 

Network default is not accessible to Dataflow Service account

Having issues starting a Dataflow job (2018-07-16_04_25_02-6605099454046602382) in a project without a local VPC Network, when I get this error:

Workflow failed. Causes: Network default is not accessible to Dataflow Service account

There is a shared VPC connected to the project with a network called default with a subnet default in us-central1 – however the service account used to run the Dataflow job doesn't seem to have access to it. I have given the dataflow-service-producer service account Compute Network User, without any noticeable effect. Any ideas on how I can proceed?

Brodin asked Jul 16 '18 13:07



1 Answer

The usage of subnetworks in Cloud Dataflow requires specifying the subnetwork parameter when running the pipeline; however, in the case of subnetworks that are located in a Shared VPC network, it is required to use the complete URL based on the following format, as you well mentioned.

https://www.googleapis.com/compute/v1/projects/<HOST_PROJECT>/regions/<REGION>/subnetworks/<SUBNETWORK>

Additionally, in these cases it is recommended to verify that you are adding the project's Dataflow service account into the Shared VPC's project IAM table and giving it the "Compute Network User" role permission in order to ensure that the service has the required access scope.

Finally, it seems that Google's official documentation for the Subnetwork parameter is already available with detailed information about this matter.

Armin_SC answered Sep 21 '22 04:09
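The two steps from the answer above, as an added example that is not part of the original answer: build the full Shared VPC subnetwork URL to pass as the subnetwork parameter, then print (not run) the gcloud command that grants the Dataflow service account Compute Network User on that one subnet, a narrower scope than a binding on the whole host project. The project name and project number are constructed placeholders, and the `service-<PROJECT_NUMBER>@dataflow-service-producer-prod.iam.gserviceaccount.com` address format is assumed here for the dataflow-service-producer account named in the question.

```sh
#!/bin/sh
# Added example; host-proj and 123456789012 used with it are constructed placeholders.

PREFIX='https://www.googleapis.com/compute/v1/projects/'

# Full subnetwork URL in the format the answer gives.
subnet_url() {  # usage: subnet_url HOST_PROJECT REGION SUBNETWORK
  printf '%s%s/regions/%s/subnetworks/%s\n' "$PREFIX" "$1" "$2" "$3"
}

# Split a subnetwork value into "HOST_PROJECT REGION SUBNETWORK".
# Returns 1 for anything that is not the complete URL (e.g. the short name
# "default"), since only the complete URL names the host project.
parse_subnet_url() {
  case $1 in
    "$PREFIX"*/regions/*/subnetworks/*) ;;
    *) return 1 ;;
  esac
  rest=${1#"$PREFIX"}          # HOST/regions/REGION/subnetworks/SUBNET
  host=${rest%%/*}
  rest=${rest#*/regions/}      # REGION/subnetworks/SUBNET
  region=${rest%%/*}
  subnet=${rest#*/subnetworks/}
  case $subnet in */*) return 1 ;; esac      # trailing path segments
  [ -n "$host" ] && [ -n "$region" ] && [ -n "$subnet" ] || return 1
  printf '%s %s %s\n' "$host" "$region" "$subnet"
}

# Dataflow service account of the project that runs the job (assumed format).
dataflow_agent() {  # usage: dataflow_agent SERVICE_PROJECT_NUMBER
  printf 'service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com\n' "$1"
}

# Print the command that grants Compute Network User on that single subnet.
grant_cmd() {  # usage: grant_cmd SUBNET_URL SERVICE_PROJECT_NUMBER
  parts=$(parse_subnet_url "$1") || {
    echo "not a full subnetwork URL: $1" >&2
    return 1
  }
  agent=$(dataflow_agent "$2")
  set -- $parts                # $1=host project, $2=region, $3=subnet
  printf 'gcloud compute networks subnets add-iam-policy-binding %s --project=%s --region=%s --member=serviceAccount:%s --role=roles/compute.networkUser\n' \
    "$3" "$1" "$2" "$agent"
}
```

Review the printed command before running it with credentials for the host project; `gcloud compute networks subnets get-iam-policy` on the same subnet shows whether the binding is present.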