Impersonation in Metastore
Note: This feature is in the Preview stage.
Impersonation allows a Metastore cluster to work with cloud resources on behalf of a service account.
By default, a Metastore cluster has no permissions to access user resources. To grant access, create a service account with the required roles and attach it to the Metastore cluster when you create the cluster. Metastore then gets access to user resources by authorizing on behalf of that service account.
The roles required for the service account depend on which service you are going to use Metastore with. For example, you need the logging.writer role to configure cluster log export in Yandex Cloud Logging, and the monitoring.editor role to use Yandex Monitoring dashboards.
When creating a service account for Metastore, we recommend using the managed-metastore.integrationProvider role as it already includes the logging.writer and monitoring.editor roles. For more information about this role, see this reference.