nick-youngblut opened this issue 10 months ago
The error message appears to be a result of insufficient IAM permissions for my `nextflow@XXX.iam.gserviceaccount.com` service account. If so, the error message is very misleading, since the message is referring to the wrong service account.

Currently, the Nextflow GCP docs do not include info on what IAM permissions are needed for the service account used. It would be helpful to include the permissions (roles) required:

- `roles/batch.jobsEditor`
- `roles/batch.agentReporter`
- `roles/iam.serviceAccountUser`
- `roles/logging.logWriter`
- `roles/storage.objectAdmin`
- `roles/artifactregistry.reader`
Bug report

Prior to running my Nextflow pipeline, I'm setting my GCP service account credentials via `$GOOGLE_APPLICATION_CREDENTIALS`, as stated in the Nextflow docs. For the sake of this issue, my service account is `nextflow@XXX.iam.gserviceaccount.com`. However, when I run my Nextflow pipeline, I get the following error:

For the sake of this issue, `default@XXX.gserviceaccount.com` refers to the "default" service account that I was previously using, but I switched to `nextflow@XXX.iam.gserviceaccount.com`, which has more restricted permissions. I've double-checked, and `$GOOGLE_APPLICATION_CREDENTIALS` is set to `nextflow@XXX.iam.gserviceaccount.com`. I've also tried on multiple machines (local and GitHub Codespaces). In both cases, setting `$GOOGLE_APPLICATION_CREDENTIALS` to `nextflow@XXX.iam.gserviceaccount.com` still results in an error message pointing to `default@XXX.gserviceaccount.com`. I've also tried using `gcloud auth activate-service-account` to set the service account to `nextflow@XXX.iam.gserviceaccount.com` (along with `$GOOGLE_APPLICATION_CREDENTIALS`), but I'm still getting the same permissions error.

Expected behavior and actual behavior

Changing the GCP service account via the `$GOOGLE_APPLICATION_CREDENTIALS` environment variable should actually change the service account, and not result in a `PERMISSION_DENIED:` error for a different service account.

Environment
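A diagnostic for the two things this thread turns on, added here as an example; it is not code from the issue or from the Nextflow project. `GOOGLE_APPLICATION_CREDENTIALS` holds the path of a credentials JSON file, and the principal that file authenticates as is its `client_email` field, so reading that field back shows which service account a run will actually use, independently of what `gcloud auth` is configured with. The second check takes a project IAM policy as printed by `gcloud projects get-iam-policy PROJECT --format=json` and reports which of the roles listed in the comment above the service account still lacks. The key file and policy embedded below are constructed sample data (the project id `XXX` is the placeholder used in the issue), and the function names (`credential_identity`, `missing_roles`, `diagnose`) are this example's own.

```python
"""Offline diagnostic (added example, not Nextflow code): which service account
does the ADC key file identify, and which required IAM roles does it lack?"""
import json
import os
from typing import Dict, List, Optional, Set

# Roles listed in the comment above as needed by Nextflow's Google Batch executor.
REQUIRED_ROLES: Set[str] = {
    "roles/batch.jobsEditor",
    "roles/batch.agentReporter",
    "roles/iam.serviceAccountUser",
    "roles/logging.logWriter",
    "roles/storage.objectAdmin",
    "roles/artifactregistry.reader",
}


def credentials_path(env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Path the ADC environment variable points to, or None if unset/empty."""
    env = os.environ if env is None else env
    return env.get("GOOGLE_APPLICATION_CREDENTIALS") or None


def credential_identity(key_file_json: str) -> str:
    """Service-account e-mail a key file authenticates as.

    Only "service_account" files carry a client_email; an "authorized_user"
    file (from `gcloud auth login`) identifies a human and is rejected so the
    caller cannot mistake one for the other."""
    data = json.loads(key_file_json)
    if data.get("type") != "service_account":
        raise ValueError(f"not a service-account key file (type={data.get('type')!r})")
    return data["client_email"]


def roles_for_member(policy_json: str, member: str) -> Set[str]:
    """Roles bound unconditionally to `member` (IAM syntax, e.g.
    "serviceAccount:nextflow@XXX.iam.gserviceaccount.com") in a project policy.
    Conditional bindings are skipped: they only apply while the condition holds."""
    policy = json.loads(policy_json)
    roles: Set[str] = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy_json: str, sa_email: str) -> List[str]:
    """Required roles the account does not hold directly. Basic roles such as
    roles/editor are deliberately not expanded: for a least-privilege review,
    an account relying on them is still missing the granular grants."""
    held = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    return sorted(REQUIRED_ROLES - held)


def diagnose(key_file_json: str, policy_json: str) -> Dict[str, object]:
    """Run both checks for the identity named in the key file."""
    identity = credential_identity(key_file_json)
    return {"identity": identity, "missing": missing_roles(policy_json, identity)}


# --- constructed sample data (not real credentials or a real project) --------
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "XXX",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": "nextflow@XXX.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

NF = "serviceAccount:nextflow@XXX.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor", "members": ["serviceAccount:default@XXX.gserviceaccount.com"]},
        {"role": "roles/batch.jobsEditor", "members": [NF]},
        {"role": "roles/logging.logWriter", "members": [NF]},
        {"role": "roles/storage.objectAdmin", "members": [NF]},
        # Conditional grant: not counted as held, see roles_for_member().
        {"role": "roles/artifactregistry.reader", "members": [NF],
         "condition": {"title": "expired", "expression":
                       "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
    "etag": "BwX0000000=",
    "version": 3,
})

if __name__ == "__main__":
    print("GOOGLE_APPLICATION_CREDENTIALS ->", credentials_path())
    print(json.dumps(diagnose(SAMPLE_KEY_FILE, SAMPLE_POLICY), indent=2))
```

Run as-is it reports the sample account as `nextflow@XXX.iam.gserviceaccount.com` and lists the three roles it lacks (the conditional `artifactregistry.reader` grant is not counted). To check a real project, feed `open(credentials_path()).read()` and the output of `gcloud projects get-iam-policy PROJECT --format=json` to `diagnose`; if the reported identity is not the account you expect, the environment variable is pointing at the wrong key file, which is the first thing to rule out when an error names a different service account.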