In Step 5 ("Permissions Setup") of the Turn Dark Data into Structured Gold Codelab, the list of IAM roles provided to be granted to the Dataplex service account (gcp-sa-dataplex.iam.gserviceaccount.com) is incomplete.
When proceeding to configure the DataScan job in the console (Step 6), the operation fails with a permission denied error regarding bucket metadata access. The console outputs the following message:
Invalid data discovery scan configuration
Dataplex service account service-[PROJECT_NUMBER]@gcp-sa-dataplex.iam.gserviceaccount.com is missing following permission(s) on the bucket: [storage.buckets.get]. Please grant it missing permission(s) or role roles/dataplex.discoveryServiceAgent on the bucket.
Once the roles/dataplex.discoveryServiceAgent role is manually appended to the Dataplex service account, the DataScan job initializes and executes successfully.
Suggested Fix:
Update the documentation in Step 5 to include roles/dataplex.discoveryServiceAgent in the bulleted list of required IAM roles.
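Added example, not part of the original report or the Codelab: a small shell helper that reads the console error quoted above and prints the bucket-scoped gcloud grant it asks for, so the role is bound on the one bucket rather than more widely. The bucket name example-bucket and the project number in the sample message are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: derive a bucket-scoped IAM grant from the Dataplex console error.
# The sample message is constructed; 123456789012 stands in for [PROJECT_NUMBER].
SAMPLE_ERROR='Dataplex service account service-123456789012@gcp-sa-dataplex.iam.gserviceaccount.com is missing following permission(s) on the bucket: [storage.buckets.get]. Please grant it missing permission(s) or role roles/dataplex.discoveryServiceAgent on the bucket.'

# Service agent e-mail named in the error text.
extract_member() {
  printf '%s\n' "$1" |
    sed -n 's/.*service account \([^ ]*@gcp-sa-dataplex\.iam\.gserviceaccount\.com\).*/\1/p'
}

# Permission list found between the square brackets.
extract_permissions() {
  printf '%s\n' "$1" | sed -n 's/.*on the bucket: \[\([^]]*\)].*/\1/p'
}

# Role the message recommends granting.
extract_role() {
  printf '%s\n' "$1" | sed -n 's|.*or role \(roles/[A-Za-z0-9.]*\) on the bucket.*|\1|p'
}

# Print (do not run) the grant, bound on the bucket only.
# Fails if the text is not the missing-permission message.
build_grant_cmd() {
  bucket=$1
  msg=$2
  member=$(extract_member "$msg")
  role=$(extract_role "$msg")
  if [ -z "$member" ] || [ -z "$role" ]; then
    echo "error: not a Dataplex missing-permission message" >&2
    return 1
  fi
  printf 'gcloud storage buckets add-iam-policy-binding gs://%s --member=serviceAccount:%s --role=%s\n' \
    "$bucket" "$member" "$role"
}

# example-bucket is a placeholder for the bucket the DataScan reads.
echo "missing: $(extract_permissions "$SAMPLE_ERROR")"
build_grant_cmd "example-bucket" "$SAMPLE_ERROR"
```

After running the printed command, gcloud storage buckets get-iam-policy on the same bucket shows whether the binding is present.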