By default, Data Fusion has read and write access to BigQuery, GCS, Pub/Sub, Spanner, and Bigtable in the project where the Data Fusion instance is created. To access other GCP resources, or any of the above-mentioned GCP resources in a different project, follow the instructions below.
Before you begin
Create a Data Fusion instance
Doing a task
Data Fusion uses a service account to access GCP resources in Wrangler, in preview, and for pipelines running on Dataproc. The service account has the following format: service-<some_number>@gcp-sa-datafusion.iam.gserviceaccount.com. Any additional GCP resource that Data Fusion needs to access must grant the appropriate permissions to this service account.
For example, to add access to Datastore, follow the steps below:
In the GCP Console, open the IAM & Admin page.
In the left bar, click IAM.
Edit the roles for service-<some_number>@gcp-sa-datafusion.iam.gserviceaccount.com.
On the Edit permissions page, add the role Cloud Datastore Owner.
Click Save.
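
To confirm the grant after saving, the check below reads the project's IAM policy as exported by `gcloud projects get-iam-policy PROJECT --format=json`. It reports which Data Fusion service accounts hold the required role unconditionally and which also hold a project-wide basic role. This is an added example, not part of the original instructions: the sample policy is constructed, the function names are hypothetical, and it assumes roles/datastore.owner is the role ID behind Cloud Datastore Owner.

```python
import json
import re

# Member format from the text above: service-<some_number>@gcp-sa-datafusion...
DF_MEMBER = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-datafusion\.iam\.gserviceaccount\.com$")
BASIC_ROLES = {"roles/owner", "roles/editor"}  # project-wide, broader than one service

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json` output.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/datastore.owner", "members": [
     "serviceAccount:service-123456789012@gcp-sa-datafusion.iam.gserviceaccount.com",
     "user:alice@example.com"]},
  {"role": "roles/editor", "members": [
     "serviceAccount:service-123456789012@gcp-sa-datafusion.iam.gserviceaccount.com"]},
  {"role": "roles/datastore.viewer",
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"},
   "members": [
     "serviceAccount:service-210987654321@gcp-sa-datafusion.iam.gserviceaccount.com"]}
]}
""")


def datafusion_grants(policy):
    """Return {member: [(role, is_conditional), ...]} for Data Fusion accounts only."""
    grants = {}
    for binding in policy.get("bindings", []):
        conditional = "condition" in binding  # role applies only while the condition holds
        for member in binding.get("members", []):
            if DF_MEMBER.match(member):
                grants.setdefault(member, []).append((binding["role"], conditional))
    return grants


def review(policy, required_role):
    """Report who holds required_role unconditionally and who holds a basic role."""
    grants = datafusion_grants(policy)
    has_required = sorted(m for m, g in grants.items() if (required_role, False) in g)
    too_broad = sorted((m, r) for m, g in grants.items() for r, _ in g if r in BASIC_ROLES)
    return {"has_required": has_required, "too_broad": too_broad}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_POLICY, "roles/datastore.owner"), indent=2))
```

An empty has_required list means the role was not saved for the Data Fusion account in this project, or was saved only under a condition.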