1

I have a problem running a job in Google Dataprep.

I set up a connection through an external database on Google SQL. In BigQuery I imported the database connection. In Google Dataprep I selected the table to do some operations. I tried to create a very simple flow by joining two tables. After that, I ran the job. By doing the first "tour" I ran a test job and it worked properly. I can't get it working, although the account is owner. I've tried with another account to which I gave owner permissions.

The error code I see in the job run logs is:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Access Denied: Project nameproject: User does not have bigquery.jobs.create permission in project nameprogect.",
    "reason" : "accessDenied"
  } ],
  "message" : "Access Denied: Project nameproject: User does not have bigquery.jobs.create permission in project nameproject.",
  "status" : "PERMISSION_DENIED"
}

PS: I'm not working with the API but directly in the Google Dataprep panel.

I checked the Google documentation but I didn't find much, besides the fact that to run the jobs you have to be the owner of the project.

My user has the User permission of BigQuery, "Access to run jobs".

Thank you for the help.

Matteo

2 Answers

2

bigquery.jobs.create is a role assigned to:

  • BigQuery Admin
  • BigQuery Job User
  • BigQuery User

You'll need to assign one of these roles to the account running the tasks to proceed past this error. You can go to IAM & Admin > Roles in the GCP panel to look at which roles are assigned to particular titles, a handy way to see which levels you may need to grant.

Ben P
  • Thanks for your answer. In IAM, by checking my user I gave BigQuery Job User, BigQuery User and BigQuery Admin. Actually in the rules tab next to members, I see my user assigned to those services. I tried to do another run job but it fails in the same way – Matteo Mangia Feb 03 '20 at 10:42
  • If this is the case, then the job must be running on a different user account? Are you certain you are running it on the user with these permissions? – Ben P Feb 03 '20 at 11:04
  • Yes, in IAM > Members, I see my user with these permissions: BigQuery Admin, BigQuery Job User, BigQuery User, Dataflow Worker, Owner. I was reading this documentation: https://cloud.google.com/dataprep/docs/concepts/iam . I don't seem to have ever approved Trifacta for the project. However, the first owner of the project has the same problem. In theory, being owner, I shouldn't assign myself other permissions, I should have access to everything. Is there a Google command line way of figuring out what the problem might be? – Matteo Mangia Feb 03 '20 at 11:14
0

The bigquery.jobs.create permission has to be assigned to the compute service account PROJECT_NUMBER-compute@developer.gserviceaccount.com.

Try to add to that service account the permissions:

  • Storage/Storage Object Viewer
  • BigQuery/BigQuery User

You can do it by going to the Hamburger Menu in the Console > IAM & Admin > IAM and clicking on the pencil icon at the right side of the service account.

Enrique Zetina
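The check the two answers point to, as an added example that is not part of either answer: given a project IAM policy (the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints), it reports whether the human user and the compute service account each hold one of the three roles the first answer lists. The function names, the project number, the e-mail address and the sample policy are constructed for illustration.

```python
# Roles the first answer lists as carrying bigquery.jobs.create.
# Other roles may carry it as well; this check covers only these three.
JOB_CREATE_ROLES = {"roles/bigquery.admin", "roles/bigquery.jobUser",
                    "roles/bigquery.user"}

def compute_sa(project_number):
    """Member string for the compute service account named in the second answer."""
    return f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"

def roles_of(policy, member):
    """Split a member's roles into unconditional and conditional bindings."""
    plain, conditional = [], []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            (conditional if "condition" in binding else plain).append(binding["role"])
    return sorted(plain), sorted(conditional)

def audit(policy, project_number, user_email):
    """Per identity: roles held and whether one of them is a job-creating role."""
    report = {}
    for member in (f"user:{user_email}", compute_sa(project_number)):
        plain, conditional = roles_of(policy, member)
        report[member] = {
            "roles": plain,
            # Conditional grants are listed but not counted: they may not apply.
            "conditional_roles": conditional,
            "can_create_jobs": bool(JOB_CREATE_ROLES & set(plain)),
        }
    return report

# Constructed sample policy: the user holds the roles from the comment thread,
# the compute service account holds only Dataflow Worker.
SAMPLE_SA = compute_sa("123456789012")
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:analyst@example.com"]},
    {"role": "roles/bigquery.admin", "members": ["user:analyst@example.com"]},
    {"role": "roles/bigquery.jobUser", "members": ["user:analyst@example.com"]},
    {"role": "roles/bigquery.user", "members": ["user:analyst@example.com"]},
    {"role": "roles/dataflow.worker",
     "members": ["user:analyst@example.com", SAMPLE_SA]},
]}

if __name__ == "__main__":
    result = audit(SAMPLE_POLICY, "123456789012", "analyst@example.com")
    for member, info in result.items():
        verdict = "OK" if info["can_create_jobs"] else "MISSING a job-creating role"
        print(f"{member}: {verdict}; roles={info['roles']}")
```

On the sample policy the user passes and the service account does not, which matches the situation in the question: the identity that lacks the role is not the one shown as Owner.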