Reputation: 74949
Google Cloud BigQuery Admin service account gets "does not have bigquery.jobs.create permission"
I'm new to Google Cloud & BigQuery. I reviewed the dozen other questions that seem to be related and have not seen what I'm missing from those answers. I'm trying to query a public dataset.
The error:
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Access Denied: Project airy-advantage-235802: The user [email protected] does not have bigquery.jobs.create permission in project airy-advantage-235802.",
"reason" : "accessDenied"
} ],
"message" : "Access Denied: Project airy-advantage-235802: The user [email protected] does not have bigquery.jobs.create permission in project airy-advantage-235802."
}
at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:150)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:401)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1132)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:499)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:432)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:549)
at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.create(HttpBigQueryRpc.java:183)
What I've done:
- Created new Google Cloud account
- Created new project, which Google assigned the project ID airy-advantage-235802, project name is Kafka Learning.
- Created a service account [email protected]
- Granted that user the BigQuery Admin role within the project (I originally tried BigQuery User and BigQuery Data Viewer)
- I saved the JSON credentials file to a local folder
- I set the environment variable
GOOGLE_APPLICATION_CREDENTIALSto the path to the JSON file - I have a tiny Java project to query a public dataset
- Received above error
- Verified billing is enabled (as far as I can tell, see below)
Is there a step I missed?
var bigquery = BigQueryOptions.getDefaultInstance().getService();
var query = "SELECT * FROM `bigquery-public-data.google_analytics_sample.ga_sessions_20160801` LIMIT 10";
var queryConfig = QueryJobConfiguration.newBuilder(query).build();
var table = bigquery.query(queryConfig);
I've also tried explicitly setting the project id (which is also in the json file) by changing the builder to this:
var bigquery = BigQueryOptions.newBuilder().setProjectId("airy-advantage-235802").build().getService();
Upvotes: 1
Views: 3491
Answers (2)
Reputation: 2557
I get this problem too. Reading the docs you will solve it.
It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior.
When you delete a service account, its role bindings are not immediately deleted. If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist; however, they will not apply to the new service account even though both accounts have the same email address. This behavior occurs because service accounts are given a unique ID within Cloud IAM at creation. Internally, all role bindings are granted using these IDs, not the service account's email address. Therefore, any role bindings that existed for a deleted service account do not apply to a new service account that uses the same email address.
To avoid confusion, we suggest using unique service account names. If this is not possible, you can grant a role to the new service account by:
Explicitly removing all bindings granting that role to the old service account. Re-granting those roles to the new service account. You must remove the role bindings first before re-adding them. Simply granting the role again will silently fail by granting the role to the old, deleted service account. enter link description here
Upvotes: 0
Reputation: 2893
This usually happens when you delete and create a service account with the same name as the "new" service account may have old roles binding to it. Thus, you could:
- Use a new service account
- Explicitly removing any bindings granting that role to the service account
- Re-granting those roles to the "new" service account.
For more information, you could check this link
Hope it helps.
Upvotes: 2
Related Questions
- [email protected] does not have bigquery.jobs.create permission in project yyyy
- Access Denied: User does not have bigquery.jobs.create permission
- Role roles/bigquery.jobs.create is not supported for this resource (project)
- API call to bigquery.jobs.query failed with error: Access Denied: Project ppc-big-query: User does not have bigquery.jobs.create permission
- Required IAM roles to set service account to an existing scheduled query
- unable to run query against BigQuery - permission error 403
- Serviceaccount does not have bigquery.jobs.create permission
- google default service account did not have permission for bq utility
- How to grant BigQuery job creation permission?
- The user does not have bigquery.jobs.create permission in project gdelt-bq