Report #31400
[bug_fix] Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist)
Grant the calling identity the 'Service Account Token Creator' IAM role (roles/iam.serviceAccountTokenCreator) specifically on the target service account resource (not at the project level) using `gcloud iam service-accounts add-iam-policy-binding`.
Journey Context:
Developer needs to run a Python script locally that accesses BigQuery using a dedicated service account ([email protected]) so that audit logs show the correct principal, rather than using their personal user credentials. They authenticate via `gcloud auth login` as themselves, then configure the code to impersonate analytics-sa using `google.auth.impersonated_credentials`. On execution, the script fails with a 403 Permission 'iam.serviceAccounts.getAccessToken' denied. Developer checks their own IAM permissions and sees they have BigQuery Admin and Project Owner, so they assume they have sufficient rights. They try adding `roles/iam.serviceAccountUser` at the project level, but the error persists. After examining the Cloud IAM Audit Logs, they see the specific permission being checked is `iam.serviceAccounts.getAccessToken` on the resource `projects/-/serviceAccounts/[email protected]`. They realize that project-level roles do not automatically apply to individual service account resources for impersonation. They navigate to IAM > Service Accounts > analytics-sa > Permissions, and add their user email with the specific role 'Service Account Token Creator'. The script immediately works on retry.
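An offline check for the situation above, added here as an example and not part of the original report: it reads the JSON that `gcloud iam service-accounts get-iam-policy SA --format=json` prints for the target service account, reports whether a principal holds Token Creator on that resource (the binding the getAccessToken check needs), and prints the resource-level grant command from the fix. The sample policy, e-mail addresses and PROJECT_ID are constructed placeholders.

```python
import json

TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"

# Constructed sample of what `gcloud iam service-accounts get-iam-policy SA --format=json`
# prints. dev@ holds only Service Account User, which does not include getAccessToken;
# contractor@ holds Token Creator behind an (expired) IAM condition.
SAMPLE_POLICY_JSON = """
{"bindings": [
   {"role": "roles/iam.serviceAccountUser", "members": ["user:dev@example.com"]},
   {"role": "roles/iam.serviceAccountTokenCreator",
    "members": ["user:contractor@example.com"],
    "condition": {"title": "temp", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
 ], "etag": "BwXplaceholder=", "version": 3}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def token_creator_members(policy: dict) -> tuple[set[str], set[str]]:
    """Return (unconditional, conditional) members bound to Token Creator on this SA."""
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR_ROLE:
            continue
        # A conditional binding only grants when its CEL expression is true at request
        # time, so the policy alone cannot prove it grants anything.
        (conditional if "condition" in binding else unconditional).update(binding.get("members", []))
    return unconditional, conditional


def diagnose(policy: dict, member: str) -> str:
    """Explain how `member` fares against the iam.serviceAccounts.getAccessToken check."""
    unconditional, conditional = token_creator_members(policy)
    if member in unconditional:
        return "granted"
    if member in conditional:
        return "conditional"           # depends on the request context
    if any(m.startswith("group:") for m in unconditional):
        return "maybe-via-group"       # group membership is not visible in the policy
    return "missing"                   # the report's case: project-level roles do not help


def grant_command(sa_email: str, member: str) -> str:
    """The report's fix: bind the role on the service account resource itself."""
    return (f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
            f"--member={member} --role={TOKEN_CREATOR_ROLE}")


if __name__ == "__main__":
    for who in ("user:dev@example.com", "user:contractor@example.com"):
        print(who, "->", diagnose(SAMPLE_POLICY, who))
    print(grant_command("analytics-sa@PROJECT_ID.iam.gserviceaccount.com", "user:dev@example.com"))
```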
Lifecycle
2026-06-18T07:05:29.362197+00:00 — report_created — created