Background
Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize workforce employees, partners, and contractors to Google Cloud services.
If Workforce Identity Federation is configured in your project, external identity users can use the Google Cloud console, Google Cloud CLI, and the Managed Service for Apache Spark API to access most Managed Service for Apache Spark resources and features, except the following:
- Managed Service for Apache Spark on GKE
- Managed Service for Apache Spark Personal Authentication
- Managed Service for Apache Spark Service Account Based Secure Multi-tenancy
- The Output section in the Batch and Job details pages and the Recommended Alerts section in the Cluster and Job list pages in the Google Cloud console.
Use Workforce Identity Federation with the Managed Service for Apache Spark Component Gateway
- Configure Workforce Identity Federation by following the Configure Workforce Identity Federation guide.
- Grant external identity users the dataproc.clusters.use role to allow access to the Managed Service for Apache Spark Component Gateway (see Grant IAM roles to principals).
  - For instructions on how to represent external identities in IAM policies, see Represent workforce pool users in IAM policies.
- Create a Managed Service for Apache Spark cluster with Component Gateway enabled.
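The grant step above is where access scope is decided: a workforce pool member can be a single subject, a group, an attribute match, or the whole pool (`/*`). The following script is an added example, not Google's code, that parses the documented workforce pool member formats from a project IAM policy and flags pool-wide grants of the role that carries dataproc.clusters.use; the custom role name and the sample policy are constructed placeholders.

```python
import re

# Member formats for workforce pool identities in IAM policies:
# principal://.../workforcePools/POOL/subject/S, principalSet://.../workforcePools/POOL/{group/G | attribute.A/V | *}
WORKFORCE_MEMBER = re.compile(
    r"^(?P<kind>principal|principalSet)://iam\.googleapis\.com/locations/global/"
    r"workforcePools/(?P<pool>[^/]+)/(?P<selector>.+)$")

def parse_workforce_member(member):
    """Return (pool_id, selector) for a well-formed workforce pool member, else None."""
    m = WORKFORCE_MEMBER.match(member)
    if not m:
        return None
    kind, pool, selector = m.group("kind", "pool", "selector")
    if kind == "principal" and not selector.startswith("subject/"):
        return None  # a single principal is addressed by subject only
    if kind == "principalSet" and selector != "*" and not selector.startswith(("group/", "attribute.")):
        return None
    return pool, selector

def audit_workforce_bindings(policy, role):
    """List every workforce pool member granted `role`; pool-wide (/*) grants are flagged."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        for member in binding.get("members", []):
            parsed = parse_workforce_member(member)
            if parsed is None:
                continue  # Google accounts, service accounts and malformed entries are skipped
            pool, selector = parsed
            findings.append({"member": member, "pool": pool,
                             "pool_wide": selector == "*",
                             "conditional": "condition" in binding})
    return findings

# Constructed sample policy (shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`);
# the role is a hypothetical custom role carrying dataproc.clusters.use.
SAMPLE_ROLE = "projects/PROJECT_ID/roles/componentGatewayUser"
POOL = "principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool"
SAMPLE_POLICY = {"bindings": [
    {"role": SAMPLE_ROLE, "members": [
        POOL + "/*",
        "principal://iam.googleapis.com/locations/global/workforcePools/example-pool/subject/alice@example.com",
        "user:admin@example.com"]},
    {"role": "roles/viewer", "members": [POOL + "/group/data-engineering"]},
    {"role": SAMPLE_ROLE, "members": [POOL + "/attribute.team/spark"],
     "condition": {"title": "business-hours", "expression": "request.time.getHours('UTC') < 18"}},
]}
```

Run `audit_workforce_bindings(SAMPLE_POLICY, SAMPLE_ROLE)` against the policy exported from your project; a finding with `pool_wide` set means every user in that pool can reach the Component Gateway, which is worth narrowing to a group or attribute selector.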
Access cluster web interfaces
See Viewing and Accessing Component Gateway URLs, and note the following differences for external identity users:
Only users who are authenticated with external identities can access the URL for external identities. If a user visits the URL for external identities while not logged in, they are redirected to the authentication portal, where they specify their workforce pool provider name. Next, they are redirected to their identity provider to sign in. Then, they are redirected to the component web interface.
External identities URLs have the following format:
https://UNIQUE_ID-dot-dataproc.byoid.googleusercontent.com
What's next
- Create a cluster with Managed Service for Apache Spark components.