I faced a problem regarding dataset localization.
We configured the default GA360 to BigQuery export. It stored the data in a dataset created in the US (by default).
Then we decided to move this dataset to EU. We used this document for changing data localization: https://support.google.com/analytics/answer/7584198?hl=en&ref_topic=3416089#zippy=%2Cin-this-section%2Clocalizing-existing-exports
So I backed up the existing data, dropped the US dataset and created a dataset with the same ID in the EU.
Then we linked the GA view back to the BigQuery project. But during data export we started getting an error message like:
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7,
      "message": "IAM setPolicy failed for Dataset <PROJECT_NAME>:<VIEW_ID>: One or more users named in the policy do not belong to a permitted customer."
    },
    "authenticationInfo": {
      "principalEmail": "[email protected]"
    },
    "requestMetadata": {
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "bigquery.googleapis.com",
    "methodName": "datasetservice.insert",
    "authorizationInfo": [
      {
        "resource": "projects/<PROJECT_NAME>",
        "permission": "bigquery.datasets.create",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/<PROJECT_ID>/datasets",
    "serviceData": {
      "@type": "type.googleapis.com/google.cloud.bigquery.logging.v1.AuditData",
      "datasetInsertRequest": {
        "resource": {
          "datasetName": {
            "projectId": "<PROJECT_ID>",
            "datasetId": "<VIEW_ID>"
          },
          "info": {},
          "acl": {}
        }
      },
      "datasetInsertResponse": {
        "resource": {
          "datasetName": {},
          "info": {},
          "acl": {}
        }
      }
    },
    "resourceLocation": {
      "currentLocations": [
        "US"
      ]
    }
  },
  "insertId": "<INSERT_ID>",
  "resource": {
    "type": "bigquery_resource",
    "labels": {
      "project_id": "<PROJECT_NAME>"
    }
  },
  "timestamp": "2022-02-10T10:44:23.722901Z",
  "severity": "ERROR",
  "logName": "projects/<PROJECT_NAME>/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2022-02-10T10:44:24.043846681Z"
}
The message "IAM setPolicy failed for Dataset <PROJECT_NAME>:<VIEW_ID>: One or more users named in the policy do not belong to a permitted customer." basically means that our service account doesn't have permission to act on this dataset.
But if I drop this dataset from the EU and recreate it in the US, the relinking succeeds.
I was looking into constraints/iam.allowedPolicyMemberDomains, but if that were the cause, it would block actions on datasets in both the US and EU regions (not only on the EU one).
I would appreciate any help, Thanks!
So the issue was precisely the constraints/iam.allowedPolicyMemberDomains policy.
We tried the suggestions from the doc, but eventually we had to disable this policy.
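
One way to find these denials in exported Cloud Audit Logs, as an added example that is not part of the original posts: it matches the status code and message text from the log entry in the question and reports whether the IAM permission check in the same entry was granted, as it was there. The sample entries, project name, dataset ID and principal address are constructed.

```python
import re

# Error text from the audit log entry in the question (domain restricted sharing).
DRS_MARKER = "do not belong to a permitted customer"
DATASET_RE = re.compile(r"for Dataset (?P<ref>\S+): ")

def classify(entry):
    """Return a finding for an allowedPolicyMemberDomains denial, else None."""
    payload = entry.get("protoPayload", {})
    status = payload.get("status", {})
    message = status.get("message", "")
    if status.get("code") != 7 or DRS_MARKER not in message:
        return None
    match = DATASET_RE.search(message)
    checks = payload.get("authorizationInfo", [])
    return {
        "timestamp": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "method": payload.get("methodName"),
        "dataset": match["ref"] if match else None,
        "locations": payload.get("resourceLocation", {}).get("currentLocations", []),
        # True: every IAM permission check passed, so the caller held the role
        # and the request was rejected when the dataset policy was set.
        "iam_granted": bool(checks) and all(c.get("granted") for c in checks),
    }

def triage(entries):
    """Keep only the entries that classify() recognises."""
    return [f for f in map(classify, entries) if f is not None]

def _entry(code, message, granted):  # builds a constructed, trimmed log entry
    return {"timestamp": "2022-02-10T10:44:23Z", "protoPayload": {
        "status": {"code": code, "message": message} if code else {},
        "authenticationInfo": {"principalEmail": "exporter@example.invalid"},
        "methodName": "datasetservice.insert",
        "authorizationInfo": [{"permission": "bigquery.datasets.create", "granted": granted}],
        "resourceLocation": {"currentLocations": ["US"]}}}

# Constructed sample: one policy denial, one unrelated code 7, one success.
SAMPLE = [
    _entry(7, "IAM setPolicy failed for Dataset example-project:123456789: "
              "One or more users named in the policy do not belong to a permitted customer.", True),
    _entry(7, "Access Denied: constructed unrelated permission error", False),
    _entry(0, "", True),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```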