Serviceaccount does not have bigquery.jobs.create permission

Question

Permission given to service account is "owner" and "bigquery admin".

$bigQuery = new BigQueryClient([
            'projectId' => 'project-xxx',
        ]);

      $query = "SELECT * FROM `project-xxxx.analytics_xxx.events_xxx` where event_name='first_open' LIMIT 100";

        $jobConfig = $bigQuery->query($query);
        $queryResults = $bigQuery->runQuery($jobConfig);
        print_r($queryResults);

when I try to execute above code its show below error:

{ "error": 
{ "errors": [ { "domain": "global", "reason": "accessDenied", 
  "message": "Access Denied: Project project-xxxx: The user 
  [email protected] does not have 
  bigquery.jobs.create permission in project project-xxxx." } ],
}}

Answer 1

After creating new service account with same permission as per previous account, its working. I don't know whats wrong with previous account. May be some issue from service account.

Answer 2

You need to specify the credentials of the service account as a parameter of the BigQueryClient constructor.

You can do it with the keyFilePath parameter:

$bigQuery = new BigQueryClient([
            'projectId' => 'project-xxx',
            'keyFilePath' => '/path/to/file.json'   
        ]);

Also, check with this command that you granted the permissions to the service account:

gcloud projects get-iam-policy yourProjectID

EDIT:

Let's take a different approach creating a service account and granting permissions to it from scratch.

1. Create new service account:

   gcloud iam service-accounts create [NAME]

2. Grant the permissions:

gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/bigquery.admin"

3. Create credentials file:

gcloud iam service-accounts keys create [FILE_NAME].json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com

4. Add the path of this file to the BigQueryClient contructor and run your code.