Note
Service agent == Google-managed service account
- Service agents are created automatically as you enable and/or begin to use Google Cloud APIs.
- Service agents often require and are automatically granted predefined IAM roles they need to manage the resources for the APIs they represent.
Sometimes, one or both of these does not happen when an API is enabled on a Google Cloud project. If that happens, don't "power cycle" the API off and on. There is a better way.
Warning
All examples in this note are for Dataflow. Adjust for your required service and role(s).
To trigger the creation of a service agent in your default project, you can run the following command.

```bash
set -u
# Use the active gcloud default project.
projectID=$(gcloud config get project)
# Ask the service to create its service agent for this project (no change if it already exists).
gcloud beta services identity create \
  --service=dataflow.googleapis.com \
  --project=$projectID
```

To grant the service agent the necessary permissions on your default project, you can run the following command.
```bash
set -u
projectID=$(gcloud config get project)
# The service agent address is built from the project number, not the project ID.
projectNumber=$(gcloud projects describe $projectID --format='value(projectNumber)')
serviceAgent="service-${projectNumber}@dataflow-service-producer-prod.iam.gserviceaccount.com"
# Bind the predefined service-agent role to the agent, without an IAM condition.
gcloud projects add-iam-policy-binding $projectID \
  --member="serviceAccount:$serviceAgent" \
  --role="roles/dataflow.serviceAgent" \
  --condition=None
```

In this note we:
- Created the Dataflow service agent if it didn't already exist.
- Granted the service agent the necessary permissions to do its job.
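A check-then-grant version of the two steps above, added here as an example and not part of the original note: it derives the agent address from the project number, reads the project's IAM policy, and runs `add-iam-policy-binding` only when an unconditional binding of the role is missing. It assumes `gcloud` is installed and authenticated; the sample policy and project number at the bottom are constructed for offline use.

```python
import json
import subprocess
import sys

SERVICE = "dataflow.googleapis.com"
ROLE = "roles/dataflow.serviceAgent"

def service_agent_email(project_number: str) -> str:
    """Dataflow service agent address for a project number (format from the note)."""
    return f"service-{project_number}@dataflow-service-producer-prod.iam.gserviceaccount.com"

def has_unconditional_binding(policy: dict, member: str, role: str) -> bool:
    """True if the policy (shape of `gcloud projects get-iam-policy --format=json`)
    binds MEMBER to ROLE without an IAM condition. A conditional binding does not
    count, because the note grants the role with --condition=None."""
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            if member in binding.get("members", []):
                return True
    return False

def gcloud(*args: str) -> str:
    """Run one gcloud command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["gcloud", *args], check=True, capture_output=True, text=True).stdout.strip()

def ensure_dataflow_agent_role(project_id: str) -> str:
    """The note's two steps, except that the grant is skipped when the binding already exists."""
    gcloud("beta", "services", "identity", "create", f"--service={SERVICE}", f"--project={project_id}")
    number = gcloud("projects", "describe", project_id, "--format=value(projectNumber)")
    member = "serviceAccount:" + service_agent_email(number)
    policy = json.loads(gcloud("projects", "get-iam-policy", project_id, "--format=json"))
    if has_unconditional_binding(policy, member, ROLE):
        return f"already bound: {member}"
    gcloud("projects", "add-iam-policy-binding", project_id,
           f"--member={member}", f"--role={ROLE}", "--condition=None")
    return f"granted: {member}"

# Constructed sample policy (not real data): the agent holds the role only under an
# expiring condition, so the check reports it as missing and the grant still runs.
SAMPLE_AGENT = "serviceAccount:" + service_agent_email("123456789012")
SAMPLE_POLICY = {"bindings": [
    {"role": ROLE, "members": [SAMPLE_AGENT],
     "condition": {"title": "expiring", "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}},
    {"role": "roles/viewer", "members": [SAMPLE_AGENT]},
]}

if __name__ == "__main__":
    # Target project: first argument, else the gcloud default project, as in the note.
    print(ensure_dataflow_agent_role(sys.argv[1] if len(sys.argv) > 1 else gcloud("config", "get", "project")))
```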
For more information, see:
- Create and grant roles to service agents
- Service Agents docs page contains the full list of service agents and the roles they require.
😊