Closed jkobject closed 3 years ago
We've definitely seen this exact issue before (https://github.com/broadinstitute/gatk/issues/6349, https://github.com/broadinstitute/gatk/pull/6594) and it was caused by the lack of correct permissions. The existing roles are very confusing. Make sure you actually have the storage.buckets.get
role set. It's a feature of Storage Legacy Bucket Reader
and not part of Storage Legacy Object Reader
or Storage Viewer
. Check that your service account definitely has that role for the appropriate bucket.
Yes I know but still, I gave it Storage Legacy Bucket Reader access to both buckets.... Is it possible it can come from the gs://gcp-public-data--gnomad or gs://genomics-public-data buckets?
Interesting, it's definitely possible it's coming from one of the other buckets. I don't think we have fine grained control over WHICH bucket we attempt to read requester pays status from, so it's possible if it's enabled it's necessary to have that permission on every bucket. It's annoying that the error message doesn't say which reader is performing the access. Is there a longer stack trace available?
I can confirm it was due to "gs://gcp-public-data--gnomad" not giving the correct authorization.. I had to copy the file in my own workspace.
It seems pretty problematic as it is the recommended file to run the workflow with...
there is more to the stack trace but no information about which file/bucket is the problematic one..
it worked, now I am back on another error I had already seen before: #7494
Hi,
Using GATK mutect2's wdl file on Terra (version 21 on agora) I keep getting the same error: "pet-102022583875839491351@broad-firecloud-ccle.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket"
Here is part of the stacktrace :
This happens while it runs the command:
But I gave read (both regular and legacy) access to gs://cclebams (this is a requester pays bucket).
This was done on GATK 4.2.2 docker.
Best,