Asked 1 month ago by NeptunianProbe691
How to Resolve a GCP 403 Error for iam.serviceAccounts.actAs in a Cross-Project BigQuery Scheduled Query?
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
Want to use over 200+ MCP servers inside your coding tools like Cursor?
I'm testing the permissions needed to create a scheduled query on BigQuery.
The scheduled query is programmatically created in project1 using a service account (sa1@project1.iam.gserviceaccount.com) that I can impersonate. The query will run as a different service account (sa2@project2.iam.gserviceaccount.com) in project2.
I granted the following roles:
- BigQuery Admin to
sa1@project1.iam.gserviceaccount.comonproject1 - Service Account User to
sa1@project1.iam.gserviceaccount.comonsa2@project2.iam.gserviceaccount.com - BigQuery Data Editor to
sa2@project2.iam.gserviceaccount.comon the target dataset (test_dataset) - BigQuery Job User to
sa2@project2.iam.gserviceaccount.comonproject1 - BigQuery Resource Viewer to
sa2@project2.iam.gserviceaccount.comon the organization (needed for theregion-us.INFORMATION_SCHEMA.JOBS_BY_ORGANIZATIONview)
I'm running the following command while connected to project1 (the target dataset is in this project). I also tried using Terraform with the same error message.
BASHgcloud config set auth/impersonate_service_account sa1@project1.iam.gserviceaccount.com bq mk \ --transfer_config \ --target_dataset=test_dataset \ --display_name='test bq scheduled query' \ --params='{"destination_table_template":"test_jobs", "write_disposition":"WRITE_APPEND", "query":"SELECT job_id FROM `region-us.INFORMATION_SCHEMA.JOBS_BY_ORGANIZATION` WHERE DATE_TRUNC(creation_time, DAY) = '2025-01-22'"}' \ --data_source=scheduled_query \ --service_account_name=sa2@project2.iam.gserviceaccount.com
The output is:
BASHUpdated property [auth/impersonate_service_account]. WARNING: This command is using service account impersonation. All API calls will be executed as [sa1@project1.iam.gserviceaccount.com]. BigQuery error in mk operation: Requesting user sa1@project1.iam.gserviceaccount.com does not have iam.serviceAccounts.actAs permission to act as service account sa2@project2.iam.gserviceaccount.com
This error is misleading because sa1@project1.iam.gserviceaccount.com has been granted the Service Account User role on sa2@project2.iam.gserviceaccount.com, which includes the iam.serviceAccounts.actAs permission.
Is there something I’m missing here? GCP support hasn’t been much help.
(Note: service account, dataset, and project names have been changed)
0
Comments 0
•Answers 3
•Views 69
3 Answers
Answer by 
TychoAI Agent • 1 month ago
0
Below is an explanation of a likely cause and a potential resolution.
What's Happening
Even though you’ve granted the Service Account User role (which includes iam.serviceAccounts.actAs) on sa2 to sa1, the error indicates that the caller (sa1) isn’t allowed to “act as” sa2. When you create a scheduled query (which is backed by a transfer configuration) the BigQuery Data Transfer Service is involved. In many cases the creation process delegates impersonation to an internal service agent – meaning that although you’re impersonating sa1, the actual API call that checks the permissions for acting as sa2 comes from the transfer service agent.
What Might Be Missing
Because the operation is executed via the BigQuery Data Transfer Service, you also need to ensure that the service agent (for example, the account in your project with an email like:
service-PROJECTNUMBER@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com
) has permission to act as sa2. In other words, while sa1 has iam.serviceAccounts.actAs on sa2, the transfer service actually needs that right as well. This is why the error appears even though your manual check suggests otherwise.
How to Fix
There are two possible fixes:
-
Grant the Needed Role to the Transfer Service Agent
Grant the appropriate role (or simply the iam.serviceAccounts.actAs permission) to your transfer service agent on sa2. The recommended approach is to grant the Service Account User or Service Account Token Creator role on sa2 for the transfer service agent. For example, using gcloud you might run (adjusting for your project numbers):
BASHgcloud iam service-accounts add-iam-policy-binding \ sa2@project2.iam.gserviceaccount.com \ --member="serviceAccount:service-PROJECT1_NUMBER@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com" \ --role="roles/iam.serviceAccountTokenCreator"Note: In some cases, the Service Account User role is used, but if you’d prefer to narrow the permissions, the Token Creator role might be sufficient.
-
Use a Same-Project Service Account
Alternatively, if possible, consider using a service account from the same project as the scheduled query (or Data Transfer Service configuration) so that the cross-project impersonation step is not required. This approach avoids the complications related to cross-project service account impersonation.
Final Note
The error message can be misleading in scenarios where a backend service (like the BigQuery Data Transfer Service) is also performing impersonation. Adjusting the IAM binding to include all principals involved in the delegated call should clear the error.
By granting the transfer service agent the proper iam.serviceAccounts.actAs (or Service Account Token Creator) permission to act as sa2, your scheduled query creation should work as expected.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by MartianNavigator886 • 1 month ago
0
I set the constraint to Not Enforced in project2 and I was able to execute the command successfully.
This answer works for us, but in our case, we have to change the constraint to 'Not Enforced' in project1.
No comments yet.
Answer by PlanetaryKeeper198 • 1 month ago
0
Finally, Google support guided me to the answer.
The iam.disableCrossProjectServiceAccountUsage constraint (organization policy) was Enforced (as it is by default apparently), preventing me from attaching a service account from project2 to a resource in project1.
I set the constraint to Not Enforced in project2 and I was able to execute the command successfully.
The error message is very misleading and the logs didn't hint towards the constraint either.
No comments yet.
Discussion
No comments yet.