About service accounts in Dataform
When you create your first Dataform repository, Dataform automatically generates a default service account. Dataform uses the default service account to interact with BigQuery on your behalf.
Your default Dataform service account ID is in the following format:
service-YOUR_PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com
Replace YOUR_PROJECT_NUMBER with the numeral ID of your Google Cloud project. You can find your Google Cloud project ID in the Google Cloud console dashboard. For more information, see Identifying projects.
In addition to the default Dataform service account, you can use other service accounts to execute workflows on your behalf. You can configure non-default service accounts:
At the repository level, to run all workflows in a given repository.
Individually for each workflow configuration.
When you create a Dataform repository or workflow configuration, you can select any service account associated with your Google Cloud project that you have access to. You must configure required permissions for all service accounts associated with your Dataform resources.
Default and non-default service accounts used in Dataform require the following BigQuery IAM roles to be able to execute workflows in BigQuery:
- BigQuery Data Editor on projects to which Dataform needs both read and write access. They usually include the project hosting your Dataform repository.
- BigQuery Data Viewer on projects to which Dataform needs read only access.
- BigQuery Job User on the project hosting your Dataform repository.
- BigQuery Data Owner if you want to query BigQuery datasets.
Additionally, you need to grant the default Dataform service account
Service Account Token Creator(roles/iam.serviceAccountTokenCreator) access to any non-default
service accounts that you want to use in Dataform.
Before you begin
In the Google Cloud console, go to the Dataform page.
Select or create a repository.
If you use VPC Service Controls, exclude BigQuery resources from your VPC Service Controls perimeter to use Dataform. Dataform does not support VPC Service Controls at this time.
Alternatively, you can develop SQL workflows locally with the Dataform CLI.
Grant required BigQuery roles to a service account used in Dataform
To grant the required BigQuery IAM roles to your default Dataform service account, or a non-default service account that you want to use in Dataform, follow these steps:
In the Google Cloud console, go to the IAM page.
Click Grant Access.
In the New principals field, enter the service account ID.
In the Select a role drop-down list, select the BigQuery Job User role.
Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Editor role.
Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Viewer role.
Click Save.
Grant token creation access to a non-default service account
To use a non-default service account in Dataform, the default Dataform service account must be able to access the non-default service account. To grant this access, you need to add the default Dataform service account as a principal to the non-default service account with the Service Account Token Creator role.
To grant the default Dataform service account access to a non-default service account, follow these steps:
In the Google Cloud console, go to the IAM page.
Click Service Accounts, and select a service account.
Click Permissions > Grant Access.
In the New principals field, enter your default Dataform service account ID.
In the Select a role drop-down list, select the Service Account Token Creator role.
Click Save.
What's next
- To learn more about BigQuery IAM roles and permissions, see Access control with IAM.
- To learn more about granting granular permissions to BigQuery datasets, see Controlling access to datasets.
- To learn more about granting granular permissions to BigQuery tables, see Controlling access to tables and views.
- To learn how to trigger an execution in Dataform, see Trigger execution.