PERMISSION_DENIED: caller does not have access to act as the specified service account:

[nick-youngblut]

Bug report

Prior to running my Nextflow pipeline, I'm setting my GCP service account credentials via $GOOGLE_APPLICATION_CREDENTIALS, as stated in the Nextflow docs.

For the sake of this issue, my service account is nextflow@XXX.iam.gserviceaccount.com.

However, when I run my Nextflow pipeline, I get the following error:

Caused by:
  PERMISSION_DENIED: caller does not have access to act as the specified service account: "default@XXX.gserviceaccount.com"

For the sake of this issue, default@XXX.gserviceaccount.com refers to the "default" service account that I was previously using, but I switched to nextflow@XXX.iam.gserviceaccount.com, which has more restricted permissions.

I've double checked, and $GOOGLE_APPLICATION_CREDENTIALS is set to nextflow@XXX.iam.gserviceaccount.com. I've also tried on multiple machines (local and Github codespace). In both cases, setting $GOOGLE_APPLICATION_CREDENTIALS to nextflow@XXX.iam.gserviceaccount.com still results in an error message pointing to default@XXX.gserviceaccount.com.

I've also tried using gcloud auth activate-service-account to set the service account to nextflow@XXX.iam.gserviceaccount.com (along with $GOOGLE_APPLICATION_CREDENTIALS), but I'm still getting the same permissions error.

Expected behavior and actual behavior

Changing the GCP service account via the $GOOGLE_APPLICATION_CREDENTIALS environmental variable should actually change the service account, and not result in a PERMISSION_DENIED: error for a different service account.

Environment

• Nextflow version: 23.10.0
• Java version: openjdk version "21-internal" 2023-09-19
• Operating system: Ubuntu 22.04.3
• Bash version: 5.1.16(1)-release (x86_64-pc-linux-gnu)

[nick-youngblut]

The error message appears to be a result of insufficient IAM permissions for my nextflow@XXX.iam.gserviceaccount.com service account.

If so, the error message is very misleading, since the message is referring to the wrong service account.

Currently, the Nextflow GCP docs do not include info on what IAM permissions are needed for the service account used. It would be helpful to include the permissions (roles required:

• roles/batch.jobsEditor
  • Batch Job Editor
• roles/batch.agentReporter
  • Batch Agent Reporter
• roles/iam.serviceAccountUser
  • Service Account User
• roles/logging.logWriter
  • Logs Writer
• roles/storage.objectAdmin
  • Cloud Storage access
• roles/artifactregistry.reader
  • Only needed if pulling Docker containers from the GCP Artifact Registry