Bigquery: "User does not have bigquery.jobs.create permission" with roles/bigquery.admin
Background: I have been developing a backend for the last few days and would like to push some analytic data to BigQuery using a cloud function triggered by Firestore. I am using Terraform for the deployment.
Problem: The python script works locally with my user account (owner) without any problems. But when I use the cloud function, it cannot perform a query. For some reason, the insert works, but the query does not. I always get the error User does not have bigquery.jobs.create permission and an exception is thrown, even though the function service account has the permission "roles/bigquery.admin" in the same project.
However, this works (python):
errors = client.insert_rows_json(table_id_users, user_data)
But this does not:
query = f"SELECT user_id FROM `project-xyz.analytics.users` WHERE user_id = '{user_id}'"
query_job = client.query(query)
result = list(query_job.result())
Terraform Code for the permissions:
resource "google_bigquery_dataset_iam_binding" "editor" {
dataset_id = google_bigquery_dataset.default.dataset_id
role = "roles/bigquery.admin"
members = [
"serviceAccount:${module.my_function_2.service_account_email}",
]
}
When I click on the permission settings on the BigQuery table, I can see that the service account is listed in the BigQuery-Administrator section, which should have the bigquery.jobs.create permission.
The service account logs also says that the user account has the permission "bigquery.jobs.create" but in the same log entry the error appears:
authorizationInfo: [
0: {
resource: "projects/project-xyz"
permission: "bigquery.jobs.create"
resourceAttributes: {0}
}
]
...
...
status: {
code: 7,
message: "Access Denied: Project higym-ecafb: User does not have bigquery.jobs.create permission in project project-xyz."
}
For me it looks like everything should be fine and my function has all the permissions to do a query (the insert works), but in the end it does not work.
I also noticed that the service account created with Terraform does not appear in the IAM view. Only on the service accounts page they are visible.
Is there anything else I can try? What are the next steps on how I can debug this problem? Maybe i have overlooked something fundamental.
Thank You for your help!
Edit: I found the problem. In teraform the role must be specified for iam and bigquery. Only one of them is not enough.
resource "google_bigquery_dataset_iam_member" "admin" {
dataset_id = google_bigquery_dataset.default.dataset_id
role = "roles/bigquery.admin"
member = "serviceAccount:${module.my_function_2.service_account_email}"
}
resource "google_project_iam_member" "admin" {
project = var.project_id
role = "roles/bigquery.admin"
member = "serviceAccount:${module.my_function_2.service_account_email}"
}
To work correctly, you have to be sure the service account that is admin of the BigQuery table, is also correctly assigned to the Cloud Function.
The Cloud Function should have the right to execute the needed action on your resources.
You can check that in the Cloud Function details tab :
- Create a new column of dictionaries where keys are in another column of lists, and values are found by looking up the keys in another column
- When I create an array of Numpy floats, I get an array of Python floats
- Download an image from image url
- Regarding good coding practices, what is meant by "Useless return at end of function and method"?
- Can the * (unpacking) operator be typed in Python? Or any other variadic args function such that all variadic types are in the result type?
- Why does using the GPU cause a slowdown when performing svd on a double-precision array?
- Python convert mm/dd/yyyy to yyyymmdd using date_format
- Python Webscraping: grequests vs. mult-threaded requests?
- With python sh module, how to preserve combined stdout and stderr?
- How to suppress py.test internal deprecation warnings
- Python: check for data type in list
- Why does inspect identify decorated methods as functions instead of methods in Python?
- Pycharm stopped displaying import errors
- Strange session behaviour with a Flask app on Heroku
- NameError: name 'Frame' is not defined (Python)
- Is there difference between _function and function?
- Does Python have an ordered set?
- Create JSON from CSV and add some header lines with Pandas
- How can I get the date from weeknr and year using strptime
- Python error with request post : 'Connection aborted, timeout('The write operation timed out')
- Why is this monkeypatch in pytest not working?
- Find common characters between two strings
- SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
- python equivalent to clojure's partition-all?
- python equivalent of java OutputStream?
- Python TimedRotatingFileHandler overwrites logs
- python 2.7 equivalent of built-in method int.from_bytes
- Getting all combinations of key/value pairs in a Python dict
- how to run a django python file from command line
- Why do I get this DBeaver error when importing data from a CSV file?