cloud spanner IAM permission denied

0
votes

When using the CLI gcloud commands, I can do everything action on my database. Yet when I try to do the same thing from Go (from the same shell instance as I did when using the gcloud commands) I get an error with the message:

spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."

The code I am trying to run is taken from the example found here: https://cloud.google.com/spanner/docs/getting-started/go/

I can't find that permission (spanner.session.create) in the spanner permissions either. I've been playing around with setting all permissions I could find related to spanner, on the account which I've used to log in with gcloud.

my GOOGLE_APPLICATION_CREDENTIALS are set and I've also tried with gcloud beta auth.

2
gogoogle-cloud-platformgoogle-cloud-spanner
oops, fat finger.. cloud.google.com/spanner/docs/getting-started/go/… seems to work for me. How about gcloud auth application-default login?rkansola

2 Answers

1
votes

Cloud Spanner IAM roles including the permission spanner.session.create are listed and described here: https://cloud.google.com/spanner/docs/iam#roles

Note how some of the roles are specific to a Person while others are Machine-specific (or Service Account specific).

You need to specify where are you connecting from or executing the code (Cloud Shell instance, VM running on GCE, on-prem machine or laptop) and to ensure that correct roles are assigned to a Person or a Service Account which is attempting to execute the code and access Cloud Spanner instance.

Consider this scenario:

  • your gcloud SDK may be well credentialed with person@domain.com account which has granted roles/spanner.admin role, so everything works fine for gcloud
  • the VM hosting your code and SDK is running as 12345678901-compute@developer.gserviceaccount.com Service Account and that one has no access to Cloud Spanner whatsoever, causing troubles.

More information on Service Accounts here: https://cloud.google.com/compute/docs/access/service-accounts

1
votes

Probably you didn't add access to your database tododb for account in the file pointed by GOOGLE_APPLICATION_CREDENTIALS. Use, for example, Cloud Spanner Database User role for this account in Google Console.