Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Permissions Issue with Google Cloud Data Fusion

Tags:

google-cloud-platform

google-cloud-data-fusion

cdap

I'm following the instructions in the Cloud Data Fusion sample tutorial and everything seems to work fine, until I try to run the pipeline right at the end. Cloud Data Fusion Service API permissions are set for the Google managed Service account as per the instructions. The pipeline preview function works without any issues.

However, when I deploy and run the pipeline it fails after a couple of minutes. Shortly after the status changes from provisioning to running the pipeline stops with the following permissions error:

   com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
    {
      "code" : 403,
      "errors" : [ {
        "domain" : "global",
        "message" : "[email protected] does not have storage.buckets.create access to project X.",
        "reason" : "forbidden"
      } ],
      "message" : "[email protected] does not have storage.buckets.create access to project X."
    }

[email protected] is the default Compute Engine service account for my project.

"Project X" is not one of mine though, I've no idea why the pipeline startup code is trying to create a bucket there, it does successfully create temporary buckets ( one called df-xxx and one called dataproc-xxx) in my project before it fails.

I've tried this with two separate accounts and get the same error in both places. I had tried adding storage/admin roles to the various service accounts to no avail but that was before I realized it was attempting to access a different project entirely.

like image 769
Helvick Avatar asked Dec 31 '22 20:12

Helvick

1 Answers

I believe I was able to reproduce this. What's happening is that the BigQuery Source plugin first creates a temporary working GCS bucket to export the data to, and I suspect it is attempting to create it in the Dataset Project ID by default, instead of your own project as it should.

As a workaround, create a GCS bucket in your account, and then in the BigQuery Source configuration of your pipeline, set the "Temporary Bucket Name" configuration to "gs://<your-bucket-name>"

like image 175
Derek Avatar answered Jan 18 '23 13:01

Derek
Sign in to Comment

Related questions

Failed job in Cloud Dataflow: enable Dataflow API
Google cloud Compute Engine refuse outer access through apache2
gCloud: File index.js does not exist in root directory
Access localhost on Google Cloud instance using External IP
Why there are insufficient accelerators when I execute gcloud ml-engine jobs?
kubernetes nginx ingress fails to redirect HTTP to HTTPS
GCP Custom IAM role creation with Terraform
How to change default shell in a GCE VM instance?
Google Cloud Composer variables do not propagate to Airflow
GCP Kubernetes workload "Does not have minimum availability"
What Service Account Does GKE Use to Access GCR
invalid argument "gcr.io//hello-app:v1" for "-t, --tag" flag: invalid reference format

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!