stackoom
  简体   繁体   中英

BQ Schedule Queries with Deployment Manager: “P4 service account needs iam.serviceAccounts.getAccessToken permission”

 原文  2019-09-25 05:27:38       google-cloud-platform/ google-bigquery/ schedule/ data-transfer/ google-deployment-manager

Question

I'm trying to create a deployment manager template for bigquery data transfer to initiate a scheduled query. I've created a type provider for transfer configs and when I call the type provider for a scheduled query, I get the following error: "P4 service account needs iam.serviceAccounts.getAccessToken permission."

However, I've already given it 'Service Account Token Creator' permission on with "gcloud project add-iam-policy-binding.." How else would I be able to solve this?

Type Provider:

- name: custom-type-provider
  type: deploymentmanager.v2beta.typeProvider
  properties:
    descriptorUrl: "https://bigquerydatatransfer.googleapis.com/$discovery/rest?version=v1"
    options:
      inputMappings:
      - fieldName: Authorization
        location: HEADER
        value: >
          $.concat("Bearer ", $.googleOauth2AccessToken())

Calling the type provider:

- name: test
  type: project_id:custom-type-provider:projects.transferConfigs
  properties:
    parent: project/project_id
    ..
    ..

1 answers

solution1
 0  2019-09-26 13:42:12

I think you've hit a limitation on Scheduled Queries, where you have to use user accounts instead of service accounts in order to do the queries.

There is a feature request to allow service accounts to act on behalf for this particular action.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required Permission 'iam.serviceaccounts.actAs' denied on service account when deploying on cloud run iam.serviceAccounts.getIamPolicy is required to perform this operation on service account (GCP, Terraform) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on (Terraform, GCP) Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account projects/myproject-17 GCP grant a service account permission to write in a GCS bucket with Deployment Manager Unable to assign iam.serviceAccounts.signBlob permission Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error How to add IAM policy binding to a service account using Google Cloud Deployment Manager? why service account user role(roles/iam.serviceAccountUser) is not required when creating resources with deployment manager template?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM