This page explains the service accounts for the following Tabular Workflows:
- Tabular Workflow for End-to-End AutoML
- Tabular Workflow for Forecasting
- Tabular Workflow for TabNet
- Tabular Workflow for Wide & Deep
- Prophet
- ARIMA+
Service accounts for Tabular Workflow for End-to-End AutoML
This workflow uses the following service accounts:
Service account | Description | Default principal | Default name | Can be overridden |
---|---|---|---|---|
Service account for Vertex AI Pipelines | The service account that runs the pipeline | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Compute Engine default service account | Yes |
Service account for Dataflow worker | The service account that runs the Dataflow workers | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Compute Engine default service account | Yes |
AI Platform Service Agent | The service account that runs the training containers | service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com | AI Platform Service Agent | No |
Some of the service accounts can be changed to an account of your choice. See Train a model with End-to-End AutoML for instructions specific to Google Cloud console or the API.
Service account for Vertex AI Pipelines
You must grant the following roles to the service account for Vertex AI Pipelines in the pipeline project:
Role | Permissions |
---|---|
Vertex AI User | aiplatform.metadataStores.get allows the service account to create a pipeline job. aiplatform.models.upload allows the service account to upload the model. |
Storage Object Admin | The storage.objects.get and storage.objects.create permissions of Storage Object Admin allow the service account to access the bucket for the root directory of the pipeline job. The service account needs these permissions even if you are not using a Cloud Storage data source. |
Dataflow Developer | dataflow.jobs.create allows the service account to create Dataflow jobs during evaluation. |
Service Account User | iam.serviceAccounts.actAs allows the Vertex AI Pipelines service account to act as the Dataflow worker service account during evaluation. |
Service account for Dataflow worker
You must grant the following roles to the service account for Dataflow worker in the pipeline project:
Role | Permissions |
---|---|
Dataflow Worker | This role allows the service account to access the resources needed to run Dataflow jobs. |
Storage Object Admin | This role allows the service account to access Cloud Storage buckets. The service account needs these permissions even if you are not using a Cloud Storage data source. This role includes all of the permissions granted by the Storage Object Viewer role. |
You must additionally grant the following roles to the Dataflow worker service account based on your data source type:
Data source | Role | Where to grant the role |
---|---|---|
Standard BigQuery table | BigQuery Data Editor | Project that runs the pipeline |
Standard BigQuery table | BigQuery Job User | Project that runs the pipeline |
Standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Editor | Project that runs the pipeline |
BigQuery view of a standard BigQuery table | BigQuery Job User | Project that runs the pipeline |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Editor | Project that runs the pipeline |
BigQuery external table that has a source Cloud Storage file | BigQuery Job User | Project that runs the pipeline |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Editor | Project that runs the pipeline |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Job User | Project that runs the pipeline |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
Cloud Storage file | Storage Object Viewer | Project that the file belongs to |
The following table provides an explanation of these roles:
Role | Permissions |
---|---|
BigQuery Data Editor | The bigquery.jobs.get and bigquery.jobs.create permissions allow the service account to use BigQuery datasets. bigquery.jobs.create allows the service account to create temporary BigQuery datasets during statistics and example generation. This role includes all of the permissions granted by the BigQuery Data Viewer role. |
BigQuery Job User | bigquery.jobs.create allows the service account to use a BigQuery dataset. |
BigQuery Data Viewer | This role provides the service account with access to the BigQuery dataset. |
Storage Object Viewer | storage.objects.get allows the service account to access a Cloud Storage file. |
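The tables above spread the Dataflow worker's grants across up to four projects, which is where misconfigurations (a missing cross-project Data Viewer, or a broad Editor grant added to make the job run) tend to hide. The following audit script is an added illustration, not Google's own tooling: it encodes the data-source table for the End-to-End AutoML Dataflow worker service account, honours the role containment the page states (Storage Object Admin includes Storage Object Viewer, BigQuery Data Editor includes BigQuery Data Viewer), and diffs the requirement against a constructed IAM policy snapshot. The role IDs are an assumed mapping of the display names above, and the policy shape is a simplified, constructed form of a `get-iam-policy` result.

```python
# Least-privilege audit for the End-to-End AutoML Dataflow worker service
# account. Added illustration; role IDs are an assumed mapping of the display
# names on this page, and the policy snapshot below is constructed sample data.

# Keys for the "Where to grant the role" column; the caller maps each key to a
# real project ID, since a view, its base table, the source file and the
# pipeline may all live in different projects.
PIPELINE, VIEW, TABLE, SOURCE_FILE = "pipeline", "view", "table", "source_file"

ROLE_ID = {  # assumed display-name -> IAM role ID mapping
    "Storage Object Admin": "roles/storage.objectAdmin",
    "Storage Object Viewer": "roles/storage.objectViewer",
    "Dataflow Worker": "roles/dataflow.worker",
    "BigQuery Data Editor": "roles/bigquery.dataEditor",
    "BigQuery Job User": "roles/bigquery.jobUser",
    "BigQuery Data Viewer": "roles/bigquery.dataViewer",
}
# Role containment stated on the page: holding the larger role satisfies a
# requirement for the smaller one.
INCLUDES = {
    "roles/storage.objectAdmin": {"roles/storage.objectViewer"},
    "roles/bigquery.dataEditor": {"roles/bigquery.dataViewer"},
}
BROAD_ROLES = {"roles/owner", "roles/editor"}  # never required by this workflow


def dataflow_worker_grants(source):
    """Grants (project_key, role_id) for the Dataflow worker service account.
    `source` is one of: bq_table, bq_view, bq_external, bq_external_view, gcs_file."""
    need = {(PIPELINE, ROLE_ID["Dataflow Worker"]),
            (PIPELINE, ROLE_ID["Storage Object Admin"])}
    if source == "gcs_file":
        return need | {(SOURCE_FILE, ROLE_ID["Storage Object Viewer"])}
    need |= {(PIPELINE, ROLE_ID["BigQuery Data Editor"]),
             (PIPELINE, ROLE_ID["BigQuery Job User"])}
    if source.endswith("_view"):
        need.add((VIEW, ROLE_ID["BigQuery Data Viewer"]))
    need.add((TABLE, ROLE_ID["BigQuery Data Viewer"]))  # the (external) table itself
    if source.startswith("bq_external"):
        need.add((SOURCE_FILE, ROLE_ID["Storage Object Viewer"]))
    return need


def _held(policy, project, member):
    """Roles `member` holds in `project`, expanded through INCLUDES."""
    held = {role for role, members in policy.get(project, {}).items() if member in members}
    for role in list(held):
        held |= INCLUDES.get(role, set())
    return held


def audit(required, projects, member, policy):
    """Return (missing, broad): grants not yet satisfied as (project_id, role_id),
    and broad roles the member holds in any project the workflow touches."""
    missing, broad = set(), set()
    for key, role in required:
        project = projects[key]
        held = _held(policy, project, member)
        if role not in held:
            missing.add((project, role))
        broad |= {(project, r) for r in held & BROAD_ROLES}
    return missing, broad


# Constructed sample: the pipeline runs in proj-ml, the view lives in
# proj-analytics and its base table in proj-raw. The worker SA was given
# Editor in proj-ml "to make it work" and nothing yet in proj-raw.
WORKER = "serviceAccount:df-worker@proj-ml.iam.gserviceaccount.com"
SAMPLE_PROJECTS = {PIPELINE: "proj-ml", VIEW: "proj-analytics",
                   TABLE: "proj-raw", SOURCE_FILE: "proj-raw"}
SAMPLE_POLICY = {
    "proj-ml": {"roles/editor": {WORKER}, "roles/dataflow.worker": {WORKER},
                "roles/storage.objectAdmin": {WORKER},
                "roles/bigquery.dataEditor": {WORKER}, "roles/bigquery.jobUser": {WORKER}},
    "proj-analytics": {"roles/bigquery.dataEditor": {WORKER}},  # covers Data Viewer
    "proj-raw": {},
}

if __name__ == "__main__":
    missing, broad = audit(dataflow_worker_grants("bq_view"), SAMPLE_PROJECTS, WORKER, SAMPLE_POLICY)
    print("missing:", sorted(missing))  # proj-raw still lacks roles/bigquery.dataViewer
    print("broad:  ", sorted(broad))    # roles/editor in proj-ml exceeds what the workflow needs
```

To run it against a real project, replace SAMPLE_POLICY with the bindings from `gcloud projects get-iam-policy` for each involved project, flattened to the same `{project: {role: {members}}}` shape.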
AI Platform Service Agent
You must ensure that the following role is granted to the AI Platform Service Agent in the pipeline project:
Role | Permissions |
---|---|
Vertex AI Service Agent | This role grants permissions for service agents. These permissions include the storage.objects.get permission and access rights to container images in the Artifact Registry repository. |
If your data source is a BigQuery dataset from another project, you must grant the following roles to the AI Platform Service Agent in the dataset project:
Role | Permissions |
---|---|
BigQuery Data Viewer | bigquery.tables.get allows the service account to get information on the BigQuery dataset before launching a Dataflow job. |
If your data source is a Cloud Storage file from another project, you must grant the following role to the AI Platform Service Agent in the file project:
Role | Permissions |
---|---|
Storage Object Viewer | storage.objects.list allows the service account to get information on the Cloud Storage file before launching a Dataflow job. |
Service accounts for Tabular Workflow for Forecasting
This workflow uses the following service accounts:
Service account | Description | Default principal | Default name | Can be overridden |
---|---|---|---|---|
Service account for Vertex AI Pipelines | The service account that runs the pipeline | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Compute Engine default service account | Yes |
Service account for Dataflow worker | The service account that runs the Dataflow workers | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Compute Engine default service account | Yes |
AI Platform Service Agent | The service account that runs the training containers | service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com | AI Platform Service Agent | No |
Some of the service accounts can be changed to an account of your choice. To learn more, see Train a model with Tabular Workflow for Forecasting.
Service account for Vertex AI Pipelines
You must grant the following roles to the service account for Vertex AI Pipelines in the pipeline project:
Role | Permissions |
---|---|
Vertex AI User | aiplatform.metadataStores.get allows the service account to create a pipeline job. aiplatform.models.upload allows the service account to upload the model. |
BigQuery Data Editor | bigquery.tables.create allows the service account to create temporary tables for Feature Transform Engine prior to launching a Dataflow job. The service account needs this permission even if your data source is not a BigQuery dataset. This role includes all of the permissions granted by the BigQuery Data Viewer role. |
BigQuery Job User | bigquery.jobs.create allows the service account to run BigQuery jobs for Feature Transform Engine prior to launching a Dataflow job. The service account needs this permission even if your data source is not a BigQuery dataset. |
Service Account User | iam.serviceAccounts.actAs allows the Vertex AI Pipelines service account to act as the Dataflow worker service account during evaluation. |
Dataflow Developer | This role provides access to resources needed to run Dataflow jobs. |
You must additionally grant the following roles to the Vertex AI Pipelines service account based on your data source type:
Data source | Role | Where to grant the role |
---|---|---|
Cloud Storage file | Storage Admin | Project that the file belongs to |
Standard BigQuery table | Storage Object Admin | Project that runs the pipeline |
Standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery view of a standard BigQuery table | Storage Object Admin | Project that runs the pipeline |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Admin | Project that runs the pipeline |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Admin | Project that runs the pipeline |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
The following table provides an explanation of these roles:
Role | Permissions |
---|---|
BigQuery Data Viewer | bigquery.tables.get provides the service account with access to the dataset. The service account needs this access prior to launching the Dataflow job in the Feature Transform Engine step of the pipeline. |
Storage Object Viewer | storage.objects.get allows the service account to access the source Cloud Storage file. |
Storage Object Admin | The storage.objects.get and storage.objects.create permissions allow the service account to access the bucket for the root directory of the pipeline job. The service account needs these permissions in the pipeline project even if your data source is not a Cloud Storage file. This role includes all of the permissions granted by the Storage Object Viewer role. |
Storage Admin | storage.buckets.* permissions allow the service account to validate the Cloud Storage bucket in the Feature Transform Engine step of the pipeline. This role includes all of the permissions granted by the Storage Object Admin role. |
If you are performing model evaluation, you must provide a BigQuery dataset to serve as a destination for the predicted examples. In the project that contains this dataset, you must grant the following roles to the Vertex AI Pipelines service account:
Role | Permissions |
---|---|
BigQuery Data Viewer | This role lets the service account view BigQuery data. |
BigQuery Job User | bigquery.jobs.create lets the service account create BigQuery jobs. |
Service account for Dataflow worker
You must grant the following roles to the service account for Dataflow worker in the pipeline project:
Role | Permissions |
---|---|
Storage Object Admin | This role allows the service account to access Cloud Storage buckets. The service account needs these permissions even if your data source is not a Cloud Storage file. |
BigQuery Job User | bigquery.jobs.create allows the service account to perform the Feature Transform Engine step of the pipeline. The service account needs this permission even if your data source is not a BigQuery dataset. |
Dataflow Worker | The service account needs all of the permissions granted by this role. |
You must additionally grant the following roles to the Dataflow worker service account based on your data source type:
Data source | Role | Where to grant the role |
---|---|---|
Standard BigQuery table | BigQuery Data Editor | Project that runs the pipeline |
Standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Editor | Project that runs the pipeline |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Editor | Project that runs the pipeline |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Editor | Project that runs the pipeline |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
Cloud Storage file | BigQuery Data Viewer | Project that runs the pipeline |
The following table provides an explanation of these roles:
Role | Permissions |
---|---|
BigQuery Data Viewer | bigquery.tables.get provides access to the dataset in the Feature Transform Engine step of the pipeline. The service account needs this permission even if your data source is not a BigQuery dataset. |
BigQuery Data Editor | This role lets the service account query the table and create temporary tables during the Feature Transform Engine step of the pipeline. This role includes all of the permissions granted by the BigQuery Data Viewer role. |
Storage Object Viewer | storage.objects.get lets the service account access a Cloud Storage file. |
AI Platform Service Agent
You must ensure that the following role is granted to the AI Platform Service Agent in the pipeline project:
Role | Permissions |
---|---|
Vertex AI Service Agent | This role grants permissions for service agents. These permissions include the storage.objects.get permission and access rights to container images in the Artifact Registry repository. |
If you are performing model evaluation, you must provide a BigQuery dataset to serve as a destination for the predicted examples. In the project that contains this dataset, you must grant the following roles to the Vertex AI Pipelines service account:
Role | Permissions |
---|---|
BigQuery Data Editor | This role lets the service account edit BigQuery data. |
BigQuery Job User | bigquery.jobs.create lets the service account create BigQuery jobs. |
Service accounts for Tabular Workflow for TabNet, Tabular Workflow for Wide & Deep, and Prophet
These workflows use the following service accounts:
Service account | Description | Default principal | Default name | Can be overridden |
---|---|---|---|---|
Service account for Vertex AI Pipelines | The service account that runs the pipeline | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Compute Engine default service account | Yes |
Service account for Dataflow worker | The service account that runs the Dataflow workers | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Compute Engine default service account | Yes |
AI Platform Service Agent | The service account that runs the training containers | service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com | AI Platform Service Agent | No |
Some of the service accounts can be changed to an account of your choice. For Tabular Workflow for TabNet instructions, see Train a model with TabNet. For Tabular Workflow for Wide & Deep instructions, see Train a model with Wide & Deep. For Prophet instructions, see Forecasting with Prophet.
Service account for Vertex AI Pipelines
You must grant the following roles to the service account for Vertex AI Pipelines in the pipeline project:
Role | Permissions |
---|---|
Vertex AI User | aiplatform.metadataStores.get allows the service account to create a pipeline job. aiplatform.models.upload allows the service account to upload the model. |
BigQuery Data Editor | bigquery.tables.create allows the service account to create temporary tables for Feature Transform Engine prior to launching a Dataflow job. The service account needs this permission even if your data source is not a BigQuery dataset. This role includes all of the permissions granted by the BigQuery Data Viewer role. |
BigQuery Job User | bigquery.jobs.create allows the service account to run BigQuery jobs for Feature Transform Engine prior to launching a Dataflow job. The service account needs this permission even if your data source is not a BigQuery dataset. |
Service Account User | iam.serviceAccounts.actAs allows the Vertex AI Pipelines service account to act as the Dataflow worker service account during evaluation. |
Dataflow Developer | This role provides access to resources needed to run Dataflow jobs. |
You must additionally grant the following roles to the Vertex AI Pipelines service account based on your data source type:
Data source | Role | Where to grant the role |
---|---|---|
Cloud Storage file | Storage Admin | Project that the file belongs to |
Standard BigQuery table | Storage Object Admin | Project that runs the pipeline |
Standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery view of a standard BigQuery table | Storage Object Admin | Project that runs the pipeline |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Admin | Project that runs the pipeline |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Admin | Project that runs the pipeline |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
The following table provides an explanation of these roles:
Role | Permissions |
---|---|
BigQuery Data Viewer | bigquery.tables.get provides the service account with access to the dataset. The service account needs this access prior to launching the Dataflow job in the Feature Transform Engine step of the pipeline. |
Storage Object Viewer | storage.objects.get allows the service account to access the source Cloud Storage file. |
Storage Object Admin | The storage.objects.get and storage.objects.create permissions allow the service account to access the bucket for the root directory of the pipeline job. The service account needs these permissions in the pipeline project even if your data source is not a Cloud Storage file. This role includes all of the permissions granted by the Storage Object Viewer role. |
Storage Admin | storage.buckets.* permissions allow the service account to validate the Cloud Storage bucket in the Feature Transform Engine step of the pipeline. This role includes all of the permissions granted by the Storage Object Admin role. |
Service account for Dataflow worker
You must grant the following roles to the service account for Dataflow worker in the pipeline project:
Role | Permissions |
---|---|
Storage Object Admin | This role allows the service account to access Cloud Storage buckets. The service account needs these permissions even if your data source is not a Cloud Storage file. |
BigQuery Job User | bigquery.jobs.create allows the service account to perform the Feature Transform Engine step of the pipeline. The service account needs this permission even if your data source is not a BigQuery dataset. |
Dataflow Worker | The service account needs all of the permissions granted by this role. |
You must additionally grant the following roles to the Dataflow worker service account based on your data source type:
Data source | Role | Where to grant the role |
---|---|---|
Standard BigQuery table | BigQuery Data Editor | Project that runs the pipeline |
Standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Editor | Project that runs the pipeline |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Editor | Project that runs the pipeline |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Editor | Project that runs the pipeline |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
Cloud Storage file | BigQuery Data Viewer | Project that runs the pipeline |
The following table provides an explanation of these roles:
Role | Permissions |
---|---|
BigQuery Data Viewer | bigquery.tables.get provides access to the dataset in the Feature Transform Engine step of the pipeline. The service account needs this permission even if your data source is not a BigQuery dataset. |
BigQuery Data Editor | This role lets the service account query the table and create temporary tables during the Feature Transform Engine step of the pipeline. This role includes all of the permissions granted by the BigQuery Data Viewer role. |
Storage Object Viewer | storage.objects.get lets the service account access a Cloud Storage file. |
AI Platform Service Agent
You must ensure that the following role is granted to the AI Platform Service Agent in the pipeline project:
Role | Permissions |
---|---|
Vertex AI Service Agent | This role grants permissions for service agents. These permissions include the storage.objects.get permission and access rights to container images in the Artifact Registry repository. |
Service accounts for ARIMA+
This workflow uses the following service accounts:
Service account | Description | Default principal | Default name | Can be overridden |
---|---|---|---|---|
Service account for Vertex AI Pipelines | The service account that runs the pipeline | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Compute Engine default service account | Yes |
AI Platform Service Agent | The service account that runs the training containers | service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com | AI Platform Service Agent | No |
The Vertex AI Pipelines service account can be changed to an account of your choice. See Forecasting with ARIMA+ for more information.
Service account for Vertex AI Pipelines
You must grant the following roles to the service account for Vertex AI Pipelines in the pipeline project:
Role | Permissions |
---|---|
Vertex AI User | aiplatform.metadataStores.get allows the service account to create a pipeline job. aiplatform.models.upload allows the service account to upload the model. |
BigQuery Data Editor | bigquery.tables.create allows the service account to create temporary tables for Feature Transform Engine prior to launching a Dataflow job. The service account needs this permission even if your data source is not a BigQuery dataset. This role includes all of the permissions granted by the BigQuery Data Viewer role. |
BigQuery Job User | bigquery.jobs.create allows the service account to run BigQuery jobs for Feature Transform Engine prior to launching a Dataflow job. The service account needs this permission even if your data source is not a BigQuery dataset. |
Service Account User | iam.serviceAccounts.actAs allows the Vertex AI Pipelines service account to act as the Dataflow worker service account during evaluation. |
Dataflow Developer | This role provides access to resources needed to run Dataflow jobs. |
You must additionally grant the following roles to the Vertex AI Pipelines service account based on your data source type:
Data source | Role | Where to grant the role |
---|---|---|
Cloud Storage file | Storage Admin | Project that the file belongs to |
Standard BigQuery table | Storage Object Admin | Project that runs the pipeline |
Standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery view of a standard BigQuery table | Storage Object Admin | Project that runs the pipeline |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a standard BigQuery table | BigQuery Data Viewer | Project that the table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Admin | Project that runs the pipeline |
BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Admin | Project that runs the pipeline |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the view belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | BigQuery Data Viewer | Project that the external table belongs to |
BigQuery view of a BigQuery external table that has a source Cloud Storage file | Storage Object Viewer | Project that the source file belongs to |
The following table provides an explanation of these roles:
Role | Permissions |
---|---|
BigQuery Data Viewer | bigquery.tables.get provides the service account with access to the dataset. The service account needs this access prior to launching the Dataflow job in the Feature Transform Engine step of the pipeline. |
Storage Object Viewer | storage.objects.get allows the service account to access the source Cloud Storage file. |
Storage Object Admin | The storage.objects.get and storage.objects.create permissions allow the service account to access the bucket for the root directory of the pipeline job. The service account needs these permissions in the pipeline project even if your data source is not a Cloud Storage file. This role includes all of the permissions granted by the Storage Object Viewer role. |
Storage Admin | storage.buckets.* permissions allow the service account to validate the Cloud Storage bucket in the Feature Transform Engine step of the pipeline. This role includes all of the permissions granted by the Storage Object Admin role. |
AI Platform Service Agent
You must ensure that the following role is granted to the AI Platform Service Agent in the pipeline project:
Role | Permissions |
---|---|
Vertex AI Service Agent | This role grants permissions for service agents. These permissions include the storage.objects.get permission and access rights to container images in the Artifact Registry repository. |