I am in a google cloud service project which is attached to a host subnet.
I have verified that it's possible to use the subnet to make simple Compute Engine VMs.
However, when I attempt to create a dataproc cluster I am unable to. I can confirm that in the service project (my project where dataproc is attempted to be created), my Service Accounts have the correct roles necessary. The same can be said for the corresponding host project hosting the subnet, whereby the service accounts have compute network user roles also.
Here are the SAs:
1: A power user on the command line who has access to all necessary roles. I have passed in a purpose-built SA with dataproc worker and compute network user.
2: Default compute agent service account (project-id-compute@developer.gserviceaccount.com), configured to have compute network user and dataproc worker. (It has network user in the host subnet project as well.)
3: The Google APIs Service Agent (project-id@cloudservices.gserviceaccount.com), which has an editor role in the service project AND in the host subnet project.
Despite all these permissive role promotions in these projects we continually get the following error:
ERROR: (gcloud.dataproc.clusters.create) Operation [projects/my-project/regions/my-consistent-region/operations/my-operation] failed: Required 'compute.subnetworks.use' permission for 'projects/host-project/regions/my-consistent-region/subnetworks/snet-my-snet'.
The errors and logs do not show which IAM principal is affected here, though. I have tried dataproc's --service-account flag, but I do not think this has any role in it. The service agent and default compute agent also have permissive role bindings.
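The error above names the permission (compute.subnetworks.use) but not the principal that lacked it, so a useful first step is to dump the IAM policy of the host-project subnet and of the host project itself and check, per candidate principal, which bindings actually carry that permission. The following is an added example, not code from the original post or from Google: it assumes the two policies were exported with `gcloud compute networks subnets get-iam-policy` and `gcloud projects get-iam-policy` (`--format=json`), and it uses constructed sample policies in that shape. The project names come from the question; the service-account addresses, the PROJECT_NUMBER placeholder, and the conditional binding are constructed. It also goes slightly beyond the question by treating conditional bindings separately, since a role granted under an IAM condition may not apply at cluster-creation time.

```python
"""Report which principals hold compute.subnetworks.use on a Shared VPC subnet.

Added example (not from the original post). Assumes policy JSON as produced by:
  gcloud compute networks subnets get-iam-policy SNET --region REGION \
      --project HOST_PROJECT --format=json
  gcloud projects get-iam-policy HOST_PROJECT --format=json
"""
import json

# Predefined roles that include the compute.subnetworks.use permission.
# roles/compute.networkUser is the least-privilege choice for this purpose.
ROLES_WITH_SUBNET_USE = {
    "roles/compute.networkUser",
    "roles/compute.admin",
    "roles/editor",
    "roles/owner",
}

# Constructed sample data (placeholder addresses; PROJECT_NUMBER is a stand-in).
SUBNET_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/compute.networkUser",
     "members": ["serviceAccount:dataproc-worker@my-project.iam.gserviceaccount.com"]}
  ], "etag": "BwXconstructed=", "version": 1}""")

HOST_PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/compute.networkUser",
     "members": ["serviceAccount:project-id-compute@developer.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:project-id@cloudservices.gserviceaccount.com"]},
    {"role": "roles/compute.networkUser",
     "members": ["serviceAccount:service-PROJECT_NUMBER@dataproc-accounts.iam.gserviceaccount.com"],
     "condition": {"title": "constructed-condition",
                   "expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}}
  ], "etag": "BwYconstructed=", "version": 3}""")

CANDIDATES = [
    "serviceAccount:dataproc-worker@my-project.iam.gserviceaccount.com",
    "serviceAccount:project-id-compute@developer.gserviceaccount.com",
    "serviceAccount:project-id@cloudservices.gserviceaccount.com",
    "serviceAccount:service-PROJECT_NUMBER@dataproc-accounts.iam.gserviceaccount.com",
]


def grants_from_policy(policy, scope):
    """Map member -> [(scope, role)] for bindings whose role carries
    compute.subnetworks.use. Conditional bindings get a 'conditional:' prefix
    on the scope because they may not apply when the cluster is created."""
    grants = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in ROLES_WITH_SUBNET_USE:
            continue
        where = f"conditional:{scope}" if binding.get("condition") else scope
        for member in binding.get("members", []):
            grants.setdefault(member, []).append((where, role))
    return grants


def subnet_use_report(candidates, subnet_policy, host_project_policy):
    """Return {member: [(scope, role), ...]} for each candidate. Subnet-level
    grants are listed first, then host-project-level ones (which are inherited)."""
    grants = grants_from_policy(subnet_policy, "subnet")
    for member, entries in grants_from_policy(host_project_policy, "host-project").items():
        grants.setdefault(member, []).extend(entries)
    return {member: grants.get(member, []) for member in candidates}


def missing_subnet_use(candidates, subnet_policy, host_project_policy):
    """Candidates with no unconditional grant at either level, sorted."""
    report = subnet_use_report(candidates, subnet_policy, host_project_policy)
    return sorted(
        member for member, entries in report.items()
        if not any(not scope.startswith("conditional:") for scope, _ in entries)
    )


if __name__ == "__main__":
    for member, entries in subnet_use_report(CANDIDATES, SUBNET_POLICY, HOST_PROJECT_POLICY).items():
        print(member, "->", entries or "NO GRANT")
    print("missing unconditional compute.subnetworks.use:",
          missing_subnet_use(CANDIDATES, SUBNET_POLICY, HOST_PROJECT_POLICY))
```

In the constructed data the only principal reported as missing is the one whose sole grant is conditional, which is the kind of gap a plain "does it have the role" check overlooks; against real exports, replace the sample JSON with the two `gcloud` dumps and list every principal that might be involved in the create call.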