Tags: java, google-cloud-platform, google-bigquery, google-iam

Google Cloud BigQuery Admin service account gets "does not have bigquery.jobs.create permission"


I'm new to Google Cloud & BigQuery. I reviewed the dozen other questions that seem to be related and have not seen what I'm missing from those answers. I'm trying to query a public dataset.

The error:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Access Denied: Project airy-advantage-235802: The user kafka-learning@airy-advantage-235802.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project airy-advantage-235802.",
    "reason" : "accessDenied"
  } ],
  "message" : "Access Denied: Project airy-advantage-235802: The user kafka-learning@airy-advantage-235802.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project airy-advantage-235802."
}
    at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:150)
    at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
    at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:401)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1132)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:499)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:432)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:549)
    at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.create(HttpBigQueryRpc.java:183)

What I've done:

  1. Created new Google Cloud account
  2. Created new project, which Google assigned the project ID airy-advantage-235802, project name is Kafka Learning.
  3. Created a service account kafka-learning@airy-advantage-235802.iam.gserviceaccount.com
  4. Granted that user the BigQuery Admin role within the project (I originally tried BigQuery User and BigQuery Data Viewer)
  5. I saved the JSON credentials file to a local folder
  6. I set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path to the JSON file
  7. I have a tiny Java project to query a public dataset
  8. Received above error
  9. Verified billing is enabled (as far as I can tell, see below)

Is there a step I missed?

[Screenshots: Google Cloud Project setup; Service Account Setup]

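import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.QueryJobConfiguration;

// Uses the credentials that GOOGLE_APPLICATION_CREDENTIALS points to
var bigquery = BigQueryOptions.getDefaultInstance().getService();
var query = "SELECT * FROM `bigquery-public-data.google_analytics_sample.ga_sessions_20160801` LIMIT 10";
var queryConfig = QueryJobConfiguration.newBuilder(query).build();
var table = bigquery.query(queryConfig);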

I've also tried explicitly setting the project id (which is also in the json file) by changing the builder to this:

var bigquery = BigQueryOptions.newBuilder().setProjectId("airy-advantage-235802").build().getService();

Solution

  • This usually happens when you delete a service account and create one with the same name, as the "new" service account may have old role bindings attached to it. Thus, you could:

    • Use a new service account
    • Explicitly remove any bindings granting that role to the service account
    • Re-grant those roles to the "new" service account.

    For more information, you could check this link

    Hope it helps.
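
One way to check for the situation the answer describes, as an added example that is not part of the original question or answer: it audits a project IAM policy for bindings that still point at a deleted service account identity and builds the remove and re-grant commands. It relies on IAM listing recently deleted members as `deleted:serviceAccount:EMAIL?uid=ID`, which is not stated on this page; the policy below is constructed (the uid is made up), the role set is a partial list, and `audit` and `remediation` are hypothetical helper names.

```python
import json

# Predefined roles known to include bigquery.jobs.create (partial list, an assumption).
JOB_CREATE_ROLES = {"roles/bigquery.admin", "roles/bigquery.user",
                    "roles/bigquery.jobUser", "roles/owner", "roles/editor"}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`; the uid is made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/bigquery.admin",
   "members": ["deleted:serviceAccount:kafka-learning@airy-advantage-235802.iam.gserviceaccount.com?uid=100000000000000000001"]},
  {"role": "roles/bigquery.dataViewer",
   "members": ["serviceAccount:kafka-learning@airy-advantage-235802.iam.gserviceaccount.com"]}
]}
""")


def audit(policy, email):
    """Split the roles bound to `email` into live and stale (deleted-identity) bindings."""
    live_member = f"serviceAccount:{email}"
    stale_prefix = f"deleted:serviceAccount:{email}?uid="
    live, stale = set(), []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member == live_member:
                live.add(binding["role"])
            elif member.startswith(stale_prefix):
                stale.append((binding["role"], member))
    return {"live": live, "stale": stale,
            "can_create_jobs": bool(live & JOB_CREATE_ROLES)}


def remediation(project, email, result):
    """Build gcloud commands: drop each stale binding, then re-grant the role if missing."""
    cmds = []
    for role, member in result["stale"]:
        cmds.append(f"gcloud projects remove-iam-policy-binding {project} "
                    f"--member='{member}' --role='{role}'")
        if role not in result["live"]:
            cmds.append(f"gcloud projects add-iam-policy-binding {project} "
                        f"--member='serviceAccount:{email}' --role='{role}'")
    return cmds


if __name__ == "__main__":
    sa = "kafka-learning@airy-advantage-235802.iam.gserviceaccount.com"
    res = audit(SAMPLE_POLICY, sa)
    print("live roles:", sorted(res["live"]), "| can create jobs:", res["can_create_jobs"])
    print("\n".join(remediation("airy-advantage-235802", sa, res)))
```

In the constructed policy the BigQuery Admin binding belongs to the deleted identity, so the live account holds only Data Viewer and cannot create jobs even though the console role list would look correct.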