users and groups.
- A permission grants access to a resource. Different permissions can grant different access levels to the same resource.
For more information on the service accounts used by to manage security and permissions while running jobs, see https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#security_and_permissions_for_pipelines_on_google_cloud_platform.
Tools for manage IAM policies:
- Google Cloud Console
- gcloud CLI
, the following roles are required. Below, you can review each required role, its purpose, and the permissions that are enabled by it.
|Role||Use||Permissions and roles|
Enables a user to run in a project See below.
Enables the platform to access and modify datasets and storage and to run and manage jobs on behalf of the user within the project
NOTE: When the product is enabled within a project, this role is granted by the project owner as part of the enablement process. For more information, see Enable or Disable Dataprep.
roles/dataprep.projects.user IAM Role
NOTE: These permissions provide basic access to the . Additional features within the product or available through external integrations are considered optional.
List available machine types for jobs
These permissions are required for connections that are common in .
Read and write to
, the base storage for
|storage.buckets.list||Required at project level|
|storage.buckets.get||Get bucket metadata||Required for staging bucket only|
|storage.objects.create||Create files||Required for staging bucket only|
|storage.objects.delete||Delete files||Required for staging bucket only|
|storage.objects.get||Read files||Required for staging bucket only|
|storage.objects.list||List files||Required for staging bucket only|
Read and write to BigQuery, including views and custom SQL:
For Custom SQL query support and launching jobs with BigQuery data sources.
|Required at project level to use BigQuery|
|bigquery.datasets.get||List and get metadata about datasets in project||Can be applied at project level or at individual dataset level|
|bigquery.tables.create||Execute custom queries||Can be applied at project level or at individual dataset level|
|bigquery.tables.get||Create tables in dataset||Can be applied at project level or at individual dataset level|
|bigquery.tables.get||Get table metadata||Can be applied at project level or at individual dataset level|
|bigquery.tables.getData||get table contents||Can be applied at project level or at individual dataset level|
|bigquery.tables.list||List tables in dataset||Can be applied at project level or at individual dataset level|
Additional permissions may be required to use specific features. Individual users may be required to permit
access when the feature is first used.
Enables users to cancel their jobs in progress. It is not required for the product to work but may be helpful to add via IAM roles.
NOTE: A user may be able cancel a job from the , even though the user is not permitted to cancel the job in the running environment. The service account associated with the user's may have the appropriate permissions, but the user's personal account does not. For more information, see Google Service Account Management.
BigQuery publishing options
The following permissions are required to publish to BigQuery:
|bigquery.datasets.create||Create datasets in BigQuery|
|bigquery.datasets.update||Update datasets in BigQuery|
The following permission is not required to publish to BigQuery.
If this permission is not granted to a user, that user requires one of the following permissions to drop or truncate table data in BigQuery:
- The user is granted
owner role on the project.
- The user is granted bigquery.tables.delete for the project.
NOTE: If a user does not have this permission when publishing to a table, the user receives a warning that the target dataset is read-only.
Google Sheets access
|D s ed|
For more information, see Import Google Sheets Data.
Additional Permissions for Cloud IAM
|D s ed|
NOTE: Any change in a user's permissions in must be reflected in the service account assigned to the user.
To run jobs on Every , one of the following must be applied:
User must have
iam.serviceAccounts.actAs permission specified at the project level or in the default compute service account:
Project owners require no additional permissions on the projects that they own. job requires the use of a service account through which the job is submitted to for execution. Each project user must have access to a service account. For more information, see Google Service Account Management.
In addition to the IAM roles above, users must also be granted the following to enable data access based on their Cloud IAM: