Installer Permissions
Recommended role combinations
These role combinations provide all permissions needed for a first-time installation. Any one row is sufficient.
| Combination | Roles |
|---|---|
| Minimum (least privilege) | Viewer, Dataform Admin, Project IAM Admin, Service Usage Admin, Service Account Admin, Service Account User |
| Editor shortcut | Editor, Project IAM Admin, Service Account Admin |
| Full access | Owner |
For updating an existing installation, the same combinations apply. The update flow requires fewer permissions overall, but uses the same role checks.
If you enable Premium automation features (Automated GA4 Export Trigger or Email Alerts), add these roles to the minimum combination: Pub/Sub Admin, Logs Configuration Writer, Workflows Editor, Eventarc Developer. The Editor and Owner combinations already cover these.
The installer does not gain any access to your GCP project. All actions are performed using your own Google account permissions through OAuth.
This page explains which permissions the installer needs for a first-time setup and an update of an existing setup. Core and Premium use the same permission checks. At a high level, the installer goes through these steps:
- Checks your access and confirms your license.
- Verifies required APIs are available and can be enabled if needed.
- Checks whether a GA4Dataform setup already exists.
- Creates or updates the Dataform repository and workspace.
- Applies required IAM access for the Dataform service account.
- Deploys or updates package files and workflow configuration.
Permissions checked during package validation
These permissions are needed during the package validation step:
| Permission | Why the installer needs it | What roles have this permission? |
|---|---|---|
| dataform.releaseConfigs.create | Create release configuration | Dataform Admin, Editor, Owner |
| dataform.releaseConfigs.list | List release configurations | Dataform Admin, Dataform Editor, Dataform Viewer, Viewer, Editor, Owner |
| dataform.repositories.create | Create repository (if needed) | Dataform Admin, Dataform Editor, Code Creator, Code Editor, Code Owner, Editor, Owner |
| dataform.repositories.fetchHistory | Read repository commit history | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.repositories.get | Read repository metadata | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.repositories.list | List repositories | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.workflowConfigs.create | Create workflow configuration | Dataform Admin, Editor, Owner |
| dataform.workflowConfigs.list | List workflow configurations | Dataform Admin, Dataform Editor, Dataform Viewer, Viewer, Editor, Owner |
| dataform.workflowInvocations.create | Trigger workflow invocations | Dataform Admin, Dataform Editor, Editor, Owner |
| dataform.compilationResults.create | Create compilation results | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Code Viewer, Editor, Owner |
| dataform.workspaces.commit | Commit workspace changes | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.workspaces.create | Create workspace | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.workspaces.fetchFileGitStatuses | Check workspace git status | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.workspaces.get | Read workspace metadata | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.workspaces.installNpmPackages | Install workspace npm dependencies | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.workspaces.list | List workspaces | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.workspaces.makeDirectory | Create directories in workspace | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.workspaces.pull | Pull repository changes to workspace | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.workspaces.push | Push workspace changes to repository | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.workspaces.queryDirectoryContents | List files/directories in workspace | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.workspaces.readFile | Read workspace files | Dataform Admin, Dataform Editor, Dataform Viewer, Code Creator, Code Editor, Code Owner, Code Viewer, Viewer, Editor, Owner |
| dataform.workspaces.writeFile | Write workspace files | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| resourcemanager.projects.get | Read project metadata | Viewer, Editor, Owner |
| resourcemanager.projects.getIamPolicy | Read project IAM policy | Security Reviewer, Project IAM Admin, Owner |
| serviceusage.services.get | Check API enablement status | Service Usage Consumer, Service Usage Admin, Viewer, Editor, Owner |
Additional permissions for first-time installation
These are required when you are installing GA4Dataform for the first time in a project.
| Permission | Why the installer needs it | What roles have this permission? |
|---|---|---|
| bigquery.datasets.get | List/select source GA4 datasets | BigQuery Data Viewer, BigQuery Data Editor, BigQuery Admin, Viewer, Editor, Owner |
| bigquery.jobs.create | Execute BigQuery validation queries | BigQuery Job User, BigQuery Admin, Viewer, Editor, Owner |
| iam.serviceAccounts.create | Create the custom service account for Strict Act-As mode | Service Account Admin, Editor, Owner |
| iam.serviceAccounts.get | Check if the custom service account already exists | Service Account Admin, Service Account Viewer, Editor, Viewer, Owner |
| iam.serviceAccounts.getIamPolicy | Read SA-level IAM policy before granting roles | Service Account Admin |
| iam.serviceAccounts.setIamPolicy | Grant Token Creator and Service Account User roles on the custom SA to the Dataform default SA | Service Account Admin |
| iam.serviceAccounts.actAs | Act as the custom service account when creating the Dataform repository (Strict Act-As mode) | Service Account User, Editor, Owner |
| resourcemanager.projects.getIamPolicy | Read IAM policy before binding updates | Security Reviewer, Project IAM Admin, Owner |
| resourcemanager.projects.setIamPolicy | Apply project IAM policy updates | Project IAM Admin, Owner |
| serviceusage.services.enable | Enable required APIs | Service Usage Admin, Editor, Owner |
Additional permissions for updating an existing installation
These are required when you are updating an existing GA4Dataform setup.
| Permission | Why the installer needs it | What roles have this permission? |
|---|---|---|
| dataform.workspaces.removeDirectory | Remove/update folder structure during deployment | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.workspaces.removeFile | Remove/update files during deployment | Dataform Admin, Dataform Editor, Code Editor, Code Owner, Editor, Owner |
| dataform.repositories.update | Update repository labels/settings | Dataform Admin, Code Owner, Editor, Owner |
Additional permissions for Premium automation features
These are required when you enable the Automated GA4 Export Trigger or Email Alerts during installation. Both features use the same architecture: a Cloud Logging sink, a Pub/Sub topic, an Eventarc trigger, a Cloud Workflow, and a dedicated service account created in your project. The installer also enables the required APIs (logging.googleapis.com, pubsub.googleapis.com, workflows.googleapis.com, eventarc.googleapis.com).
If you enable either or both features, these permissions are required:
| Permission | Why the installer needs it | What roles have this permission? |
|---|---|---|
| pubsub.topics.create | Create the Pub/Sub topic for event routing | Pub/Sub Admin, Pub/Sub Editor, Editor, Owner |
| pubsub.topics.get | Check if the topic already exists | Pub/Sub Admin, Pub/Sub Editor, Pub/Sub Viewer, Viewer, Editor, Owner |
| pubsub.topics.setIamPolicy | Grant the logging sink permission to publish to the topic | Pub/Sub Admin, Owner |
| logging.sinks.create | Create a Cloud Logging sink to capture relevant events | Logs Configuration Writer, Logging Admin, Editor, Owner |
| logging.sinks.get | Check if the sink already exists | Logs Configuration Writer, Logging Admin, Logging Viewer, Viewer, Editor, Owner |
| workflows.workflows.create | Create the Cloud Workflow that processes events | Workflows Admin, Workflows Editor, Editor, Owner |
| workflows.workflows.get | Check if the workflow already exists | Workflows Admin, Workflows Editor, Workflows Viewer, Viewer, Editor, Owner |
| workflows.workflows.update | Update the workflow when rerunning the installer | Workflows Admin, Workflows Editor, Editor, Owner |
| eventarc.triggers.create | Create the Eventarc trigger that connects Pub/Sub to the workflow | Eventarc Developer, Eventarc Admin, Editor, Owner |
| eventarc.triggers.get | Check if the trigger already exists | Eventarc Developer, Eventarc Admin, Eventarc Viewer, Viewer, Editor, Owner |
The following permissions are also required but are already listed in earlier sections: serviceusage.services.enable, iam.serviceAccounts.create, iam.serviceAccounts.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy.
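To check a role combination against the tables above before running the installer, here is an added example (not part of the GA4Dataform installer) that encodes the first-time-install and Premium tables exactly as this page lists them and reports which permissions a given set of roles does not cover; the role names are the page's display names, not IAM role IDs.

```python
# Added example: role-coverage check built from the permission -> roles tables
# on this page (first-time install and Premium automation only). The mapping
# is taken from the page as written; it is not queried from IAM.

FIRST_TIME = {
    "bigquery.datasets.get": {"BigQuery Data Viewer", "BigQuery Data Editor", "BigQuery Admin", "Viewer", "Editor", "Owner"},
    "bigquery.jobs.create": {"BigQuery Job User", "BigQuery Admin", "Viewer", "Editor", "Owner"},
    "iam.serviceAccounts.create": {"Service Account Admin", "Editor", "Owner"},
    "iam.serviceAccounts.get": {"Service Account Admin", "Service Account Viewer", "Editor", "Viewer", "Owner"},
    "iam.serviceAccounts.getIamPolicy": {"Service Account Admin"},
    "iam.serviceAccounts.setIamPolicy": {"Service Account Admin"},
    "iam.serviceAccounts.actAs": {"Service Account User", "Editor", "Owner"},
    "resourcemanager.projects.getIamPolicy": {"Security Reviewer", "Project IAM Admin", "Owner"},
    "resourcemanager.projects.setIamPolicy": {"Project IAM Admin", "Owner"},
    "serviceusage.services.enable": {"Service Usage Admin", "Editor", "Owner"},
}

PREMIUM = {
    "pubsub.topics.create": {"Pub/Sub Admin", "Pub/Sub Editor", "Editor", "Owner"},
    "pubsub.topics.get": {"Pub/Sub Admin", "Pub/Sub Editor", "Pub/Sub Viewer", "Viewer", "Editor", "Owner"},
    "pubsub.topics.setIamPolicy": {"Pub/Sub Admin", "Owner"},
    "logging.sinks.create": {"Logs Configuration Writer", "Logging Admin", "Editor", "Owner"},
    "logging.sinks.get": {"Logs Configuration Writer", "Logging Admin", "Logging Viewer", "Viewer", "Editor", "Owner"},
    "workflows.workflows.create": {"Workflows Admin", "Workflows Editor", "Editor", "Owner"},
    "workflows.workflows.get": {"Workflows Admin", "Workflows Editor", "Workflows Viewer", "Viewer", "Editor", "Owner"},
    "workflows.workflows.update": {"Workflows Admin", "Workflows Editor", "Editor", "Owner"},
    "eventarc.triggers.create": {"Eventarc Developer", "Eventarc Admin", "Editor", "Owner"},
    "eventarc.triggers.get": {"Eventarc Developer", "Eventarc Admin", "Eventarc Viewer", "Viewer", "Editor", "Owner"},
}

# The "Minimum (least privilege)" combination and the Premium add-on roles from this page.
MINIMUM = {"Viewer", "Dataform Admin", "Project IAM Admin", "Service Usage Admin",
           "Service Account Admin", "Service Account User"}
PREMIUM_ADD_ON = {"Pub/Sub Admin", "Logs Configuration Writer", "Workflows Editor", "Eventarc Developer"}


def missing_permissions(held_roles, required):
    """Return, sorted, each permission in `required` that none of `held_roles` grants."""
    held = set(held_roles)
    return sorted(perm for perm, roles in required.items() if not roles & held)


def covers(held_roles, required):
    """True when every permission in `required` is granted by at least one held role."""
    return not missing_permissions(held_roles, required)


if __name__ == "__main__":
    print("minimum covers first-time install:", covers(MINIMUM, FIRST_TIME))
    print("minimum lacks for Premium:", missing_permissions(MINIMUM, PREMIUM))
```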
IAM roles the installer adds
During the permissions step, the installer grants the following roles to service accounts.
Custom service account (query execution)
These project-level roles are assigned to the custom GA4Dataform service account used for BigQuery query execution:
- roles/bigquery.metadataViewer
- roles/bigquery.resourceViewer
- roles/bigquery.dataEditor
- roles/bigquery.dataViewer
- roles/bigquery.jobUser
Dataform default service account (orchestration)
These roles are assigned to the Dataform default service account so it can orchestrate workflows via Strict Act-As mode:
- roles/secretmanager.secretAccessor
- roles/iam.serviceAccountTokenCreator
- roles/iam.serviceAccountUser (on the custom service account)
Workflow service account (GA4 Export Trigger, Premium)
When the Automated GA4 Export Trigger is enabled, the installer creates a dedicated service account (ga4wf-*) and assigns these project-level roles:
- roles/dataform.editor
- roles/workflows.invoker
- roles/eventarc.eventReceiver
The Cloud Logging sink's writer identity is also granted roles/pubsub.publisher on the trigger's Pub/Sub topic.
Workflow service account (Email Alerts, Premium)
When Email Alerts are enabled, the installer creates a dedicated service account (dferrwf-*) and assigns these project-level roles:
- roles/dataform.viewer
- roles/workflows.invoker
- roles/eventarc.eventReceiver
The Cloud Logging sink's writer identity is also granted roles/pubsub.publisher on the error topic. The workflow forwards error events to GA4Dataform's internal notification system for processing and email delivery.
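After installation, the project-level grants above are what the installer's service accounts should hold and nothing more. The following added example (not GA4Dataform's own code) audits a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT_ID --format=json` returns against the role sets this page lists, reporting roles that are missing and roles that go beyond the expected set; the service-account addresses and project name are constructed placeholders.

```python
# Added example: least-privilege audit of project IAM bindings for the
# GA4Dataform service accounts, using the project-level role sets on this page.

# Expected project-level roles per service-account kind, as listed on this page.
EXPECTED = {
    "custom": {"roles/bigquery.metadataViewer", "roles/bigquery.resourceViewer",
               "roles/bigquery.dataEditor", "roles/bigquery.dataViewer", "roles/bigquery.jobUser"},
    "ga4wf": {"roles/dataform.editor", "roles/workflows.invoker", "roles/eventarc.eventReceiver"},
    "dferrwf": {"roles/dataform.viewer", "roles/workflows.invoker", "roles/eventarc.eventReceiver"},
}


def roles_by_member(policy):
    """Invert a policy's bindings ({"bindings": [{"role", "members"}]}) into {member: set(roles)}."""
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def audit(policy, members):
    """members maps member string -> kind in EXPECTED; returns per-member missing/extra roles."""
    held = roles_by_member(policy)
    report = {}
    for member, kind in members.items():
        have = held.get(member, set())
        want = EXPECTED[kind]
        report[member] = {"missing": sorted(want - have), "extra": sorted(have - want)}
    return report


# Constructed sample (placeholder names): the custom SA lacks jobUser and the
# workflow SA has drifted to hold roles/editor, which this page never grants.
CUSTOM_SA = "serviceAccount:ga4df-sa@example-project.iam.gserviceaccount.com"
WF_SA = "serviceAccount:ga4wf-abc123@example-project.iam.gserviceaccount.com"


def _binding(role, *members):
    return {"role": role, "members": list(members)}


SAMPLE_POLICY = {"bindings": [
    _binding("roles/bigquery.metadataViewer", CUSTOM_SA),
    _binding("roles/bigquery.resourceViewer", CUSTOM_SA),
    _binding("roles/bigquery.dataEditor", CUSTOM_SA),
    _binding("roles/bigquery.dataViewer", CUSTOM_SA),
    _binding("roles/dataform.editor", WF_SA),
    _binding("roles/workflows.invoker", WF_SA),
    _binding("roles/eventarc.eventReceiver", WF_SA),
    _binding("roles/editor", WF_SA, "user:admin@example.com"),
]}


def sample_report():
    return audit(SAMPLE_POLICY, {CUSTOM_SA: "custom", WF_SA: "ga4wf"})
```

Feed it a real policy by loading the gcloud JSON with `json.load` and passing the actual service-account members in place of the placeholders.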