Skip to main content
This guide lists all Google Cloud IAM roles and permissions required to deploy and run a on Google Kubernetes Engine (GKE). It covers two distinct principals: the Terraform deployer (the human or CI identity running terraform apply) and the runtime service accounts, which are automatically provisioned by Terraform. For the full deployment walkthrough, see the GKE deployment guide.

Required Google Cloud APIs

Enable the following APIs in the target Google Cloud project before running Terraform. Replace YOUR_PROJECT_ID with your actual GCP project ID.

Terraform deployer permissions

The identity running terraform apply must have the following IAM roles on the target Google Cloud project. These can be granted to a user account, a service account used by CI/CD, or a group.
roles/owner or roles/editor + roles/iam.securityAdmin will also satisfy all requirements. The granular roles above are recommended for production environments, following the principle of least privilege.

Maia runner runtime permissions

Terraform automatically creates and configures two service accounts. No manual IAM grants are required for these.

Maia runner Workload Identity service account

This service account is annotated onto the Kubernetes service account via Workload Identity, so pods authenticate to Google Cloud APIs without any key files. The following roles are granted automatically by Terraform.
The optional extra GCS bucket permissions (roles/storage.legacyBucketReader and roles/storage.objectViewer) are only granted when bucket names are supplied via the runner_gcs_buckets Terraform variable. Typical use cases include custom CA certificate bundles, Python extension libraries, and external JDBC drivers.

GKE node service account

A separate, least-privilege service account is attached to the GKE nodes for cluster operations. The following roles are granted automatically by Terraform.

Pipeline-level permissions

The following permissions are required at pipeline execution time, depending on the data warehouse the connects to. These aren’t provisioned by the GKE deployment Terraform—they must be granted separately to the Workload Identity service account, or to a delegated service account.

BigQuery

Dataset-level grants are preferred for roles/bigquery.dataViewer and roles/bigquery.dataEditor, to follow the principle of least privilege.

Snowflake via GCS staging

Snowflake access isn’t governed by Google Cloud IAM—the authenticates to Snowflake using credentials stored in Secret Manager (key-pair, OAuth, or username/password). However, if Snowflake uses a GCS Storage Integration for staging, the following additional permission is needed on the Snowflake staging bucket:

Workload Identity binding

Workload Identity allows Kubernetes pods to impersonate a Google Cloud service account without storing any key files in the cluster. Terraform configures this binding automatically. It takes the form:
  • K8S_NAMESPACE defaults to var.name. Override with the k8s_namespace Terraform variable if your Helm release is deployed into a different namespace.
  • K8S_SERVICE_ACCOUNT_NAME defaults to <name>-sa. Override with k8s_service_account_name if your Helm release name differs from var.name.
If the Kubernetes namespace or service account name doesn’t match the Workload Identity binding, pods will silently fail to authenticate to Google Cloud APIs. Run terraform apply a second time if you see an identity pool race condition error after initial cluster creation.

Quick reference

The following table summarizes all permissions.