Minimum permissions required for the Cloud Data Fusion Service Account

This document explains which permissions to give to theCloud Data Fusion Service Account when you create a custom role thatlets it access your resources.

Note: The principal name for theCloud Data Fusion Service Accountisservice-CUSTOMER_PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com

By default, theCloud Data Fusion API Service Agent(roles/datafusion.serviceAgent) Identity and Access Management role is assigned to theCloud Data Fusion Service Account. This role is highly permissive.Instead, you can use custom roles to provide only the permissions that theservice account principal needs.

For more information about the Cloud Data Fusion service accounts, seeService accounts in Cloud Data Fusion.

For more information about creating custom roles, seeCreate a custom role.

Required permissions for the Cloud Data Fusion Service Account

When you create a custom role for the Cloud Data Fusion Service Account,give the following permissions based on the tasks you plan to perform in yourinstance. This lets Cloud Data Fusion access your resources.

TaskPermissions required
Get Dataproc clusters
  • dataproc.clusters.get
Create Cloud Storage bucket per Cloud Data Fusion instance and upload files for Dataproc job execution
  • storage.buckets.get
  • storage.objects.get
  • storage.buckets.create
  • storage.objects.create
  • storage.objects.update
  • storage.buckets.delete
  • storage.objects.delete
Publish logs to Cloud Logging
  • logging.logEntries.create
Publish Cloud metrics to Cloud Monitoring
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.timeSeries.create
Create a Cloud Data Fusion instance withVPC peering
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.get
Create a Cloud Data Fusion instance with DNS peering zone between customer and tenant projects
  • dns.managedZones.create
  • dns.managedZones.delete
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone
Create a Cloud Data Fusion instance withPrivate Service Connect
  • compute.networkAttachments.get
  • compute.networkAttachments.update
  • compute.networkAttachments.list

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.