Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Serviceaccount does not have bigquery.jobs.create permission

Permission given to service account is "owner" and "bigquery admin".

$bigQuery = new BigQueryClient([
            'projectId' => 'project-xxx',
        ]);

      $query = "SELECT * FROM `project-xxxx.analytics_xxx.events_xxx` where event_name='first_open' LIMIT 100";

        $jobConfig = $bigQuery->query($query);
        $queryResults = $bigQuery->runQuery($jobConfig);
        print_r($queryResults);

when I try to execute above code its show below error:

{ "error": 
{ "errors": [ { "domain": "global", "reason": "accessDenied", 
  "message": "Access Denied: Project project-xxxx: The user 
  [email protected] does not have 
  bigquery.jobs.create permission in project project-xxxx." } ],
}}
like image 908
Krunal Avatar asked Mar 04 '19 12:03

Krunal


People also ask

What is BigQuery jobs create?

Jobs are actions that BigQuery runs on your behalf to load data, export data, query data, or copy data. When you use the Google Cloud console or the bq tool to perform one of these jobs, a job resource is automatically created, scheduled, and run. You can also programmatically create a load, export, query, or copy job.

How do I check permissions on BigQuery?

View users and permissions for a projectClick Settings settings. The General settings page opens. Click Permissions. The Permissions page opens.

Where can I see BigQuery jobs?

BigQuery lists jobs for all locations. Go to the BigQuery page. To list all jobs in a project, click Project history. If you aren't the project owner, you might not have permission to view all the jobs for a project.


2 Answers

After creating new service account with same permission as per previous account, its working. I don't know whats wrong with previous account. May be some issue from service account.

like image 53
Krunal Avatar answered Nov 16 '22 02:11

Krunal


You need to specify the credentials of the service account as a parameter of the BigQueryClient constructor.

You can do it with the keyFilePath parameter:

$bigQuery = new BigQueryClient([
            'projectId' => 'project-xxx',
            'keyFilePath' => '/path/to/file.json'   
        ]);

Also, check with this command that you granted the permissions to the service account:

gcloud projects get-iam-policy yourProjectID

EDIT:

Let's take a different approach creating a service account and granting permissions to it from scratch.

  1. Create new service account:

    gcloud iam service-accounts create [NAME]

  2. Grant the permissions:

gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/bigquery.admin"
  1. Create credentials file:
gcloud iam service-accounts keys create [FILE_NAME].json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com
  1. Add the path of this file to the BigQueryClient contructor and run your code.
like image 27
llompalles Avatar answered Nov 16 '22 03:11

llompalles