Dataproc operation failure: INVALID_ARGUMENT: User not authorized to act as service account

拜拜、爱过 submitted on 2020-12-12 05:07:40

Question


I'm trying to run a pipeline from Cloud Data Fusion, but I'm receiving the following error:

io.cdap.cdap.runtime.spi.provisioner.dataproc.DataprocRuntimeException: Dataproc operation failure: INVALID_ARGUMENT: User not authorized to act as service account 'XXXXXXXX-compute@developer.gserviceaccount.com'. To act as a service account, user must have one of [Owner, Editor, Service Account Actor] roles. See https://cloud.google.com/iam/docs/understanding-service-accounts for additional details.

Has someone already encountered this error?


Answer 1:


This error is related to the lack of the Service Account User role (roles/iam.serviceAccountUser) associated with the user/service account used to run the Dataproc job.

In order to overcome this error, you need to go to the IAM Policy Console and give the Service Account User role, as described here, to the current user/service account you are using to run the job. As exemplified below:

  1. Go to the IAM & Admin Console
  2. Click on IAM
  3. Select the member you are using to run your job
  4. Click on the pen icon in the right side of the member's info
  5. Add the Service Account user role

Pointing out some important topics: service accounts are used to make authorised API calls, through the service account itself or through delegated users within it. Moreover, regarding service account impersonation, a user with particular permissions can act as another service account that has the necessary permission to execute a specific job.

Note: in step 3, you can also give a particular user (email) the roles/iam.serviceAccountUser by clicking on +ADD (at the top of the console), then writing the email and selecting the permission. However, I must stress that this permission would be given at a project level. Thus, this user will be able to impersonate any of the existing Service Accounts.




Answer 2:


I would like to add that the Service Account User role should be added to the Cloud Data Fusion Service Account that was automatically generated by Data Fusion when the API was enabled.

In my case the member is called something like:

service-############@gcp-sa-datafusion.iam.gserviceaccount.com

And its name is: Cloud Data Fusion Service Account




Answer 3:


In my case, the error was misleading. Even though the error stated that the issue was with missing privileges for 'XXXXXXXX-compute@developer.gserviceaccount.com' user, the actual problem was only fixed after I granted the role to service-############@gcp-sa-datafusion.iam.gserviceaccount.com user. I followed the steps that @Alexandre Moraes provided to grant the correct level of access to the Cloud Data Fusion Service Account.




Answer 4:


Yes, the error message is pointing to the wrong service account (i.e. 5086XXXX8XXX-compute@developer.gserviceaccount.com). Actually the service account that was running the process was different. It could be found from the logs, or from the authorizationInfo attribute of the request in the logs (as shown in the attached image):

CreateCluster
us-west1:cdap-getmember-xxxxxxx-2fff-11eb-98ba-6a77bxxxx9dc
service-5086XXXX8XXX@gcp-sa-datafusion.iam.gserviceaccount.com

You need to add a role (any one of OWNER, EDITOR, SERVICE ACCOUNT) to this account (i.e. service-5086XXXX8XXX@gcp-sa-datafusion.iam.gserviceaccount.com).
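To apply the fix described in Answers 1 and 4 from the command line rather than the console, here is an added example (not from this thread and not Google's own tooling) that edits the compute service account's own IAM policy, as fetched with `gcloud iam service-accounts get-iam-policy`, to grant roles/iam.serviceAccountUser to the Data Fusion service agent on that one service account instead of project-wide. The service account e-mails and the etag are constructed placeholders.

```python
import copy

SA_USER_ROLE = "roles/iam.serviceAccountUser"
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:")

# Constructed placeholder identities (not values from the original thread).
COMPUTE_SA = "123456789012-compute@developer.gserviceaccount.com"
DATAFUSION_AGENT = "serviceAccount:service-123456789012@gcp-sa-datafusion.iam.gserviceaccount.com"

# Constructed policy, shaped like the JSON returned by
#   gcloud iam service-accounts get-iam-policy COMPUTE_SA --format=json
# before the fix: nobody is yet allowed to act as the compute service account.
POLICY_BEFORE = {"version": 1, "etag": "BwConstructedEtag=", "bindings": []}


def can_act_as(policy: dict, member: str) -> bool:
    """True if `member` holds Service Account User on this service account's policy."""
    return any(
        b.get("role") == SA_USER_ROLE and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def grant_role(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` added to `role` (idempotent).

    Same effect as `gcloud iam service-accounts add-iam-policy-binding`, but
    scoped to a single service account resource, so the grantee can act as that
    service account only. The etag is preserved so that a later
    `set-iam-policy` is rejected if the policy changed underneath us.
    """
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member must start with one of {MEMBER_PREFIXES}: {member}")
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        # Leave conditional bindings alone; we want an unconditional grant.
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


POLICY_AFTER = grant_role(POLICY_BEFORE, SA_USER_ROLE, DATAFUSION_AGENT)

if __name__ == "__main__":
    import json
    # Save this output as policy.json and apply it with:
    #   gcloud iam service-accounts set-iam-policy COMPUTE_SA policy.json
    print(json.dumps(POLICY_AFTER, indent=2))
```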



Source: https://stackoverflow.com/questions/63222520/dataproc-operation-failure-invalid-argument-user-not-authorized-to-act-as-serv
