Note
Service agent == Google-managed service account
- In Google Cloud, project-level, folder-level, and organization-level service agents are created automatically as you enable and use Google Cloud services.
- Sometimes, these service agents are also automatically granted roles that allow them to create and access resources on your behalf.
Sometimes one of these two steps does not happen. When that is the case, don't "power cycle" the API by disabling and re-enabling it. There is a better way.
Warning
All examples in this note are for Dataflow. Adjust for your required service and role(s).
To trigger the creation of a service agent in your default project, you can run the following command.
set -u  # abort if a variable is unset, rather than running gcloud against an empty project
projectID=$(gcloud config get project)
gcloud beta services identity create \
--service=dataflow.googleapis.com \
--project="$projectID"

To grant the service agent the necessary permissions on your default project, you can run the following command.
set -u
projectID=$(gcloud config get project)
# The service agent's address embeds the project number, not the project ID.
projectNumber=$(gcloud projects describe "$projectID" --format='value(projectNumber)')
serviceAgent="service-${projectNumber}@dataflow-service-producer-prod.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding "$projectID" \
--member="serviceAccount:$serviceAgent" \
--role="roles/dataflow.serviceAgent" \
--condition=None

In this note we:
- Created the Dataflow service agent if it didn't already exist.
- Granted the service agent the necessary permissions to do its job.
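As an added check (example code written for this note, not Google's or the note's own), the script below takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints, derives the service agent address the same way the commands above do, and reports whether that agent holds the role through a binding with no IAM condition, emitting the remediation command when it does not. The domain mapping, project number, user and sample policy are assumptions made up for the example.

```python
import json

# Assumed mapping from API name to service-agent email domain; only the Dataflow
# entry comes from the note above, extend it for other services as needed.
SERVICE_AGENT_DOMAINS = {
    "dataflow.googleapis.com": "dataflow-service-producer-prod.iam.gserviceaccount.com",
}

def service_agent_email(project_number: str, service: str) -> str:
    """Expected address of a project-level service agent: service-<NUMBER>@<domain>."""
    return f"service-{project_number}@{SERVICE_AGENT_DOMAINS[service]}"

def unconditional_roles(policy: dict, member: str) -> list:
    """Roles granted to `member` with no IAM condition; a conditional binding only
    applies while its expression is true, so it is not treated as a plain grant."""
    return [b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b]

def check_service_agent(policy: dict, project_id: str, project_number: str,
                        service: str, required_role: str) -> dict:
    """Report whether the service agent holds `required_role`; if not, return the fix."""
    member = "serviceAccount:" + service_agent_email(project_number, service)
    result = {"member": member,
              "ok": required_role in unconditional_roles(policy, member),
              "fix": None}
    if not result["ok"]:
        result["fix"] = (f"gcloud projects add-iam-policy-binding {project_id} "
                         f'--member="{member}" --role="{required_role}" --condition=None')
    return result

# Constructed sample in the shape `gcloud projects get-iam-policy PROJECT --format=json`
# prints; the project numbers, user and etag are made up for this example.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/dataflow.serviceAgent",
     "members": ["serviceAccount:service-111111111111@dataflow-service-producer-prod.iam.gserviceaccount.com"]},
    {"role": "roles/dataflow.serviceAgent",
     "members": ["serviceAccount:service-222222222222@dataflow-service-producer-prod.iam.gserviceaccount.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor", "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXyz123"
}""")

if __name__ == "__main__":
    for number in ("111111111111", "222222222222"):
        r = check_service_agent(SAMPLE_POLICY, "my-project", number,
                                "dataflow.googleapis.com", "roles/dataflow.serviceAgent")
        print(number, "ok" if r["ok"] else "missing, run: " + r["fix"])
```

Project 111111111111 passes; project 222222222222 only holds the role through a conditional binding, so the script prints the `add-iam-policy-binding ... --condition=None` command from the note as the fix.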
For more information, see: Create and grant roles to service agents
😊