Use strict act-as mode

The strict act-as mode enables an additional security check for the following user actions in Dataform:

  • Creating or updating a repository
  • Creating or updating a workflow configuration
  • Creating a workflow invocation
  • Updating a release configuration

This additional security check requires that the user performing these actions has the iam.serviceAccounts.actAs permission on the effective service account, which is the service account whose credentials are used to run workflows. For more information, see Attach service accounts to resources.

You can enable strict act-as mode in the following ways:

  • When creating a repository
  • When updating an existing repository with the strict_act_as_checks repository flag

Required roles

To get the permissions that you need to complete the tasks in this document, ask your administrator to grant you the Service Account User (roles/iam.serviceAccountUser) IAM role on the custom service account. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Determine the effective service account

You can determine the effective service account that is running the workflows according to the resource type and the following conditions:

Repositories

  • If you select a custom service account when you create the repository, then the Repository.ServiceAccount service account is used.
  • Otherwise, this defaults to the Dataform service agent.

Workflow configuration

  • You can select a custom service account when you create the workflow configuration.
  • Otherwise, this defaults to the repository's Dataform service agent.

Workflow invocation

  • If the compilation result is WORKFLOW_CONFIG, then the workflow configuration's effective service account is used.
  • If you create a workflow invocation from a compilation result, then the WorkflowInvocation.InvocationConfig service account is used if it's set.
  • Otherwise, this defaults to the repository's Dataform service agent.

Grant the Service Account User IAM role

The Service Account User role (roles/iam.serviceAccountUser) contains the iam.serviceAccounts.actAs permission, which is required for the strict act-as mode. When you use the Dataform API, you must have the Service Account User role granted for the effective service account based on the projects.locations.repositories method that you're calling:

  • create or patch
    • If the Repository.ServiceAccount property is set, then you should have the Service Account User role granted on that service account.
    • If you're calling the patch method, then you should have the Service Account User role granted for all the effective service accounts in all the workflow configurations in the repository.
  • workflowConfigs.create or workflowConfigs.patch
    • You should have the Service Account User role granted for the effective service account used in the workflow configuration.
  • releaseConfigs.patch
    • You should have the Service Account User role granted for all the effective service accounts used in the workflow configurations using this release configuration.
  • workflowInvocations.create
    • You should have the Service Account User role granted for the effective service account used in the workflow invocation.
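The following added example (not Dataform's own code) turns the effective-service-account table and the per-method list above into a pre-flight check: given the method you are about to call, it returns the set of service accounts on which the caller must hold iam.serviceAccounts.actAs. It assumes that a workflow configuration without its own service account falls back to the repository's effective service account, and uses a placeholder project number in the service agent address.

```python
# Added example (not Dataform's own code): applies the table above and the per-method
# list to compute which service accounts a caller needs iam.serviceAccounts.actAs on.
# Assumption: a workflow configuration without its own service account falls back to
# the repository's effective service account (the Dataform service agent by default).
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
DATAFORM_AGENT = "service-PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com"  # placeholder

@dataclass
class WorkflowConfig:
    service_account: Optional[str] = None  # custom SA chosen at creation, if any
    release_config: Optional[str] = None   # release configuration it runs from

@dataclass
class Repository:
    service_account: Optional[str] = None  # Repository.ServiceAccount
    workflow_configs: Dict[str, WorkflowConfig] = field(default_factory=dict)

@dataclass
class WorkflowInvocation:
    workflow_config: Optional[str] = None             # set when the source is WORKFLOW_CONFIG
    invocation_service_account: Optional[str] = None  # InvocationConfig service account

def repo_sa(repo: Repository) -> str:
    return repo.service_account or DATAFORM_AGENT

def workflow_config_sa(repo: Repository, cfg: WorkflowConfig) -> str:
    return cfg.service_account or repo_sa(repo)

def invocation_sa(repo: Repository, inv: WorkflowInvocation) -> str:
    if inv.workflow_config is not None:  # invoked from a workflow configuration
        return workflow_config_sa(repo, repo.workflow_configs[inv.workflow_config])
    return inv.invocation_service_account or repo_sa(repo)  # from a compilation result

def act_as_targets(method: str, repo: Repository, cfg: WorkflowConfig = None,
                   inv: WorkflowInvocation = None, release_config: str = None) -> Set[str]:
    """Service accounts the caller must hold iam.serviceAccounts.actAs on for `method`."""
    if method in ("create", "patch"):
        targets = {repo.service_account} if repo.service_account else set()
        if method == "patch":  # patch also covers every workflow configuration
            targets |= {workflow_config_sa(repo, c) for c in repo.workflow_configs.values()}
        return targets
    if method in ("workflowConfigs.create", "workflowConfigs.patch"):
        return {workflow_config_sa(repo, cfg)}
    if method == "releaseConfigs.patch":
        return {workflow_config_sa(repo, c) for c in repo.workflow_configs.values()
                if c.release_config == release_config}
    if method == "workflowInvocations.create":
        return {invocation_sa(repo, inv)}
    raise ValueError(f"unsupported method: {method}")
```

Run the returned set through the IAM testIamPermissions check for each service account before calling the Dataform method, so a missing actAs grant is caught before the call fails.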

To grant the default Dataform service agent the Service Account User role on a custom service account, follow these steps:

  1. In the Google Cloud console, go to IAM > Service accounts.

  2. Select a project.

  3. On the Service accounts for project "PROJECT_NAME" page, select your custom service account.

  4. Go to Principals with access, and then click Grant Access.

  5. In the New principals field, enter your default Dataform service agent ID.

    Your default Dataform service agent ID is in the following format:

    service-PROJECT_NUMBER@gcp-sa-dataform.iam.gserviceaccount.com
    
  6. In the Select a role list, select the Service Account User role.

  7. Click Save.

For more information, see the required roles for creating a workflow configuration and the required roles for creating a release configuration.
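The console steps above perform a read-modify-write of the custom service account's IAM policy. The following added example (not Dataform's own code) shows that operation explicitly: it derives the Dataform service agent address from a project number, adds the agent to the roles/iam.serviceAccountUser binding of an IAM policy document without disturbing other bindings or the etag, and builds the equivalent gcloud command. Fetching and applying the policy against Google Cloud is left to gcloud; the policy dictionary used here is a constructed sample of the IAM API policy shape.

```python
# Added example (not Dataform's own code): the read-modify-write behind the console
# steps above, granting the Dataform service agent roles/iam.serviceAccountUser on a
# custom service account. The policy shape (bindings, members, etag) follows the IAM
# API; applying it is left to gcloud, built here as an argv list but not executed.
import copy
import re
from typing import Dict, List

SERVICE_ACCOUNT_USER = "roles/iam.serviceAccountUser"  # contains iam.serviceAccounts.actAs

def dataform_agent(project_number: str) -> str:
    """Default Dataform service agent address for a project number."""
    if not re.fullmatch(r"\d+", project_number):
        raise ValueError(f"project number must be numeric, got {project_number!r}")
    return f"service-{project_number}@gcp-sa-dataform.iam.gserviceaccount.com"

def add_binding(policy: Dict, member: str, role: str = SERVICE_ACCOUNT_USER) -> Dict:
    """Return a copy of an IAM policy with member added to role.

    Idempotent, keeps the etag for the set-policy call, and never appends to a
    conditional binding (a conditional grant would not be an unconditional actAs).
    """
    updated = copy.deepcopy(policy)
    updated.setdefault("bindings", [])
    for binding in updated["bindings"]:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated

def gcloud_grant_argv(target_sa: str, project_number: str) -> List[str]:
    """gcloud command equivalent to the console steps; returned, not executed."""
    member = f"serviceAccount:{dataform_agent(project_number)}"
    return ["gcloud", "iam", "service-accounts", "add-iam-policy-binding", target_sa,
            f"--member={member}", f"--role={SERVICE_ACCOUNT_USER}"]
```

The same grant is what the automatic-run requirements in the next section call for: the service agent needs actAs on each effective service account that a scheduled workflow configuration uses.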

Effects of strict act-as mode on automatic releases and runs

When strict act-as mode is enabled, it impacts automatic repository releases and automatic workflow executions as follows:

For repositories that aren't connected to third-party repositories:

  • You can't set a Cron schedule for automatic releases in release configurations. This restriction prevents code changes made by a user who lacks the iam.serviceAccounts.actAs permission on the downstream service accounts from being deployed automatically.
  • Scheduled workflow runs using a Cron schedule in workflow configurations remain enabled. For these automated runs to succeed, you must grant the default Dataform service agent the iam.serviceAccounts.actAs permission on the effective service account specified in the workflow configuration.

For repositories that are connected to third-party repositories:

  • Scheduled releases and scheduled workflow runs are permitted.
  • To enable an automatic release from a release configuration or an automatic run from a workflow configuration, you must grant the default Dataform service agent the iam.serviceAccounts.actAs permission on the relevant effective service account:
    • For an automatic release configuration, grant the permission on the effective service accounts of all the workflow configurations that are triggered by this release configuration.
    • For an automatic workflow configuration, grant the permission on the effective service account used by that workflow configuration.

What's next