Grant Dataform access to BigQuery

This document shows you how to grant your Dataform service account the Identity and Access Management (IAM) roles required to execute workflows in BigQuery.

About the Dataform service account and required roles

When you create your first Dataform repository, Dataform automatically generates a service account. Dataform uses the service account to interact with BigQuery on your behalf.

Your Dataform service account ID is in the following format:

service-YOUR_PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com

Replace YOUR_PROJECT_NUMBER with the numeral ID of your Google Cloud project. You can find your Google Cloud project ID in the Google Cloud console dashboard. For more information, see Identifying projects.

The Dataform service account requires the following BigQuery IAM roles to be able to execute workflows in BigQuery:

• BigQuery Data Editor on projects to which Dataform needs both read and write access. They usually include the project hosting your Dataform repository.
• BigQuery Data Viewer on projects to which Dataform needs read only access.
• BigQuery Job User on the project hosting your Dataform repository.

Before you begin

1. In the Google Cloud console, go to the Dataform page.

   Go to the Dataform page

2. Select or create a repository.

Grant your Dataform service account the required BigQuery roles

To grant the Dataform service account the roles required to execute workflows in BigQuery, follow these steps:

1. In the Google Cloud console, go to the IAM page.

   Go to the IAM page

2. Click Add.

3. In the New principals field, enter your Dataform service account ID.

4. In the Select a role drop-down list, select the BigQuery Job User role.

5. Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Editor role.

6. Click Add another role, and then in the Select a role drop-down list, select the BigQuery Data Viewer role.

7. Click Save.

What's next

• To learn more about BigQuery IAM roles and permissions, see Access control with IAM.
• To learn more about granting granular permissions to BigQuery datasets, see Controlling access to datasets.
• To learn more about granting granular permissions to BigQuery tables, see Controlling access to tables and views.
• To learn how to trigger an execution in Dataform, see Trigger execution.