
Connecting dbt cloud to BigQuery via WIF won't work. GCP Policy override for BQ Service Account key creation. #169

@pavelmg93

Description


Course

data-engineering-zoomcamp

Question

04-analytics-engineering

When setting up a dbt Cloud environment, we need to create a connection to BigQuery.
If you are still not able to create a JSON key for your BQ (or other GCP) service account and are attempting the Workload Identity Federation route -- DON'T!

I was going mad, trying many different hacks and setups in GCP. The Save button simply always turned into "retry" in dbt.

[FAILED] Workload Identity Federation route:

  1. Set up a workload identity pool in GCP with auth.cloud.getdbt.com as the issuer link:
    <your_wif_pool_id>

  2. Create a principal under your GCP service account:
    "de-zoomcamp-runner@<full_gcp_project_id>.iam.gserviceaccount.com"
    with the Service Account Token Creator role on top of the BigQuery, Compute and Storage Admin roles.

    "principalSet://iam.googleapis.com/projects/<digits_only_project_id>/locations/global/workloadIdentityPools/<your_wif_pool_id>/*"
    This service account "principal" user has the Workload Identity User role as well as Service Account Token Creator.

    gcloud projects describe <full_gcp_project_id> --format="value(projectNumber)"

    returns the digits-only GCP project id (the project number).

  3. Create an OAuth Client ID with a secret for dbt.

  4. Try to create a Development environment in dbt Cloud, enter your project id and, under Optional, enter the service account to impersonate.

  5. FAIL regardless...

Answer

The only solution is to brute-force delete the iam.disableServiceAccountKeyCreation org policy.

  1. Add yourself the "Service Account Key Admin" and "Organization Policy Administrator" roles at the organization level.
  2. Manually disabling both the legacy and the enforced policy does not work for some reason.
  3. This GCP CLI command does it!
gcloud org-policies delete iam.disableServiceAccountKeyCreation --organization=[your-org-id]

Finally, you can create a JSON key for the BQ service account!
Proceed with the normal dbt Cloud setup in Module 04-analytics-engineering.
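Before deleting anything, it helps to confirm that the effective policy on the project is really what blocks key creation. The script below is an added example, not part of this issue or the course material: it reads the YAML that `gcloud org-policies describe iam.disableServiceAccountKeyCreation --project=<id> --effective` prints (assumed to carry `spec.rules[].enforce`), reports whether key creation is blocked, and builds the principalSet member string from step 2. The sample outputs are constructed, not captured from a real project.

```shell
#!/bin/sh
# Added example (not from the issue). Assumed input format: the YAML printed by
#   gcloud org-policies describe iam.disableServiceAccountKeyCreation \
#       --project=<full_gcp_project_id> --effective
# which lists the constraint's rules as "- enforce: true|false".

# key_creation_blocked <yaml-text>
# Exit 0 if any rule enforces the constraint (key creation blocked), 1 otherwise.
key_creation_blocked() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*-?[[:space:]]*enforce:[[:space:]]*true[[:space:]]*$'
}

# principal_set <project_number> <pool_id>
# Builds the member string granted Workload Identity User in step 2.
principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/*\n' "$1" "$2"
}

# check_policy <full_gcp_project_id>
# Live check: 0 = blocked, 1 = not blocked, 2 = gcloud missing or call failed.
check_policy() {
  command -v gcloud >/dev/null 2>&1 || return 2
  out=$(gcloud org-policies describe iam.disableServiceAccountKeyCreation \
        --project="$1" --effective 2>/dev/null) || return 2
  key_creation_blocked "$out"
}

# Constructed sample outputs (project number and values are made up).
SAMPLE_ENFORCED='name: projects/123456789012/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true'

SAMPLE_OPEN='name: projects/123456789012/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: false'

if key_creation_blocked "$SAMPLE_ENFORCED"; then
  echo "sample 1: service account key creation is blocked by the effective policy"
fi
if ! key_creation_blocked "$SAMPLE_OPEN"; then
  echo "sample 2: key creation is allowed; the dbt JSON-key setup should work"
fi
principal_set 123456789012 "<your_wif_pool_id>"
```

Run `check_policy <full_gcp_project_id>` after the delete command above to confirm the project no longer inherits the enforced rule.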

Checklist

  • I have searched existing FAQs and this question is not already answered
  • The answer provides accurate, helpful information
  • I have included any relevant code examples or links
