To create a pipeline schedule in Vertex AI, we can use the snippet below:

from google.cloud import aiplatform

pipeline_job = aiplatform.PipelineJob(
  template_path="COMPILED_PIPELINE_PATH",
  pipeline_root="PIPELINE_ROOT_PATH",
  display_name="DISPLAY_NAME",
)

pipeline_job_schedule = pipeline_job.create_schedule(
  display_name="SCHEDULE_NAME",
  cron="TZ=CRON",
  max_concurrent_run_count=MAX_CONCURRENT_RUN_COUNT,
  max_run_count=MAX_RUN_COUNT,
  service_account="XYZ",
)

This Python code runs as service account “XYZ”, and we also want the schedule to run as service account “XYZ”. Makes sense, right? But the execution throws an error:

grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.INVALID_ARGUMENT
	details = "You do not have permission to act as service_account: vertex-runner@pers-decision-engine-dev.iam.gserviceaccount.com. (or it may not exist)."
	debug_error_string = "UNKNOWN:Error received from peer ipv4:74.125.201.95:443 {created_time:"2024-06-06T01:51:02.837225888+00:00", grpc_status:3, grpc_message:"You do not have permission to act as service_account: vertex-runner@pers-decision-engine-dev.iam.gserviceaccount.com. (or it may not exist)."}"

Why does the Python client of Vertex AI need to “act as” service account “XYZ” even if it’s already using the default service account “XYZ”? I can’t answer. Fortunately, the solution is to add the role “Service Account User” to the service account “XYZ” (as this shows).
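
An added example (not from the original post) for verifying the fix: it reads a service account's IAM policy, in the JSON shape printed by `gcloud iam service-accounts get-iam-policy`, and reports which members hold “Service Account User” (`roles/iam.serviceAccountUser`). The policy, e-mail addresses and function names are constructed for illustration, and bindings inherited from the project level are not covered.

```python
import json

# Assumption: only the predefined role named in the fix is checked; custom or
# broader roles that also carry iam.serviceAccounts.actAs are not detected.
ACT_AS_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample in the shape of
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
# Every e-mail address here is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:runner@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["group:ml-team@example.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:bob@example.com"]}
  ],
  "version": 3
}
""")


def act_as_grants(policy):
    """Map each member to the condition titles (None = unconditional) of its grants."""
    grants = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != ACT_AS_ROLE:
            continue
        title = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            grants.setdefault(member, []).append(title)
    return grants


def can_act_as(policy, member):
    """True only if the member holds the role through an unconditional binding."""
    return None in act_as_grants(policy).get(member, [])


def unexpected_members(policy, allowed):
    """Members holding the role that are not on the allow-list (least-privilege review)."""
    return sorted(set(act_as_grants(policy)) - set(allowed))
```

Run `can_act_as` for the runner account before creating the schedule, and `unexpected_members` afterwards to confirm the grant did not widen who can impersonate it.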

It seems Google Cloud still needs to do some work to make Vertex AI work very well.