Your Dataflow pipeline runs under a user-managed service account called df-sa@example-project. The job must write its results to a Cloud Storage bucket named analytics-output. You already granted your team the Service Account User (roles/iam.serviceAccountUser) role on df-sa, but the pipeline still fails with "403 permission denied" when it tries to upload objects to the bucket. What IAM change will let the job succeed while following the principle of least privilege?
Bind the Dataflow worker default service account to roles/iam.serviceAccountUser on df-sa@example-project.
Give df-sa@example-project the Storage Object Admin role (roles/storage.objectAdmin) at the project level.
Add an IAM policy binding that grants df-sa@example-project the Storage Object Creator role (roles/storage.objectCreator) on the analytics-output bucket.
Grant the Storage Object Creator role on df-sa@example-project so that any principal using the account can create objects.
Granting a role to the service account on the target resource lets the workload act on that resource. The pipeline needs the storage.objects.create permission on the analytics-output bucket. Binding the df-sa service account to the predefined Storage Object Creator role on that bucket supplies exactly that permission without additional, unnecessary access. Roles granted on the service account (such as Service Account User) control who may impersonate or manage the account; they do not give the service account itself any access to other resources. Granting the object role at the project level exceeds what the job needs, and granting a Storage role on the service account resource itself would not enable writes to the bucket.
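As an added illustration (not part of the original question or explanation), the Terraform below shows the two bindings side by side: the one the team already has, which is granted on df-sa and only controls who may use the account, and the bucket-scoped binding that actually lets the job write. It assumes the project id is example-project and that the service account's full email is df-sa@example-project.iam.gserviceaccount.com; both are assumptions.

```hcl
# Added example, not from the original page. Assumed values:
# project id "example-project", service account email
# df-sa@example-project.iam.gserviceaccount.com, bucket "analytics-output".

locals {
  df_sa_email = "df-sa@example-project.iam.gserviceaccount.com"
}

# Binding ON the service account: lets team members run jobs as df-sa.
# This grants nothing to df-sa itself, so it does not fix the 403.
resource "google_service_account_iam_member" "team_can_use_df_sa" {
  service_account_id = "projects/example-project/serviceAccounts/${local.df_sa_email}"
  role               = "roles/iam.serviceAccountUser"
  member             = "group:data-team@example.com" # assumed group
}

# Binding TO the service account, scoped to the one bucket it must write to.
# roles/storage.objectCreator carries storage.objects.create and nothing
# that lets the job read, list, or delete objects it did not create.
resource "google_storage_bucket_iam_member" "df_sa_object_creator" {
  bucket = "analytics-output"
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:${local.df_sa_email}"
}

# Avoid: a project-level roles/storage.objectAdmin grant would also stop the
# 403 but would allow full object access on every bucket in the project.
# resource "google_project_iam_member" "too_broad" {
#   project = "example-project"
#   role    = "roles/storage.objectAdmin"
#   member  = "serviceAccount:${local.df_sa_email}"
# }
```

The equivalent one-off change is `gcloud storage buckets add-iam-policy-binding gs://analytics-output --member=serviceAccount:df-sa@example-project.iam.gserviceaccount.com --role=roles/storage.objectCreator`, and `gcloud storage buckets get-iam-policy gs://analytics-output` confirms that only the bucket-scoped binding was added.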
GCP Associate Cloud Engineer
Configuring access and security