Grant Dataform access to BigQuery

This document shows you how to grant the Identity and Access Management (IAM) roles required to execute workflows in BigQuery to service accounts used in Dataform.

About service accounts in Dataform

When you create your first Dataform repository, Dataform automatically generates a default service account. Dataform uses the default service account to interact with BigQuery on your behalf.

Your default Dataform service account ID is in the following format:

service-YOUR_PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com

Replace YOUR_PROJECT_NUMBER with the numeric ID of your Google Cloud project. You can find your Google Cloud project number in the Google Cloud console dashboard. For more information, see Identifying projects.

In addition to the default Dataform service account, you can use other service accounts to execute workflows on your behalf. You can configure a non-default service account when you create a Dataform repository or workflow configuration.

You can select any service account associated with your Google Cloud project that you have access to. You must configure the required permissions for all service accounts associated with your Dataform resources.

Default and non-default service accounts used in Dataform require the following BigQuery IAM roles to be able to execute workflows in BigQuery: BigQuery Job User (roles/bigquery.jobUser), BigQuery Data Editor (roles/bigquery.dataEditor), and BigQuery Data Viewer (roles/bigquery.dataViewer).

Additionally, you need to grant the default Dataform service account the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role on any non-default service account that you want to use in Dataform.

Before you begin

  1. In the Google Cloud console, go to the Dataform page.

  2. Select or create a repository.

  3. If you use VPC Service Controls, exclude BigQuery resources from your VPC Service Controls perimeter to use Dataform. Dataform does not support VPC Service Controls at this time.

    Alternatively, you can develop SQL workflows locally with the Dataform CLI.

Grant required BigQuery roles to a service account used in Dataform

To grant the required BigQuery IAM roles to your default Dataform service account, or a non-default service account that you want to use in Dataform, follow these steps:

  1. In the Google Cloud console, go to the IAM page.

  2. Click Grant Access.

  3. In the New principals field, enter the service account ID.

  4. In the Select a role drop-down list, select the BigQuery Job User role.

  5. Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Editor role.

  6. Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Viewer role.

  7. Click Save.

Grant token creation access to a non-default service account

To use a non-default service account in Dataform, the default Dataform service account must be able to access the non-default service account. To grant this access, you need to add the default Dataform service account as a principal to the non-default service account with the Service Account Token Creator role.

To grant the default Dataform service account access to a non-default service account, follow these steps:

  1. In the Google Cloud console, go to the IAM page.

  2. Click Service Accounts, and select a service account.

  3. Click Permissions > Grant Access.

  4. In the New principals field, enter your default Dataform service account ID.

  5. In the Select a role drop-down list, select the Service Account Token Creator role.

  6. Click Save.
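The two console procedures above, carried out with the gcloud CLI instead, as an added example that is not part of this page. The project ID, project number and the non-default service account e-mail are placeholders; the token-creator binding is set on the service-account resource itself rather than at project level, so the default Dataform service account can mint tokens only for that one account.

```shell
#!/usr/bin/env sh
# Added example (not Google's code). Set DRY_RUN=1 to print the gcloud
# commands instead of running them.
PROJECT_ID="${PROJECT_ID:-my-project-id}"            # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"      # placeholder
DATAFORM_SA="service-${PROJECT_NUMBER}@gcp-sa-dataform.iam.gserviceaccount.com"
CUSTOM_SA="${CUSTOM_SA:-dataform-runner@${PROJECT_ID}.iam.gserviceaccount.com}"  # placeholder

# Roles required for every service account that executes Dataform workflows.
BQ_ROLES="roles/bigquery.jobUser roles/bigquery.dataEditor roles/bigquery.dataViewer"

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Grant the three BigQuery roles to one service account at project level.
grant_bigquery_roles() {
  sa="$1"
  for role in $BQ_ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${sa}" --role="$role" --condition=None
  done
}

# Allow the default Dataform SA to create tokens for ONE non-default SA.
# The binding lives on the service-account resource, not on the project,
# so the Dataform SA cannot impersonate other service accounts.
grant_token_creator() {
  target_sa="$1"
  run gcloud iam service-accounts add-iam-policy-binding "$target_sa" \
    --member="serviceAccount:${DATAFORM_SA}" \
    --role="roles/iam.serviceAccountTokenCreator" --project="$PROJECT_ID"
}

# Check: list the roles the project policy grants to a service account.
show_project_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" --format="value(bindings.role)" \
    --filter="bindings.members:serviceAccount:$1"
}

main() {
  grant_bigquery_roles "$DATAFORM_SA"
  grant_bigquery_roles "$CUSTOM_SA"
  grant_token_creator "$CUSTOM_SA"
  show_project_roles "$CUSTOM_SA"
}
# Usage: source the file, run "DRY_RUN=1; main" to preview, then "main" to apply.
```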

What's next