IAM Error in restarting Beam Enrich Pipeline

Hi Team,

In restarting / re-spawning our Beam Enrich in GCP, we got this error relating to IAM:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "(6d70648afd89c9a1): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com. Enforced by Org Policy constraint constraints/dataflow.enforceComputeDefaultServiceAccountCheck. https://cloud.google.com/iam/docs/service-accounts-actas Causes: (6d70648afd89ce83): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com.",
    "reason" : "forbidden"
  } ],
  "message" : "(6d70648afd89c9a1): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com. Enforced by Org Policy constraint constraints/dataflow.enforceComputeDefaultServiceAccountCheck. https://cloud.google.com/iam/docs/service-accounts-actas Causes: (6d70648afd89ce83): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com.",
  "status" : "PERMISSION_DENIED"
}

Beam Enrich is version: beam-enrich-1.0.0-rc2

Last restart of the pipeline was in Feb; I guess Google might have changed Dataflow policies sometime this year. We tried multiple policies for the flagged GCP IAM service account. It currently has these roles:

The pipeline only required the ‘Editor’ role to run before.

Is there something that we’re missing here?

Thanks in advance.

Hi @dana.redena,

I am not aware of the requirements for the job having changed off the top of my head. But from the error message, could this be something coming from an internal policy change?

Enforced by Org Policy constraint constraints/dataflow.enforceComputeDefaultServiceAccountCheck.

Is it possible someone has created an Org wide policy which is external to the Project you are running within that is breaking your Dataflow Job?

Cheers,
Josh

Hi Josh,

Turns out that the IAM being flagged in the error is not the culprit (it flags the default Compute Engine IAM). Had to assign Dataflow Worker access, as documented by GCP, to the GOOGLE_APPLICATION_CREDENTIALS IAM instead.

Got a lead from this Stack Overflow answer:

Posting in case other people might encounter similar errors.

Thanks,
Dana

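A small triage helper for the 403 quoted at the top of the thread, added here as an example; it is not code from the thread, from Snowplow or from Google. It takes the raw exception dump (the Java exception line followed by the JSON body), pulls out the HTTP status, the Org Policy constraint and the service accounts named in the message, flags whether the named account is the default Compute Engine service account (the account Dana found was not the real culprit), and returns read-only gcloud commands to confirm where the permission is actually missing. It assumes only the message shape shown on the page; the project id and the runner service account (the one behind GOOGLE_APPLICATION_CREDENTIALS) are hypothetical placeholders, since the thread redacts both.

```python
"""Triage a Dataflow 'Current user cannot act as service account' 403."""
import json
import re

# Sample input constructed from the error text quoted in the thread.
SAMPLE_ERROR = """Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "(6d70648afd89c9a1): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com. Enforced by Org Policy constraint constraints/dataflow.enforceComputeDefaultServiceAccountCheck. https://cloud.google.com/iam/docs/service-accounts-actas Causes: (6d70648afd89ce83): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com.",
    "reason" : "forbidden"
  } ],
  "message" : "(6d70648afd89c9a1): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com. Enforced by Org Policy constraint constraints/dataflow.enforceComputeDefaultServiceAccountCheck. https://cloud.google.com/iam/docs/service-accounts-actas Causes: (6d70648afd89ce83): Current user cannot act as service account REDACTED-compute@developer.gserviceaccount.com.",
  "status" : "PERMISSION_DENIED"
}
"""

# Service account e-mails and Org Policy constraint names as they appear in the message.
SA_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.gserviceaccount\.com")
CONSTRAINT_RE = re.compile(r"constraints/[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*")
# Suffix of every project's default Compute Engine service account.
DEFAULT_COMPUTE_SUFFIX = "-compute@developer.gserviceaccount.com"


def parse_dataflow_iam_error(text):
    """Return the structured facts inside a GoogleJsonResponseException dump."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON body found in error text")
    body = json.loads(text[start:])
    message = body.get("message", "")
    accounts = []
    for sa in SA_RE.findall(message):  # de-duplicate, keep first-seen order
        if sa not in accounts:
            accounts.append(sa)
    constraint = CONSTRAINT_RE.search(message)
    errors = body.get("errors") or []
    return {
        "http_code": body.get("code"),
        "status": body.get("status"),
        "reason": errors[0].get("reason") if errors else None,
        "constraint": constraint.group(0) if constraint else None,
        "service_accounts": accounts,
        "flags_default_compute_sa": any(sa.endswith(DEFAULT_COMPUTE_SUFFIX) for sa in accounts),
    }


def suggest_checks(info, project, runner_sa):
    """Read-only gcloud commands to see which binding is missing.

    `project` and `runner_sa` (the account behind GOOGLE_APPLICATION_CREDENTIALS)
    are supplied by the caller; the thread redacts both.
    """
    cmds = []
    if info["constraint"]:
        # The effective policy tells you whether the constraint comes from the org,
        # a folder or the project itself (Josh's question in the thread).
        short_name = info["constraint"].split("/", 1)[1]
        cmds.append(
            f"gcloud resource-manager org-policies describe {short_name} "
            f"--project={project} --effective"
        )
    if info["service_accounts"]:
        # Who is allowed to act as the worker SA the job wants to run under.
        worker_sa = info["service_accounts"][0]
        cmds.append(f"gcloud iam service-accounts get-iam-policy {worker_sa} --project={project}")
    # Project-level roles held by the account that actually submits the job.
    cmds.append(
        f"gcloud projects get-iam-policy {project} "
        f'--flatten="bindings[].members" --format="table(bindings.role)" '
        f'--filter="bindings.members:serviceAccount:{runner_sa}"'
    )
    return cmds


if __name__ == "__main__":
    facts = parse_dataflow_iam_error(SAMPLE_ERROR)
    print(json.dumps(facts, indent=2))
    for cmd in suggest_checks(facts, "my-project", "enrich-runner@my-project.iam.gserviceaccount.com"):
        print(cmd)
```

When `flags_default_compute_sa` is true together with the `dataflow.enforceComputeDefaultServiceAccountCheck` constraint, the thing to inspect is the job-submitting principal's bindings (the third command), not the default Compute Engine account's own roles, which is exactly the detour Dana describes above.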

Thanks for following up @dana.redena!