GCP Pubsub Bigquery Subscriptions - can't create due to missing permissions
I get an error (in red, in picture below) whilst creating pubsub Bigquery subscription. Error shows up in subscription creation view:
First question - why is this error appears in the first place?
One of my attempts to solve this was to try to first create standard subscription, then add these missing permissions by assigning a role using such command:
gcloud pubsub subscriptions add-iam-policy-binding EventIngestSubscription-4475d78 --member=serviceAccount:[email protected] --role="roles/roles/bigquery.dataEditor", but this produces ERROR: (gcloud.pubsub.subscriptions.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/bigquery.dataEditor is not supported for this resource. error.
When I tried to set pubsub.subscriber roles instead of bigquery.admin - it worked.
Thanks a lot on any insights and suggestions on how to create a Bigquery Subscription. Am really stuck with this one...
The permission that needs to be set is not on the subscription, it is on the BigQuery table itself. Therefore, you are not going to be able to set the BigQuery permissions on the subscription. Instead, you need to ensure that the service account has roles/bigquery.dataEditor on the table you are using with the subscription. You can do this with the bq command-line tool:
bq add-iam-policy-binding --member="serviceAccount:service-<project number>@gcp-sa-pubsub.iam.gserviceaccount.com" --role=roles/bigquery.dataEditor -t "<dataset>.<table>"
This permission is needed so that Pub/Sub can write to BigQuery on your behalf.
- Terraform - GCP - Import project IAM member
- Getting random "User not found in file /etc/passwd" error on Cloud Run Job
- Change time format in GCP Logs Explorer
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Deploying a pelican site to Google Cloud Run with Dockerfile not working
- Is there a good explanation of resource labels versus metric labels?
- Why do I set the resource type when writing the metric but not when creating a descriptor?
- google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)
- GA4 Data Not Retained for More Than 60 Days Despite BigQuery Table Expiration Set to 'Never
- How to list all enabled API services for Google Cloud Platform project
- Google Cloud calendar API connection error
- Downloading a folder from cloud storage in GitHub action and move it inside a docker container is not working
- How to fix CloudRun error 'The request was aborted because there was no available instance'
- Google Cloud Build with Dockerfile and copy files
- Firebase CLI console: Cannot find module @google-cloud/tasks
- Does Cloud SQL have a query console or is CLI the only option?
- How to use Google Cloud Shell with the new Windows Terminal
- Why does GKE kubernetes cluster need a version?
- Unable to Read Mounted GCSFuse Directory After Adding --implicit-dirs Option
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)
- Connection between Private GKE and Cloud SQL
- Kubernetes cluster architecture
- Validating PubSub message against AVRO JSON schema with multiple union types
- Can i run cloud run jobs locally
- How to log SSL/TLS Handshake details on Google Cloud Load Balancer
- Utilizing Gemini: Through Vertex AI or through Google/generative-ai?
- How to use Puppeteer in 2nd gen Cloud Functions?
- GCP Logging: who created a Project?
- Connection broken: IncompleteRead in Google Cloud Run
- How do I query firestore data that is inside collections in said document?