Insights uses per-project service accounts to access resources in the customer project—such as audio and transcript files in your Google Cloud storage bucket—during analysis. Each project's service account is automatically created the first time you access any user resources. By default, the service account is automatically given some default access—such as Google Cloud storage access—to the project.
After you create your first analysis, you should see the service account permissions in your project's IAM settings. If you accidentally remove or don't see the service account permissions, then you can manually give it access to the correct permissions. The account always has the form:
service-<project_number>@gcp-sa-contactcenterinsights.iam.gserviceaccount.com
To change an account's permissions manually, navigate to the IAM panel of the Insights console and give that user the contactcenterinsights.serviceAgent permission. The service account can also be given fine-grained permissions, though too many of these can lead to instability.
If you see an error message like the following, first verify that your Insights service account exists in your IAM configuration.
"message": "IAM permission 'dialogflow.participants.suggest' on 'projects/<project>/locations/global/conversations/fake_conversation_id/participants/fake_participant_id' denied."
Then, make sure Include Google-provided role grants is checked: