Hi Team,
In restarting / re-spawning our Beam Enrich in GCP, we got this error relating to IAM:
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "(6d70648afd89c9a1): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com. Enforced by Org Policy constraint constraints/dataflow.enforceComputeDefaultServiceAccountCheck. https://cloud.google.com/iam/docs/service-accounts-actas Causes: (6d70648afd89ce83): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com.",
"reason" : "forbidden"
} ],
"message" : "(6d70648afd89c9a1): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com. Enforced by Org Policy constraint constraints/dataflow.enforceComputeDefaultServiceAccountCheck. https://cloud.google.com/iam/docs/service-accounts-actas Causes: (6d70648afd89ce83): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com.",
"status" : "PERMISSION_DENIED"
}
Beam Enrich is version: beam-enrich-1.0.0-rc2
Last restart of the pipeline was in Feb. I guess Google might have changed Dataflow policies sometime this year. We tried multiple policies for the flagged GCP IAM service account. It currently has these roles now:
The pipeline only required the ‘Editor’ role to run before.
Is there something that we’re missing here?
Thanks in advance.