datafusion/ERR/2022_007
Product: Cloud Data Fusion
Rule class: ERR - Something that is very likely to be wrong
Description
The Google-managed service account, called the Cloud Data Fusion API Service Agent, is created by Cloud Data Fusion to gain access to customer resources so that it can act on the customer’s behalf. It is used in the tenant project to access customer project resources. It is also know as the Cloud Data Fusion Service Account. Although a Cloud Data Fusion instance has Cloud Data Fusion Service Account associated with it the Project may or may not contain a Cloud Data Fusion Service Account. The reason could be either an accidental deletion by user via Terraform, CLI or console.
In this case the Cloud Data Fusion has no way of knowing about this deletion which may to an improper operation of CDF instance.
Remediation
Create a Cloud Data Fusion service account by specifying a role. The Service Account cannot be created without a role. For example, this can be done using the GCP Console or by running the following gcloud tool command :
gcloud projects add-iam-policy-binding PROJECT_ID --member='serviceAccount:service-PROJECT_ID@gcp-sa-datafusion.iam.gserviceaccount.com' --role='roles/datafusion.serviceAgent'
where $PROJECT_ID should be the id of the project in which the Data Fusion instance is running.