Hi,
I am currently working with a custom service account and have granted it the BigQuery and Service Account Token Creator roles. However, when I try to trigger a Dataform task, I encounter the following error:
[default dataform service account] cannot actAs [custom service account], please grant the Service Account Token Creator role: generic::permission_denied: IAM permission denied for service
Additionally, I cannot find any information regarding the Dataform default service account on the IAM page, even though it does appear when I use the `gcloud auth list` command in the Google SDK.
I would greatly appreciate any guidance on why the custom service account is unable to trigger the Dataform task, and why the Dataform default service account is not visible on the IAM page.
Thank you for your help.
Hi @Winni,
Welcome to Google Cloud Community!
The error you're seeing indicates that you need to assign the "Service Account Token Creator" role to the Dataform default service account to allow it to impersonate and use your custom service accounts. Additionally, it may be helpful to review this related post in the Google Cloud Community for more context.
Meanwhile, the reason you can’t see the Dataform default service account on the IAM page is that, by default, these accounts aren’t displayed since they aren’t created within your project, even if they have been granted roles in it. To make them visible, simply check the Include Google-provided role grants box in the Google Cloud Console.
For further information, refer to the documentation on service account impersonation to understand how this process works in more detail.
I hope the above information is helpful.
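The fix described in the answer above, worked through as an added example (this is not code from the original thread or from Google): the Dataform service agent needs `roles/iam.serviceAccountTokenCreator` on the custom service account, and the least-privilege way to grant it is on the service-account resource itself rather than project-wide. The script builds the `gcloud` commands, can apply them with `--apply`, and checks the SA-level policy JSON (the output of `gcloud iam service-accounts get-iam-policy --format=json`) for the binding. The project number, the custom SA email and the sample policy are constructed placeholders; the `service-PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com` pattern for the Dataform service agent is an assumption, so confirm it against `gcloud auth list` or the Dataform settings page in your own project.

```python
"""Grant the Dataform service agent permission to impersonate a custom
service account, and verify the binding exists on the SA-level IAM policy.

Added example; assumptions are marked below.
"""
import json
import subprocess
import sys
from typing import Dict, List

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Placeholders (assumed values): replace with your own project number / SA.
PROJECT_NUMBER = "123456789012"
CUSTOM_SA = "dataform-runner@my-project.iam.gserviceaccount.com"


def dataform_default_sa(project_number: str) -> str:
    """Email of the Google-managed Dataform service agent (assumed pattern)."""
    return f"service-{project_number}@gcp-sa-dataform.iam.gserviceaccount.com"


def grant_actas_cmd(custom_sa: str, agent_email: str) -> List[str]:
    """gcloud command granting Token Creator on the custom SA resource only.

    Binding on the service account (not the project) stops the agent from
    being able to mint tokens for every SA in the project.
    """
    return [
        "gcloud", "iam", "service-accounts", "add-iam-policy-binding", custom_sa,
        f"--member=serviceAccount:{agent_email}",
        f"--role={TOKEN_CREATOR}",
    ]


def get_policy_cmd(custom_sa: str) -> List[str]:
    """gcloud command that dumps the SA-level IAM policy as JSON."""
    return ["gcloud", "iam", "service-accounts", "get-iam-policy",
            custom_sa, "--format=json"]


def has_token_creator(policy: Dict, agent_email: str) -> bool:
    """True if the policy lets agent_email create tokens for this SA."""
    member = f"serviceAccount:{agent_email}"
    for binding in policy.get("bindings", []):
        if binding.get("role") == TOKEN_CREATOR and member in binding.get("members", []):
            return True
    return False


def with_token_creator(policy: Dict, agent_email: str) -> Dict:
    """Pure equivalent of add-iam-policy-binding: returns a new policy with
    the Token Creator binding for agent_email added (idempotent)."""
    member = f"serviceAccount:{agent_email}"
    new_policy = json.loads(json.dumps(policy))  # deep copy, keep etag/version
    for binding in new_policy.setdefault("bindings", []):
        if binding.get("role") == TOKEN_CREATOR:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": TOKEN_CREATOR, "members": [member]})
    return new_policy


# Constructed sample of a custom SA's policy before the grant: the agent
# has no actAs / token-creation rights, which is exactly the error state.
SAMPLE_POLICY_BEFORE = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyz",
    "version": 1,
}


def main() -> None:
    agent = dataform_default_sa(PROJECT_NUMBER)
    if "--apply" in sys.argv:
        # Real run: grant, then re-read the policy and confirm the binding.
        subprocess.run(grant_actas_cmd(CUSTOM_SA, agent), check=True)
        out = subprocess.run(get_policy_cmd(CUSTOM_SA), check=True,
                             capture_output=True, text=True).stdout
        policy = json.loads(out)
    else:
        # Offline dry run against the constructed sample policy.
        print("would run:", " ".join(grant_actas_cmd(CUSTOM_SA, agent)))
        policy = with_token_creator(SAMPLE_POLICY_BEFORE, agent)
    print("binding present:", has_token_creator(policy, agent))


if __name__ == "__main__":
    main()
```

Without `--apply` the script only prints the command it would run and demonstrates the check on the sample policy; with `--apply` it calls `gcloud` for real and then verifies the binding came back from `get-iam-policy`, which is the check worth keeping in a CI job so the Dataform grant cannot silently disappear.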