Getting "Current user cannot act as service account [email protected]" when trying to launch dataflow job from cloud function (Node.js)
I am trying to run a classic template based Dataflow job from a Cloud Function (Node.js) and am getting this error: Current user cannot act as service account ([email protected])
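```javascript
// Client setup assumed here (the original snippet did not show it):
// googleapis with application default credentials.
const { google } = require("googleapis");
const dataflow = google.dataflow({
  version: "v1b3",
  auth: new google.auth.GoogleAuth({
    scopes: ["https://www.googleapis.com/auth/cloud-platform"],
  }),
});

// Launch request for the classic Cloud_Bigtable_to_GCS_Avro template.
var opts = {
  projectId: "project-id",
  location: "asia-south1",
  gcsPath: "gs://dataflow-templates/latest/Cloud_Bigtable_to_GCS_Avro",
  resource: {
    "jobName": "bt-backup-to-gcs-avro" + Date.now(),
    "environment": {
      "bypassTempDirValidation": false,
      // Service account the job's workers run as; the caller must be allowed to act as it.
      "serviceAccountEmail": "[email protected]",
      "machineType": "n1-standard-8",
      "tempLocation": "gs://some-bucket/some-dir",
      "subnetwork": "subnetwork-val",
      "network": "network-val",
      "ipConfiguration": "WORKER_IP_UNSPECIFIED",
      "additionalExperiments": []
    },
    "parameters": {
      "bigtableProjectId": "project-id",
      "bigtableInstanceId": "instance-id",
      "bigtableTableId": "table-id",
      "outputDirectory": "gs://some-bucket/some-dir",
      "filenamePrefix": "table-backup-"
    }
  }
};

// Launch the job; the "cannot act as service account" error surfaces in `err`.
dataflow.projects.locations.templates.launch(opts, (err, result) => {
  if (err) {
    throw err;
  }
  console.log(result.data);
});
```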
Solution 1:[1]
You will need to give that permission to the service account that runs the Cloud Function. Here is the documentation on how to do so: https://cloud.google.com/functions/docs/securing/function-identity
Solution 2:[2]
In order to run any Google Cloud Platform process using your own service account, the user starting the process needs to be a Service Account User for that service account.
For your particular need, the service account used by your Cloud Function will need the Service Account User access.
Granting the Service Account User role to the Cloud Function service account can be accomplished by either:
- Granting the account the Service Account User role at the GCP project level. This can be done through the IAM settings found in the GCP console.
- Granting the Cloud Function service account the Service Account User role on the Dataflow service account itself. This too can be done through the console by managing the permissions on the service account.
Further information can be found in the Google Cloud Platform documentation:
You can grant the Service Account User role (roles/iam.serviceAccountUser) at the project level for all service accounts in the project, or at the service account level.
Granting the Service Account User role to a user for a project gives the user access to all service accounts in the project, including service accounts that might be created in the future.
Granting the Service Account User role to a user for a specific service account gives a user access to only that service account.
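The two grant options described in Solution 2, as an added example that is not part of the original answers: it inspects IAM policy objects (the `bindings` shape returned by `getIamPolicy`) for `roles/iam.serviceAccountUser`, reports whether the grant is project-wide or limited to one service account, and adds the binding on the worker service account only. The helper names, account names and sample policies are constructed for illustration.

```javascript
// Added example: helper names, account names and policies are constructed.
const ACT_AS_ROLE = "roles/iam.serviceAccountUser";

// True if `member` holds the Service Account User role in an IAM policy
// object ({ bindings: [{ role, members }] }). Conditional bindings are
// skipped because their conditions are not evaluated here.
function canActAs(policy, member) {
  return (policy.bindings || []).some(
    (b) => b.role === ACT_AS_ROLE && !b.condition && (b.members || []).includes(member)
  );
}

// Where the grant comes from: "service-account" (only that account),
// "project" (every service account in the project), or "none".
function actAsScope(projectPolicy, saPolicy, member) {
  if (canActAs(saPolicy, member)) return "service-account";
  if (canActAs(projectPolicy, member)) return "project";
  return "none";
}

// Return a copy of the service account's policy with `member` added to the
// Service Account User binding. The input policy is left untouched.
function grantActAs(saPolicy, member) {
  if (canActAs(saPolicy, member)) return saPolicy;
  const bindings = (saPolicy.bindings || []).map((b) => ({ ...b, members: [...(b.members || [])] }));
  let binding = bindings.find((b) => b.role === ACT_AS_ROLE && !b.condition);
  if (!binding) {
    binding = { role: ACT_AS_ROLE, members: [] };
    bindings.push(binding);
  }
  binding.members.push(member);
  return { ...saPolicy, bindings };
}

// Constructed sample: the function's identity can launch jobs but has no
// Service Account User grant anywhere, the situation the question's error reports.
const FUNCTION_SA = "serviceAccount:fn-runtime@example-project.iam.gserviceaccount.com";
const projectPolicy = { bindings: [{ role: "roles/dataflow.developer", members: [FUNCTION_SA] }] };
const workerSaPolicy = { etag: "constructed-etag", bindings: [] };

console.log("before:", actAsScope(projectPolicy, workerSaPolicy, FUNCTION_SA));
const updatedPolicy = grantActAs(workerSaPolicy, FUNCTION_SA);
console.log("after: ", actAsScope(projectPolicy, updatedPolicy, FUNCTION_SA));
```

Granting on the worker service account keeps the function's identity from acting as any other service account in the project, including ones created later.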
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Kenn Knowles |
| Solution 2 | Brent Worden |
