google cloud platform - 403 iam.serviceAccounts.actAs permission error trying to attach a service account to a resource in anoth


I'm testing the required permissions to create a scheduled query on BigQuery.

The scheduled query will be programmatically created in project1 with a service account ([email protected]) that I'm able to impersonate. The scheduled query will run as another service account from project2 ([email protected]).

I have granted the following roles:

  • BigQuery Admin to [email protected] on project1
  • Service Account User to [email protected] on [email protected]
  • BigQuery Data Editor to [email protected] on target dataset (test_dataset)
  • BigQuery Job User to [email protected] on project1
  • BigQuery Resource Viewer to [email protected] on organization (because the query is using the region-us.INFORMATION_SCHEMA.JOBS_BY_ORGANIZATION view)

I'm running the following while connected to project1 (the target dataset is in this project). I also tried achieving the same with terraform, with the same error message.

gcloud config set auth/impersonate_service_account [email protected]
# the date literal is written as '\''2025-01-22'\'' so the quotes survive inside the single-quoted --params JSON
bq mk \
  --transfer_config \
  --target_dataset=test_dataset \
  --display_name='test bq scheduled query' \
  --params='{"destination_table_template":"test_jobs", "write_disposition":"WRITE_APPEND", "query":"SELECT job_id FROM `region-us.INFORMATION_SCHEMA.JOBS_BY_ORGANIZATION` WHERE DATE_TRUNC(creation_time, DAY) = '\''2025-01-22'\''"}' \
  --data_source=scheduled_query \
  [email protected]

I get the following output:

Updated property [auth/impersonate_service_account].
WARNING: This command is using service account impersonation. All API
calls will be executed as [[email protected]].
BigQuery error in mk operation:
Requesting user [email protected] does not have
iam.serviceAccounts.actAs permission to act as service account
[email protected]

The error is a lie, since [email protected] has the Service Account User role on [email protected] and this role includes iam.serviceAccounts.actAs permission.

Is there something I'm missing here? GCP support is driving me crazy, not being helpful at all.

(service account, dataset and project names have been changed)


asked Jan 27 at 12:24 by nathou, edited Jan 31 at 8:45 by nathou
  • Can you try to add the role "service account token creator" in addition? – guillaume blaquiere Commented Jan 27 at 20:02
  • Yes, I have tried adding the service account token creator role, but I still get the error message. Also tried adding the roles at the projects level with the same result. – nathou Commented Jan 29 at 8:16

2 Answers


Finally, Google support guided me to the answer.

The iam.disableCrossProjectServiceAccountUsage constraint (organization policy) was Enforced (as it is by default apparently), preventing me from attaching a service account from project2 to a resource in project1.

I set the constraint to Not Enforced in project2 and I was able to execute the command successfully.

The error message is very misleading and the logs didn't hint towards the constraint either.
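The constraint in this answer is the guard that stops a service account owned by one project from being attached to resources in another, so before relaxing it you want to see its effective state and scope the change to a single project. The script below is an added example, not code from the question or the answers: it parses the YAML that `gcloud org-policies describe --effective` prints and writes a v2 policy file that sets the constraint to Not Enforced for one project only; `PROJECT2` and the sample YAML are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answers). Assumes gcloud is installed
# and authenticated; PROJECT2 stands for the project that owns the service
# account being attached cross-project (project2 in the question).
CONSTRAINT="iam.disableCrossProjectServiceAccountUsage"
PROJECT2="${PROJECT2:-project2}"

# Read `gcloud org-policies describe $CONSTRAINT --effective` output on stdin
# and print "enforced" or "not-enforced". The constraint is enforced by
# default, so anything other than an explicit `enforce: false` counts as
# enforced.
constraint_state() {
  if grep -q 'enforce: false'; then
    echo "not-enforced"
  else
    echo "enforced"
  fi
}

# Write the org-policy file that switches the constraint to Not Enforced for
# exactly one project (never at folder or organization level), for use with
# `gcloud org-policies set-policy FILE`.
write_relax_policy() {
  project="$1"; out="$2"
  cat > "$out" <<EOF
name: projects/${project}/policies/${CONSTRAINT}
spec:
  rules:
  - enforce: false
EOF
}

# Live usage; skipped where gcloud is not available (e.g. a sandbox).
if command -v gcloud >/dev/null 2>&1; then
  state=$(gcloud org-policies describe "$CONSTRAINT" \
            --project="$PROJECT2" --effective | constraint_state)
  echo "$CONSTRAINT on $PROJECT2: $state"
  write_relax_policy "$PROJECT2" relax.yaml
  echo "review relax.yaml, then: gcloud org-policies set-policy relax.yaml"
fi
```

Check the effective state in both projects first: the second answer on this page reports needing the change in project1 rather than project2, and the describe output tells you which project's policy is actually in effect.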

I set the constraint to Not Enforced in project2 and I was able to execute the command successfully.

This answer works for us, but in our case, we have to change the constraint to 'Not Enforced' in project1.
