Dylan Meeus

Reputation: 5802

cloud spanner IAM permission denied

When using the CLI gcloud commands, I can do every action on my database. Yet when I try to do the same thing from Go (from the same shell instance as I did when using the gcloud commands) I get an error with the message:

spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."

The code I am trying to run is taken from the example found here: https://cloud.google.com/spanner/docs/getting-started/go/

I can't find that permission (spanner.session.create) in the spanner permissions either. I've been playing around with setting all permissions I could find related to spanner, on the account which I've used to log in with gcloud.

My GOOGLE_APPLICATION_CREDENTIALS are set and I've also tried with gcloud beta auth.

Upvotes: 0

Views: 8909

Answers (3)

Salim

Reputation: 2546

Make sure you are using the right project name. The error can be misleading if there is any typo there. It will not tell you "You have no access to this Project ID" but instead show you the same error message as you got. Browsing the resource on the GCloud Console helps to identify the right Project ID.

Upvotes: 0

Dlinny_Lag

Reputation: 66

Probably you didn't add access to your database tododb for account in the file pointed by GOOGLE_APPLICATION_CREDENTIALS. Use, for example, Cloud Spanner Database User role for this account in Google Console.

Upvotes: 1

PrecariousJimi

Reputation: 1533

Cloud Spanner IAM roles including the permission spanner.session.create are listed and described here: https://cloud.google.com/spanner/docs/iam#roles

Note how some of the roles are specific to a Person while others are Machine-specific (or Service Account specific).

You need to specify where you are connecting from or executing the code (Cloud Shell instance, VM running on GCE, on-prem machine or laptop) and to ensure that the correct roles are assigned to the Person or Service Account which is attempting to execute the code and access the Cloud Spanner instance.

Consider this scenario:

  • your gcloud SDK may be well credentialed with [email protected] account which has granted roles/spanner.admin role, so everything works fine for gcloud
  • the VM hosting your code and SDK is running as [email protected] Service Account and that one has no access to Cloud Spanner whatsoever, causing trouble.

More information on Service Accounts here: https://cloud.google.com/compute/docs/access/service-accounts

Upvotes: 2
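The two answers above come down to one diagnostic question: which principal does the Go client actually authenticate as, and is that the same one gcloud uses? The following is an added example, not code from the question or from the Google sample the asker linked. It reproduces the Application Default Credentials lookup order (GOOGLE_APPLICATION_CREDENTIALS, then the gcloud application-default file, then the metadata server) using only the standard library, reports the resulting identity, and parses the PermissionDenied message from the question so the resource path (which also exposes a wrong project ID, as the first answer warns) and the missing permission are shown side by side. The file paths, the sample key contents and the `example-sa@...` address are constructed for the example; the Windows location of the gcloud file is noted as an assumption in a comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Identity is the principal that Application Default Credentials (ADC) would hand to the Spanner client.
type Identity struct {
	Source    string // where ADC found the credential
	Type      string // "service_account" or "authorized_user"
	Principal string // service-account email, or a description of the user credential
}

// PermissionError holds the resource and permission parsed from a Spanner PermissionDenied message.
type PermissionError struct {
	Resource   string
	Permission string
}

// Matches e.g. `Resource projects/p/instances/i/databases/d is missing IAM permission: spanner.sessions.create.`
var permDeniedRe = regexp.MustCompile(`Resource (\S+) is missing IAM permission: ([A-Za-z]+(?:\.[A-Za-z]+)+)`)

// parsePermissionDenied extracts the resource path and the missing permission from the error text.
func parsePermissionDenied(msg string) (PermissionError, bool) {
	m := permDeniedRe.FindStringSubmatch(msg)
	if m == nil {
		return PermissionError{}, false
	}
	return PermissionError{Resource: m[1], Permission: m[2]}, true
}

// parseCredentialJSON reads the two ADC file shapes: a service-account key and a gcloud user credential.
func parseCredentialJSON(data []byte) (Identity, error) {
	var f struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
		ClientID    string `json:"client_id"`
	}
	if err := json.Unmarshal(data, &f); err != nil {
		return Identity{}, err
	}
	switch f.Type {
	case "service_account":
		return Identity{Type: f.Type, Principal: f.ClientEmail}, nil
	case "authorized_user":
		// A gcloud-generated user credential carries no e-mail, only the OAuth client id.
		return Identity{Type: f.Type, Principal: "gcloud user credential (client_id " + f.ClientID + ")"}, nil
	default:
		return Identity{}, fmt.Errorf("unsupported credential type %q", f.Type)
	}
}

// resolveADC follows the ADC lookup order used by the Google client libraries:
// 1. GOOGLE_APPLICATION_CREDENTIALS, 2. the gcloud application-default file, 3. the metadata server.
// Environment and file access are injected so the logic can be exercised offline.
func resolveADC(getenv func(string) string, home string, readFile func(string) ([]byte, error)) (Identity, error) {
	if p := getenv("GOOGLE_APPLICATION_CREDENTIALS"); p != "" {
		data, err := readFile(p)
		if err != nil {
			return Identity{}, fmt.Errorf("GOOGLE_APPLICATION_CREDENTIALS points at %s: %w", p, err)
		}
		id, err := parseCredentialJSON(data)
		if err != nil {
			return Identity{}, err
		}
		id.Source = "GOOGLE_APPLICATION_CREDENTIALS=" + p
		return id, nil
	}
	// Well-known location on Linux/macOS (assumption: Windows keeps it under %APPDATA%\gcloud instead).
	wellKnown := filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
	if data, err := readFile(wellKnown); err == nil {
		id, err := parseCredentialJSON(data)
		if err != nil {
			return Identity{}, err
		}
		id.Source = wellKnown
		return id, nil
	}
	// Nothing on disk: on GCE or Cloud Shell the library asks the metadata server for the VM's attached service account,
	// which is the case the third answer describes (gcloud runs as a person, the code runs as the VM's account).
	return Identity{
		Source:    "metadata server",
		Type:      "service_account",
		Principal: "the service account attached to this VM",
	}, nil
}

func main() {
	home, _ := os.UserHomeDir()
	id, err := resolveADC(os.Getenv, home, os.ReadFile)
	if err != nil {
		fmt.Println("ADC error:", err)
	} else {
		fmt.Printf("Go code will authenticate as %s (%s) via %s\n", id.Principal, id.Type, id.Source)
	}

	// Constructed sample: the message from the question, as returned by the Spanner client.
	msg := `spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."`
	if pe, ok := parsePermissionDenied(msg); ok {
		fmt.Printf("grant a role containing %s on %s to the principal above\n", pe.Permission, pe.Resource)
	}
}
```

Run it in the same shell where gcloud works: if it reports a service-account e-mail or the metadata server while `gcloud auth list` shows your personal account, the two tools are not the same principal, and the role granted to your user does not help the code. The parsed resource path also makes a mistyped project ID visible without reading past the PermissionDenied wording.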
