Closed juhawilppu closed 6 years ago
Hi, I see you've indeed created a service account and gotten a json file, but I'm not seeing how you're passing it to Cromwell.
Your configuration uses `application_default` as authentication mode, and you are logged in using your personal gmail it seems.
Did you use this json in any way?
To use the service account in Cromwell you'd want to either
1) (Recommended) Change your configuration to use the service account instead of application default. You can see how to do that here. It is slightly outdated, instead of `pem-file` use `json-file` and the path to your json.
2) You can keep application default and use `gcloud auth activate-service-account` to authenticate as the service account on your machine.
Also could you print the result of `gcloud auth list`?
I got it working now by setting the service-account in `google.conf`. Excellent, thanks for your help!
I was looking into the wrong place: I didn't realize that Cromwell did not find the account at all, I thought it just had a problem with access rights.
To answer your questions, I had set the environment variable
```
export GOOGLE_APPLICATION_CREDENTIALS=/Users/jwilppu/cromwell/project-test1-59b66448c3ab.json
```
by following these instructions https://cromwell.readthedocs.io/en/develop/tutorials/PipelinesApi101/ which has a link to this page https://cloud.google.com/docs/authentication/production .
The result of the command `gcloud auth list` is
```
Credentialed Accounts
ACTIVE ACCOUNT
* juha.wilppu@gmail.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
```
I have now removed the environment variable.
That's good to know thanks, looks like the docs need an update :) I'm going to close this ticket, don't hesitate to re-open it if you run into the same issue again.
Hmm, this seems a bit odd. The `application_default` authentication should still work with a service account, as long as the `$GOOGLE_APPLICATION_CREDENTIALS` variable is set, which @juhawilppu seems to have done here. I had this same issue, where my service account only worked once I used a `scheme = "service_account"`, but that seems like something is implemented wrongly.
I had the same issue. I got the same error message:
```
[2020-07-27 18:34:00,37] [error] PipelinesApiAsyncBackendJobExecutionActor [3d2d7a27wf_hello.hello:NA:1]: Error attempting to Execute
cromwell.engine.io.IoAttempts$EnhancedCromwellIoException: [Attempted 1 time(s)] - StorageException: xxx@xxx.iam.gserviceaccount.com does not have serviceusage.services.use access to the Google Cloud project.
Caused by: com.google.cloud.storage.StorageException: xxx@xxx.iam.gserviceaccount.com does not have serviceusage.services.use access to the Google Cloud project.
```
I had set up my credentials with:
```
export GOOGLE_APPLICATION_CREDENTIALS=sa.json
```
and had this configuration in `google.conf` copied from the tutorial:
```
google {
  application-name = "cromwell"
  auths = [
    {
      name = "application-default"
      scheme = "application_default"
    }
  ]
}
engine {
  filesystems {
    gcs {
      auth = "application-default"
      project = "xxx"
    }
  }
}
```
That clearly did not work. I tried to follow the logic in this post. I followed Horneth's suggestion to use `service-account`'s authorization and I took the auths configuration and changed `pem-file` to `json-file` in `google.conf` as follows:
```
google {
  application-name = "cromwell"
  auths = [
    {
      name = "service_account"
      scheme = "service_account"
      service-account-id = "xxx@xxx.iam.gserviceaccount.com"
      json-file = "sa.json"
    }
  ]
}
engine {
  filesystems {
    gcs {
      auth = "service_account"
      project = "xxx"
    }
  }
}
```
And I have replaced every other instance of `auth = "application-default"` with `auth = "service_account"`. Now when I run Cromwell:
```
java -Dconfig.file=google.conf -jar cromwell-52.jar run hello.wdl -i hello.inputs
```
I don't get the error anymore. I do get a different error:
```
[2020-07-27 22:54:56,48] [info] WorkflowManagerActor Workflow 0fb5e69d-7d70-407e-9fe2-bf7cb2b2c3e6 failed (during ExecutingWorkflowState): java.lang.Exception: Task wf_hello.hello:NA:1 failed. The job was stopped before the command finished. PAPI error code 7. Required 'compute.zones.list' permission for 'projects/xxx'
```
I don't know what this means.
If I remove `Requester pays` from the bucket I can get the WDL to work using `scheme = "application_default"`, as long as I do not export `GOOGLE_APPLICATION_CREDENTIALS` first. But if I use `Requester pays` on the bucket, using `scheme = "application_default"` causes error:
```
[2020-07-27 23:19:31,90] [info] WorkflowManagerActor Workflow 4c8a642a-19a6-486b-acad-e0adf3168820 failed (during ExecutingWorkflowState): java.lang.Exception: Task wf_hello.hello:NA:1 failed. The job was stopped before the command finished. PAPI error code 10. 15: Gsutil failed: failed to upload logs for "gs://xxx/cromwell-execution/wf_hello/4c8a642a-19a6-486b-acad-e0adf3168820/call-hello/": cp failed: gsutil -h Content-type:text/plain -q -m cp /var/log/google-genomics/*.log gs://xxx/cromwell-execution/wf_hello/4c8a642a-19a6-486b-acad-e0adf3168820/call-hello/, command failed: BadRequestException: 400 Bucket is requester pays bucket but no user project provided.
```
So I still have not found a way to run the WDL with `Requester pays` on. I wish Cromwell could give errors explaining what steps to take to solve the issue ... I know that with `gsutil` I can specify the user project with `-u xxx` but I have no idea how to do that with Cromwell.
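The comments above touch two separate credential stores: `gcloud auth list` reports the gcloud CLI's own accounts, while the `application_default` scheme relies on Application Default Credentials, which check `GOOGLE_APPLICATION_CREDENTIALS` first and then the file written by `gcloud auth application-default login`. The following is an added example (not code from Cromwell or from anyone in this thread) that reports, offline, which file and identity that lookup would select. The function name `resolve_adc` and the Linux/macOS well-known path are assumptions of the example.

```python
import json
import os
from pathlib import Path

# Linux/macOS location written by `gcloud auth application-default login`.
WELL_KNOWN = Path(".config/gcloud/application_default_credentials.json")


def resolve_adc(env=None, home=None, cwd=None):
    """Report which credential file ADC would load, without contacting Google."""
    env = os.environ if env is None else env
    home = Path(home) if home else Path.home()
    cwd = Path(cwd) if cwd else Path.cwd()
    notes = []

    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        path, source = Path(explicit), "GOOGLE_APPLICATION_CREDENTIALS"
        if not path.is_absolute():
            # A value such as "sa.json" depends on where the process is started.
            notes.append(f"relative path, resolved against {cwd}")
            path = cwd / path
        if not path.is_file():
            # The variable takes precedence even when it is wrong: no fall-through.
            return {"source": source, "type": None, "identity": None,
                    "notes": notes + [f"file not found: {path}"]}
    elif (home / WELL_KNOWN).is_file():
        path, source = home / WELL_KNOWN, "gcloud well-known file"
    else:
        return {"source": "metadata server (GCE/GKE only)", "type": None,
                "identity": None, "notes": ["no local credential file"]}

    data = json.loads(path.read_text())
    ctype = data.get("type")
    if ctype == "service_account":
        identity = data.get("client_email")
    else:
        # authorized_user files carry a refresh token but no e-mail address.
        identity = None
        notes.append("user credential; identity not stored in the file")
    return {"source": source, "type": ctype, "identity": identity, "notes": notes}


if __name__ == "__main__":
    print(json.dumps(resolve_adc(), indent=2))
```

Run it from the same shell and working directory used to start Cromwell, so the environment variable and any relative path resolve the same way.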
Two days ago I successfully ran my first wdl on Cromwell using the Google Pipelines API. Then I tried to change my service account and it broke. I'm not able to get it running anymore at all. Stacktrace can be seen below, the error is "Scopes not configured for service account."
stdout
I also tried on another computer and another GCP project just to verify that it is not a cache problem. I don't know what is wrong. Seems like the service account has a problem, but I did everything the same way as when it worked.
Some detailed information:
I have tried Cromwell 31.1 and 31.
I start Cromwell using this command
```
java -Dconfig.file=google.conf -jar cromwell-31.jar server
```
google.conf (I have changed the actual project name to generic "project")
I created the service account from https://cloud.google.com/docs/authentication/getting-started and gave it the role: Project -> Owner.
I've downloaded Google Cloud SDK and run these
project-test1-59b66448c3ab.json