GCS / BigQuery user account impersonation support

Open cjac opened this issue 1 year ago • 0 comments

Please add a test to exercise an authorization delegation use case

https://issuetracker.google.com/issues/384553523

500 data scientists, a lot of groups (100+), cannot create 100 service accounts

When I create a cluster, it uses the project service account

Instead, it should use my own credentials for interacting with GCS or BigQuery

The way it was working 1.5+ years ago

Grant service account access to GCS bucket

When reads happen, the read should be executed as my user, not the service account

Authorization should be granted by groups

When I create a cluster, I should be able to access the next service using my own principal rather than granting the permissions to the service account.

For a personal cluster, only I will have access. Access will only come from my user. There is no shared concept in this personal cluster.

For general purpose (not personal cluster), access is determined at the time of request (GCS, BigQuery, whatever). The user who launched the job will be the user as whom the service requests are issued.

cjac, Dec 16 '24 21:12