datafusion/ERR/2022_011
Cloud Data Fusion version >= 6.2.0 has a storage admin role
Product: Cloud Data Fusion
Rule class: ERR - Something that is very likely to be wrong
Description
In Cloud Data Fusion versions 6.2.0 and above, the service account that Dataproc clusters run as must be granted the Cloud Storage Admin role (roles/storage.admin). This role grants full control of buckets and objects: bound on the project, it covers every bucket in the project; bound on an individual bucket, control applies only to that bucket and the objects within it. Because the role is broad, bind it only to the service account that Dataproc actually uses, not to other identities.
Remediation
Add an IAM policy binding for the role to the service account that Dataproc uses. By default this is the Compute Engine default service account, PROJECT_NUMBER-compute@developer.gserviceaccount.com (note that its name contains the project number, not the project ID). If the Data Fusion compute profile or the Dataproc cluster is configured with a custom service account, bind the role to that account instead. A binding always pairs a member with a role, so --role is required. For example, this can be done using the GCP Console or by running the following gcloud tool command:
gcloud projects add-iam-policy-binding PROJECT_ID --member='serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com' --role='roles/storage.admin'
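The check this rule performs can be reproduced offline against the output of gcloud projects get-iam-policy PROJECT_ID --format=json. The script below is an added example, not gcpdiag's own implementation: it parses a constructed sample policy (the project number, member names and condition are made up) and reports, per service account, whether roles/storage.admin is bound unconditionally, only through a conditional binding, or not at all. Conditional bindings are reported separately because they apply only while the condition expression is true, so a naive "is the member in the binding" check would give a false pass.

```python
"""Offline check for the roles/storage.admin binding that Cloud Data Fusion
>= 6.2.0 requires on the Dataproc service account.

Added example, not part of gcpdiag. SAMPLE_POLICY_JSON is a constructed
policy in the shape returned by
  gcloud projects get-iam-policy PROJECT_ID --format=json
Project number, members and the condition expression are made up.
"""
import json

STORAGE_ADMIN = "roles/storage.admin"

# Constructed sample policy (not real data).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/dataproc.worker",
      "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]
    },
    {
      "role": "roles/storage.admin",
      "members": ["serviceAccount:dataproc-custom@example-project.iam.gserviceaccount.com"],
      "condition": {
        "title": "staging-bucket-only",
        "expression": "resource.name.startsWith('projects/_/buckets/df-staging')"
      }
    },
    {
      "role": "roles/storage.admin",
      "members": ["user:admin@example.com"]
    }
  ],
  "etag": "BwXyZ123",
  "version": 3
}
"""


def compute_default_sa(project_number):
    """Member string of the Compute Engine default service account, which
    Dataproc uses unless a custom service account was configured.
    The name carries the project NUMBER, not the project ID."""
    return f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"


def storage_admin_status(policy, member):
    """Return 'ok' if MEMBER holds roles/storage.admin through an
    unconditional project-level binding, 'conditional' if only through a
    binding that carries an IAM condition, and 'missing' otherwise.

    This mirrors the rule's check for the explicit role; it is not an
    effective-permission check (roles/owner or a custom role carrying the
    same permissions would not be recognised)."""
    status = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != STORAGE_ADMIN:
            continue
        if member not in binding.get("members", []):
            continue
        if "condition" in binding:
            # Applies only while the condition holds; keep looking for an
            # unconditional binding before deciding.
            status = "conditional"
        else:
            return "ok"
    return status


def check_policy(policy_json, members):
    """Parse a get-iam-policy JSON document and report the status of each
    member that Dataproc might run as."""
    policy = json.loads(policy_json)
    return {m: storage_admin_status(policy, m) for m in members}


if __name__ == "__main__":
    candidates = [
        compute_default_sa("123456789012"),
        "serviceAccount:dataproc-custom@example-project.iam.gserviceaccount.com",
    ]
    for member, status in check_policy(SAMPLE_POLICY_JSON, candidates).items():
        print(f"{status:12} {member}")
```

Run it against a real project by replacing SAMPLE_POLICY_JSON with the output of the get-iam-policy command and listing every service account your Dataproc clusters or Data Fusion compute profiles are configured to use. A "missing" result for the account Dataproc actually runs as is what this rule flags; a "conditional" result needs a manual look at the condition expression.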