In the Google Cloud toolbar, verify that the correct project is selected.
NOTE: You must be the project owner of the selected project to complete these configuration steps.
Select Left nav menu > IAM & Admin > IAM.
Select the Include Google-provided role grants checkbox.
Locate the service account created by
D s product product dp
This service account contains the Dataprep Service Agent role in the Roles column.
Copy the name of this account.
From the Google Cloud toolbar at the top, open the Cloud Shell.
NOTE: Open the Cloud Shell in a new tab, and verify that you have specifically chosen the project in question. If you are not in the right project, the error messages may be confusing.
From Google Cloud Shell:
Create a new YAML file:
Create a new Access context in this YAML file. This context must include:
The service account that you copied
The userId of the project owner
- members: - serviceAccount:<dataprepServiceAccount> - user:<projectOwner>
- members: - serviceAccount:serviceAccount-service:firstname.lastname@example.org - user:myLogin@example.com
Save this file.
Execute the following command to create a new Access Level:
gcloud access-context-manager levels create <accessLevelName> --basic-level-spec=<project-name>.yaml --title=<accessLevelName>
NOTE: If this command fails, you may need to enable the Access Context Manager API in your VPC SC.
NOTE: If you need the policy number, select Left nav menu > Security > Access Context Manager. The policy number is the value following
After the command has been successfully executed, verify the access level:
Select Left nav menu > Security > Access Context Manager.
You should see an Access Level entry with the access level name that you just created.
To attach the new Access Level to the perimeter that protects your project:
Select Left nav menu > Security > VPC Service Controls.
Edit the relevant perimeter, and add the access level to the perimeter. Save.
- You can verify by running a job from
and/or BigQuery and writing results back.
D s storage
|D s also|