
PERMISSION_DENIED: caller does not have access to act as the specified service account: #4603

Open
nick-youngblut opened this issue Dec 19, 2023 · 1 comment

Comments

@nick-youngblut
Contributor

Bug report

Prior to running my Nextflow pipeline, I'm setting my GCP service account credentials via $GOOGLE_APPLICATION_CREDENTIALS, as stated in the Nextflow docs.

For the sake of this issue, my service account is nextflow@XXX.iam.gserviceaccount.com.

However, when I run my Nextflow pipeline, I get the following error:

Caused by:
  PERMISSION_DENIED: caller does not have access to act as the specified service account: "default@XXX.gserviceaccount.com"

For the sake of this issue, default@XXX.gserviceaccount.com refers to the "default" service account that I was previously using, but I switched to nextflow@XXX.iam.gserviceaccount.com, which has more restricted permissions.

I've double checked, and $GOOGLE_APPLICATION_CREDENTIALS is set to nextflow@XXX.iam.gserviceaccount.com. I've also tried on multiple machines (local and Github codespace). In both cases, setting $GOOGLE_APPLICATION_CREDENTIALS to nextflow@XXX.iam.gserviceaccount.com still results in an error message pointing to default@XXX.gserviceaccount.com.

I've also tried using gcloud auth activate-service-account to set the service account to nextflow@XXX.iam.gserviceaccount.com (along with $GOOGLE_APPLICATION_CREDENTIALS), but I'm still getting the same permissions error.

Expected behavior and actual behavior

Changing the GCP service account via the $GOOGLE_APPLICATION_CREDENTIALS environmental variable should actually change the service account, and not result in a PERMISSION_DENIED: error for a different service account.

Environment

  • Nextflow version: 23.10.0
  • Java version: openjdk version "21-internal" 2023-09-19
  • Operating system: Ubuntu 22.04.3
  • Bash version: 5.1.16(1)-release (x86_64-pc-linux-gnu)
@nick-youngblut
Contributor Author

The error message appears to be a result of insufficient IAM permissions for my nextflow@XXX.iam.gserviceaccount.com service account.

If so, the error message is very misleading, since the message is referring to the wrong service account.

Currently, the Nextflow GCP docs do not include info on what IAM permissions are needed for the service account used. It would be helpful to include the permissions (roles) required:

  • roles/batch.jobsEditor
    • Batch Job Editor
  • roles/batch.agentReporter
    • Batch Agent Reporter
  • roles/iam.serviceAccountUser
    • Service Account User
  • roles/logging.logWriter
    • Logs Writer
  • roles/storage.objectAdmin
    • Cloud Storage access
  • roles/artifactregistry.reader
    • Only needed if pulling Docker containers from the GCP Artifact Registry
