This document has moved to cloud.google.com: Granting service account user permission. This KB will be removed.

This page describes how to grant service account user permission to Cloud Data Fusion. When Cloud Data Fusion provisions a Dataproc cluster, a user-managed service account can be specified. The virtual machines in that Dataproc cluster then run as that service account. If the user doesn't specify a service account, the default Google-managed Compute Engine service account is used. Regardless of which service account the Dataproc cluster uses, Cloud Data Fusion must have permission to use that service account.

Without the service account user permission, Cloud Data Fusion cannot provision a Dataproc cluster, resulting in the following error when trying to execute a data pipeline:

PROVISION task failed in REQUESTING_CREATE state for program run [pipeline-name] due to Dataproc operation failure: INVALID_ARGUMENT: User not authorized to act as service account '[service-account-name]'

Before you begin

Please read the Dataproc service accounts documentation if you want to provide a user-managed service account in the compute profile in Cloud Data Fusion.

Copy the Cloud Data Fusion service account

  1. In the GCP Console, go to the IAM page.

    Go to the IAM page

  2. From the project selector at the top of the page, choose the project, folder, or organization to which the Cloud Data Fusion instance belongs.

  3. Find and copy the Cloud Data Fusion service account. It is in the format of service-[project-number]@gcp-sa-datafusion.iam.gserviceaccount.com.

Granting Service Account User Permission

  1. In the GCP Console, go to the Service Accounts page.

    Go to the Service Accounts page

  2. Click Select a project, choose a project where the service account you want to use for the Dataproc cluster is located, and click Open.

  3. Select the service account to be used in the Dataproc cluster.

    1. By default, the default Compute Engine service account is used. It is in the format of [project-number]-compute@developer.gserviceaccount.com.

  4. If the info panel is not already visible, click Show info panel. The panel displays a list of roles that have been granted on the service account.

  5. Click Add Member.

  6. Paste the Cloud Data Fusion service account copied previously into the New members box.

  7. Select the Service Account User role.

  8. Click Save.
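
The grant made in the steps above can also be checked at the policy level. The following is an added example, not part of the original page or Google's own code: it inspects the IAM policy of the Dataproc service account (JSON as printed by `gcloud iam service-accounts get-iam-policy [service-account-name] --format=json`) and adds the Service Account User binding only if it is missing. The project number, etag and admin member are constructed sample values; `roles/iam.serviceAccountUser` is the role ID of the Service Account User role.

```python
import copy
import json

ROLE = "roles/iam.serviceAccountUser"  # role ID of "Service Account User"


def datafusion_agent(project_number: str) -> str:
    """IAM member string for the Cloud Data Fusion service account (format from this page)."""
    return f"serviceAccount:service-{project_number}@gcp-sa-datafusion.iam.gserviceaccount.com"


def has_grant(policy: dict, member: str) -> bool:
    """True if `member` holds ROLE through an unconditional binding."""
    return any(
        b.get("role") == ROLE and "condition" not in b and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def with_grant(policy: dict, member: str) -> dict:
    """Return a copy of `policy` with the grant added; same content if already present."""
    updated = copy.deepcopy(policy)  # keeps etag and unrelated bindings intact
    if has_grant(updated, member):
        return updated
    for b in updated.setdefault("bindings", []):
        if b.get("role") == ROLE and "condition" not in b:
            b.setdefault("members", []).append(member)
            return updated
    updated["bindings"].append({"role": ROLE, "members": [member]})
    return updated


# Constructed sample: policy on the service account used by the Dataproc cluster,
# before Cloud Data Fusion has been added as a member.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

if __name__ == "__main__":
    agent = datafusion_agent("123456789012")  # constructed project number
    print("granted before:", has_grant(SAMPLE_POLICY, agent))
    fixed = with_grant(SAMPLE_POLICY, agent)
    print("granted after: ", has_grant(fixed, agent))
    print(json.dumps(fixed, indent=2))
```

Because the binding lives on the individual service account, Cloud Data Fusion can act as that one account only, which is narrower than granting the same role at the project level.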
