This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Unable to create a dataflow template in GCP due to ActAs permission

Posted on 04-03-2024 06:39 AM
DikshaBhatia
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am trying to create a data flow template from spanner to big query but and have created a new service account for the same with below roles 
BigQuery Data Editor
BigQuery Job User
BigQuery User
Cloud KMS CryptoKey Encrypter/Decrypter
Cloud Spanner
Database User
Cloud Spanner Viewer
Dataflow Developer
Dataflow Worker
Service Account User
Storage Admin
Storage Object Creator
Storage Object User
but when trrying to create a tempalte i am getting below. error 
Current user cannot act as service account svc@.iam.gserviceaccount.com. If the service account belongs to the current project, please grant your user account one of [Owner, Editor, Service Account User| roles, or any other role that includes the iam.serviceAccounts.actAs permission. See https://cloud.google.com/iam/docs/service-accounts-actas for additional details. If the service account belongs to another project, please disable the iam.disableCrossProjectServiceAccountUsage org-policy constraint on the project the service account belongs to. See https://cloud.google.com/iam/docs/attach-service-accounts #attaching-different-project for additional details. Causes: (7ffa8022b66f4940): Current user cannot act as service account svc@.iam.gserviceaccount.com. If the service account belongs to the current project, please grant your user account one of [Owner, Editor, Service Account User] roles, or any other role that includes the iam.serviceAccounts.actAs permission. See https://cloud.google.com/iam/docs/service-accounts-actas for additional details. If the service account belongs to another project, please disable the iam.disableCrossProjectServiceAccountUsage org-policy constraint on the project the service account belongs to.  
I verified disableCrossProjectServiceAccountUsage is not enabled

0 1 76
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
lawrencenelson
Staff
Reply posted on --/--/---- --:-- AM

Hi @DikshaBhatia,

Welcome to the Google Cloud Community!

For the error code:

 

ERROR: (gcloud.dataflow.jobs.run) PERMISSION_DENIED: (**********): Current user cannot act as service account {SERVICE-ACCOUNT}.
Causes: (**********): Current user cannot act as service account {SERVICE-ACCOUNT}.

 

Kindly run through and recreate the service account by following this documentation - Specify a user-managed worker service account.

Additionally, make sure that your user account must have the iam.serviceAccounts.actAs permission and that the service account in the same project as the Dataflow job, else, you'll need to configure the service account if you're going to use it across different projects.

Let me know if it worked. Thank you!

 

Top Solution Authors
View all