The strict act-as mode enables an additional security check for the following user actions in Dataform:
- Creating or updating a repository
- Creating or updating a workflow configuration
- Creating a workflow invocation
- Updating a release configuration
This additional security check requires that the user performing these actions has the `iam.serviceAccounts.actAs` permission on the effective service account, which is the service account whose credentials are used to execute workflows. For more information on service accounts, see Attach service accounts to resources.
You can enable this mode in the following ways:
- When creating a repository
- When updating an existing repository with the `strict_act_as_checks` repository flag
Required roles
To get the permissions that you need to complete the tasks in this document, ask your administrator to grant you the Service Account User (`roles/iam.serviceAccountUser`) IAM role on the custom service account.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Determine the effective service account
You can determine the effective service account that is executing the workflows according to the resource type and the following conditions:
| Resource type | Effective service account |
|---|---|
| Repositories | If you select a service account when you create the repository, then the Otherwise, this defaults to the Dataform service account. |
| Workflow configuration | You can select a service account when you create the workflow configuration. Otherwise, this defaults to the repository's Dataform service account. |
| Workflow invocation | If the compilation result is If you create a workflow invocation from a compilation result, then the Otherwise, this defaults to the repository's Dataform service account. |
Grant the Service Account User IAM role
The Service Account User role (`roles/iam.serviceAccountUser`) contains the `iam.serviceAccounts.actAs` permission, which is required for strict act-as mode. When you use the Dataform API, you must have the Service Account User role granted for the effective service account based on the `projects.locations.repositories` method that you're calling:
- `create` or `patch`
  - If the `Repository.ServiceAccount` property is set, then you should have the Service Account User role granted for that property.
  - If you're calling the `patch` method, then you should have the Service Account User role granted for all the effective service accounts in all the workflow configurations in the repository.
- `workflowConfigs.create` or `workflowConfigs.patch`
  - You should have the Service Account User role granted for the effective service account used in the workflow configuration.
- `releaseConfigs.patch`
  - You should have the Service Account User role granted for all the effective service accounts used in the workflow configurations using this release configuration.
- `workflowInvocations.create`
  - You should have the Service Account User role granted for the effective service account used in the workflow invocation.
For more information, see the required roles for creating a workflow configuration and the required roles for creating a release configuration.
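The following is an added example, not code from the Dataform documentation or the Dataform API: it models the effective-service-account rules in the table above and the per-method rules just listed, and lists the service accounts a caller must hold `roles/iam.serviceAccountUser` on before calling a given `projects.locations.repositories` method. The `Repository` and `WorkflowConfig` classes are a hypothetical simplification of the real resources, the default Dataform service account address is an assumed format with a `PROJECT_NUMBER` placeholder, and the workflow-invocation rule is simplified to a service account the caller passes in (falling back to the repository's).

```python
# Added example (not part of Dataform or its documentation): a small model
# of the effective-service-account rules, used to find which accounts a
# caller needs roles/iam.serviceAccountUser on before an API call.
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed address format of the default Dataform service account;
# PROJECT_NUMBER is a placeholder, not a real value.
DEFAULT_DATAFORM_SA = "service-PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com"


@dataclass
class WorkflowConfig:           # hypothetical simplification of the API resource
    name: str
    release_config: str         # name of the release configuration it uses
    service_account: Optional[str] = None


@dataclass
class Repository:               # hypothetical simplification of the API resource
    name: str
    service_account: Optional[str] = None  # Repository.ServiceAccount, if set
    workflow_configs: List[WorkflowConfig] = field(default_factory=list)


def repository_effective_sa(repo: Repository) -> str:
    """Repository rule: the selected service account, else the Dataform default."""
    return repo.service_account or DEFAULT_DATAFORM_SA


def workflow_config_effective_sa(repo: Repository, wc: WorkflowConfig) -> str:
    """Workflow configuration rule: its own service account, else the repository's."""
    return wc.service_account or repository_effective_sa(repo)


def required_act_as_targets(repo: Repository, method: str,
                            workflow_config: Optional[WorkflowConfig] = None,
                            release_config: Optional[str] = None,
                            invocation_sa: Optional[str] = None) -> List[str]:
    """Sorted list of service accounts the caller must be able to act as
    (Service Account User role) for the given repositories.* method."""
    targets = set()
    if method in ("create", "patch"):
        if repo.service_account:                      # Repository.ServiceAccount set
            targets.add(repo.service_account)
        if method == "patch":                         # every workflow config's effective SA
            for wc in repo.workflow_configs:
                targets.add(workflow_config_effective_sa(repo, wc))
    elif method in ("workflowConfigs.create", "workflowConfigs.patch"):
        if workflow_config is None:
            raise ValueError("workflow_config is required for " + method)
        targets.add(workflow_config_effective_sa(repo, workflow_config))
    elif method == "releaseConfigs.patch":            # configs that use this release config
        for wc in repo.workflow_configs:
            if wc.release_config == release_config:
                targets.add(workflow_config_effective_sa(repo, wc))
    elif method == "workflowInvocations.create":
        # Simplification: the caller supplies the invocation's effective SA.
        targets.add(invocation_sa or repository_effective_sa(repo))
    else:
        raise ValueError("unknown method: " + method)
    return sorted(targets)


def grant_commands(member: str, service_accounts: List[str]) -> List[str]:
    """gcloud commands granting the Service Account User role on each account."""
    return [
        f"gcloud iam service-accounts add-iam-policy-binding {sa} "
        f"--member={member} --role=roles/iam.serviceAccountUser"
        for sa in service_accounts
    ]


def build_sample_repository() -> Repository:
    """Constructed sample data; example-project is not a real project."""
    return Repository(
        name="analytics",
        service_account="dataform-runner@example-project.iam.gserviceaccount.com",
        workflow_configs=[
            WorkflowConfig("daily", "prod"),
            WorkflowConfig("hourly", "prod",
                           "hourly-runner@example-project.iam.gserviceaccount.com"),
            WorkflowConfig("adhoc", "dev"),
        ],
    )


if __name__ == "__main__":
    repo = build_sample_repository()
    member = "user:alice@example.com"  # constructed principal
    for method, kwargs in (("create", {}), ("patch", {}),
                           ("releaseConfigs.patch", {"release_config": "prod"})):
        print(f"== {method}")
        for cmd in grant_commands(member, required_act_as_targets(repo, method, **kwargs)):
            print(cmd)
```

Note that `create` on a repository with no `Repository.ServiceAccount` yields no targets, which follows the rule as stated; `patch` on the same repository still requires the role on every workflow configuration's effective service account, including ones that fall back to the repository default.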
Automatic releases for repositories
When act-as mode is enabled, automatic releases are disabled for Dataform repository release configurations. This doesn't apply to repositories connected to third-party repositories.
In addition, when you enable act-as mode, Dataform checks whether the repository has an automatic release configuration set using a Cron schedule. This doesn't apply to repositories connected to third-party repositories.
What's next
- To learn how to create a repository, see Create a repository.
- To learn how to create a workflow configuration, see Schedule runs.
- To learn how to create a release configuration, see Configure compilations.