datafusion/ERR/2022_004

Cloud Data Fusion Service Account has necessary permissions

Product: Cloud Data Fusion
Rule class: ERR - Something that is very likely to be wrong

Description

The Google-managed service account, called the Cloud Data Fusion API Service Agent, is created by Cloud Data Fusion to gain access to customer resources so that it can act on the customer’s behalf. It is used in the tenant project to access customer project resources.

The roles/datafusion.serviceAgent role is automatically assigned to this account during Cloud Data Fusion API activation and shouldn’t be revoked for Cloud Data Fusion to function correctly.

Remediation

Grant roles/datafusion.serviceAgent to the Cloud Data Fusion service agent. This can be done in the GCP Console or by running the following gcloud command:

gcloud projects add-iam-policy-binding PROJECT_ID --member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com' --role='roles/datafusion.serviceAgent'

where PROJECT_ID and PROJECT_NUMBER identify the project in which the Data Fusion instance exists; with Shared VPC this is either the service project or the host project, depending on where the instance was created. Note that the service agent's e-mail address is built from the project number, not the project ID.
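The check that this rule performs can be reproduced offline against the IAM policy of the project, for example as exported by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The following Python is an added illustration, not gcpdiag's own rule code: it looks for an unconditional roles/datafusion.serviceAgent binding for the service agent and, when the binding is missing, emits the remediation command from above. The project ID, project number and policy documents are constructed sample values; treating a binding that carries an IAM condition as not satisfying the rule is this example's own choice, made because the service agent needs the role at all times.

```python
import json

# Role the Cloud Data Fusion service agent must hold on the customer project.
SERVICE_AGENT_ROLE = "roles/datafusion.serviceAgent"


def service_agent_member(project_number: str) -> str:
    """IAM member string of the Data Fusion service agent for a project.

    Google-managed service agents are addressed by project number, not ID.
    """
    return (f"serviceAccount:service-{project_number}"
            "@gcp-sa-datafusion.iam.gserviceaccount.com")


def has_service_agent_role(policy: dict, project_number: str) -> bool:
    """True if the service agent holds roles/datafusion.serviceAgent
    without an IAM condition in the given policy document."""
    member = service_agent_member(project_number)
    for binding in policy.get("bindings", []):
        if binding.get("role") != SERVICE_AGENT_ROLE:
            continue
        if binding.get("condition"):
            # Conditional grants can lapse; they do not count as the
            # permanent binding this rule expects (example's own choice).
            continue
        if member in binding.get("members", []):
            return True
    return False


def remediation_command(project_id: str, project_number: str) -> str:
    """The gcloud command that restores the binding."""
    return (f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member='{service_agent_member(project_number)}' "
            f"--role='{SERVICE_AGENT_ROLE}'")


def check_policy(policy_json: str, project_id: str, project_number: str) -> dict:
    """Evaluate one project's IAM policy JSON and return a rule result."""
    policy = json.loads(policy_json)
    ok = has_service_agent_role(policy, project_number)
    return {
        "project": project_id,
        "status": "OK" if ok else "ERR",
        "remediation": None if ok else remediation_command(project_id, project_number),
    }


# Constructed sample policies for a fictitious project (number 123456789012).
# With Shared VPC, run the check against the project that hosts the instance.
HEALTHY_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/datafusion.serviceAgent",
         "members": ["serviceAccount:service-123456789012@gcp-sa-datafusion.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})

BROKEN_POLICY = json.dumps({
    "bindings": [
        # The service agent role was revoked; only an unrelated grant remains.
        {"role": "roles/viewer",
         "members": ["serviceAccount:service-123456789012@gcp-sa-datafusion.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})


if __name__ == "__main__":
    for name, policy in (("healthy", HEALTHY_POLICY), ("broken", BROKEN_POLICY)):
        result = check_policy(policy, "my-datafusion-project", "123456789012")
        print(name, result["status"], result["remediation"] or "")
```

Running the script prints `OK` for the healthy policy and `ERR` plus the exact gcloud binding command for the broken one, which is the form in which the finding is most useful to whoever has to apply the fix.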

Further information

Learn more about Granting service account user permission

Learn more about Cloud Data Fusion service accounts

Learn more about Service agents