Grant Dataform required access

This document shows you how to grant the Identity and Access Management (IAM) roles required by Dataform service accounts to execute workflows in BigQuery.

About service accounts in Dataform

When you create your first Dataform repository, Dataform automatically generates a default service account. Dataform uses the default service account to interact with BigQuery on your behalf. The default Dataform service account is not granted any BigQuery roles or permissions by default. You must grant the required access to the default Dataform service account.

Your default Dataform service account ID is in the following format:

service-YOUR_PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com

Replace YOUR_PROJECT_NUMBER with the numeral ID of your Google Cloud project. You can find your Google Cloud project ID in the Google Cloud console dashboard. For more information, see Identifying projects.

In addition to the default Dataform service account, you can use other service accounts to execute workflows on your behalf. You can configure non-default service accounts:

When you create a Dataform repository or workflow configuration, you can select any service account associated with your Google Cloud project that you have access to. You must configure required permissions for all service accounts associated with your Dataform resources.

Required roles for Dataform service accounts

Default and non-default service accounts used in Dataform require the following BigQuery IAM roles to be able to execute workflows in BigQuery:

Additionally, you need to grant the default Dataform service account Service Account Token Creator(roles/iam.serviceAccountTokenCreator) access to any non-default service accounts that you want to use in Dataform.

Before you begin

  1. In the Google Cloud console, go to the Dataform page.

    Go to the Dataform page

  2. Select or create a repository.

Grant required BigQuery roles to a service account used in Dataform

To grant the required BigQuery IAM roles to your default Dataform service account, or a non-default service account that you want to use in Dataform, follow these steps:

  1. In the Google Cloud console, go to the IAM page.

    Go to the IAM page

  2. Click Grant Access.

  3. In the New principals field, enter the service account ID.

  4. In the Select a role drop-down list, select the BigQuery Job User role.

  5. Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Editor role.

  6. Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Viewer role.

  7. Click Save.

Grant token creation access to a non-default service account

To use a non-default service account in Dataform, the default Dataform service account must be able to access the non-default service account. To grant this access, you need to add the default Dataform service account as a principal to the non-default service account with the Service Account Token Creator role.

To grant the default Dataform service account access to a non-default service account, follow these steps:

  1. In the Google Cloud console, go to IAM > Service accounts.

    Go to the Service accounts page

  2. Select a project.

  3. On the Service accounts for project "YOUR_PROJECT_NAME" page, select a service account.

  4. Go to Permissions, and then click Grant Access.

  5. In the New principals field, enter your default Dataform service account ID.

  6. In the Select a role drop-down list, select the Service Account Token Creator role.

  7. Click Save.

What's next