Prior to running my Nextflow pipeline, I'm setting my GCP service account credentials via $GOOGLE_APPLICATION_CREDENTIALS, as stated in the Nextflow docs.
For the sake of this issue, my service account is nextflow@XXX.iam.gserviceaccount.com.
However, when I run my Nextflow pipeline, I get the following error:
```
Caused by:
PERMISSION_DENIED: caller does not have access to act as the specified service account: "default@XXX.gserviceaccount.com"
```
For the sake of this issue, default@XXX.gserviceaccount.com refers to the "default" service account that I was previously using, but I switched to nextflow@XXX.iam.gserviceaccount.com, which has more restricted permissions.
I've double-checked, and $GOOGLE_APPLICATION_CREDENTIALS is set to nextflow@XXX.iam.gserviceaccount.com. I've also tried on multiple machines (local and a GitHub Codespace). In both cases, setting $GOOGLE_APPLICATION_CREDENTIALS to nextflow@XXX.iam.gserviceaccount.com still results in an error message pointing to default@XXX.gserviceaccount.com.
I've also tried using gcloud auth activate-service-account to set the service account to nextflow@XXX.iam.gserviceaccount.com (along with $GOOGLE_APPLICATION_CREDENTIALS), but I'm still getting the same permissions error.
Expected behavior and actual behavior
Changing the GCP service account via the $GOOGLE_APPLICATION_CREDENTIALS environment variable should actually change the service account, and not result in a PERMISSION_DENIED error for a different service account.
Environment
Nextflow version: 23.10.0
Java version: openjdk version "21-internal" 2023-09-19
The error message appears to be a result of insufficient IAM permissions for my nextflow@XXX.iam.gserviceaccount.com service account.
If so, the error message is very misleading, since the message is referring to the wrong service account.
Currently, the Nextflow GCP docs do not include info on what IAM permissions are needed for the service account used. It would be helpful to include the permissions (roles) required:

- roles/batch.jobsEditor (Batch Job Editor)
- roles/batch.agentReporter (Batch Agent Reporter)
- roles/iam.serviceAccountUser (Service Account User)
- roles/logging.logWriter (Logs Writer)
- roles/storage.objectAdmin (Cloud Storage access)
- roles/artifactregistry.reader (only needed if pulling Docker containers from the GCP Artifact Registry)
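The following is an added example, not code from the Nextflow project or from the issue author, showing how the roles listed in the comment above would be granted with gcloud. The project ID and the two service account names are placeholders (assumptions). The error quoted in the issue ("caller does not have access to act as the specified service account") is the actAs check on the service account the Batch jobs run as, which is why roles/iam.serviceAccountUser is granted on that job service account's own IAM policy here (least privilege) rather than project-wide; the remaining roles are project-level bindings. The script prints the commands by default (DRY_RUN=1) and only runs them when DRY_RUN=0; the key_email helper reads client_email out of a JSON key file so you can confirm which identity $GOOGLE_APPLICATION_CREDENTIALS actually points to, which is the first thing to check when the error names an unexpected account.

```shell
#!/usr/bin/env sh
# Added example (not from the Nextflow project or the issue author).
# PROJECT_ID, NF_SA and JOB_SA are placeholder assumptions; override via environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
# Service account that submits the pipeline (the one GOOGLE_APPLICATION_CREDENTIALS holds).
NF_SA="${NF_SA:-nextflow@${PROJECT_ID}.iam.gserviceaccount.com}"
# Service account the Batch job VMs run as (the Compute Engine default unless configured).
JOB_SA="${JOB_SA:-default@${PROJECT_ID}.gserviceaccount.com}"
# Safe default: print the gcloud commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"
# Set to 1 only if containers are pulled from Artifact Registry.
PULL_FROM_ARTIFACT_REGISTRY="${PULL_FROM_ARTIFACT_REGISTRY:-0}"

# Project-level roles from the list in the issue comment.
PROJECT_ROLES="roles/batch.jobsEditor roles/batch.agentReporter roles/logging.logWriter roles/storage.objectAdmin"
if [ "$PULL_FROM_ARTIFACT_REGISTRY" = "1" ]; then
  PROJECT_ROLES="$PROJECT_ROLES roles/artifactregistry.reader"
fi

# Echo the command when dry-running, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Bind each project-level role to the submitting service account.
grant_project_roles() {
  for role in $PROJECT_ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$NF_SA" --role="$role"
  done
}

# roles/iam.serviceAccountUser carries iam.serviceAccounts.actAs, which is what the
# "act as the specified service account" error checks. Granting it on the job
# service account resource (not the whole project) limits NF_SA to that one identity.
grant_act_as() {
  run gcloud iam service-accounts add-iam-policy-binding "$JOB_SA" \
    --member="serviceAccount:$NF_SA" --role=roles/iam.serviceAccountUser
}

# Print the client_email from a service account JSON key file, so the caller
# identity can be verified without calling any Google API.
key_email() {
  sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] && [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
  echo "Caller identity in key file: $(key_email "$GOOGLE_APPLICATION_CREDENTIALS")"
fi
grant_project_roles
grant_act_as
```

Run it once with the defaults to review the exact bindings, then again with DRY_RUN=0 to apply them. If the email printed from the key file is not the account you expect, the credentials are the problem; if it is, the missing piece is almost always the actAs binding on the job service account, which is the account the error message names.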