terraform apply) and the runtime service accounts, which are automatically provisioned by Terraform.
For the full deployment walkthrough, see the GKE deployment guide.
Required Google Cloud APIs
Enable the following APIs in the target Google Cloud project before running Terraform. ReplaceYOUR_PROJECT_ID with your actual GCP project ID.
Terraform deployer permissions
The identity runningterraform apply must have the following IAM roles on the target Google Cloud project. These can be granted to a user account, a service account used by CI/CD, or a group.
roles/owner or roles/editor + roles/iam.securityAdmin will also satisfy all requirements. The granular roles above are recommended for production environments, following the principle of least privilege.Maia runner runtime permissions
Terraform automatically creates and configures two service accounts. No manual IAM grants are required for these.Maia runner Workload Identity service account
This service account is annotated onto the Kubernetes service account via Workload Identity, so pods authenticate to Google Cloud APIs without any key files. The following roles are granted automatically by Terraform.The optional extra GCS bucket permissions (
roles/storage.legacyBucketReader and roles/storage.objectViewer) are only granted when bucket names are supplied via the runner_gcs_buckets Terraform variable. Typical use cases include custom CA certificate bundles, Python extension libraries, and external JDBC drivers.GKE node service account
A separate, least-privilege service account is attached to the GKE nodes for cluster operations. The following roles are granted automatically by Terraform.Pipeline-level permissions
The following permissions are required at pipeline execution time, depending on the data warehouse the connects to. These aren’t provisioned by the GKE deployment Terraform—they must be granted separately to the Workload Identity service account, or to a delegated service account.BigQuery
Dataset-level grants are preferred for
roles/bigquery.dataViewer and roles/bigquery.dataEditor, to follow the principle of least privilege.Snowflake via GCS staging
Snowflake access isn’t governed by Google Cloud IAM—the authenticates to Snowflake using credentials stored in Secret Manager (key-pair, OAuth, or username/password). However, if Snowflake uses a GCS Storage Integration for staging, the following additional permission is needed on the Snowflake staging bucket:Workload Identity binding
Workload Identity allows Kubernetes pods to impersonate a Google Cloud service account without storing any key files in the cluster. Terraform configures this binding automatically. It takes the form:K8S_NAMESPACEdefaults tovar.name. Override with thek8s_namespaceTerraform variable if your Helm release is deployed into a different namespace.K8S_SERVICE_ACCOUNT_NAMEdefaults to<name>-sa. Override withk8s_service_account_nameif your Helm release name differs fromvar.name.
