Dataproc operation failure: INVALID_ARGUMENT: User not authorized to act as service account

Question

I'm tring to run a pipeline from Cloud Data Fusion, but im receiving the following error:

io.cdap.cdap.runtime.spi.provisioner.dataproc.DataprocRuntimeException: Dataproc operation failure: INVALID_ARGUMENT: User not authorized to act as service account '[email protected]'. To act as a service account, user must have one of [Owner, Editor, Service Account Actor] roles. See https://cloud.google.com/iam/docs/understanding-service-accounts for additional details.

Someone already encountered this error?

Answer 1

This error is related to the lack of Service Account user role (roles/iam.serviceAccountUser) associate to the user/service account used to run the DataProc job.

In order to overcome this error, you need to go to the IAM Policy Console and give the Service Account User role, as described here, to the current user/service account you are using to run the job. As exemplified below:

1. Go to the IAM & Admin Console
2. Click on IAM
3. Select the member you are using to run your job
4. Click on the pen icon in the right side of the member's info
5. Add the Service Account user role

Pointing out some important topics, service accounts are used to make authorised API calls, through the service account itself or through delegated users within it. Moreover, about impersonation service accounts, an user with particular permissions can act as another service account with the necessary permission to execute a specific job.

Note: in step 3, you can also give to a particular user(email) the roles/iam.serviceAccountUser by clicking on +ADD (in top of the console). Then, writing the email and selecting the permission. Although, I must stress that this permission would be given at a project level. Thus, this user will be able to impersonate any of the existent Service Accounts.