Authenticating the Service Account and Performing a Simple Query

0
votes

I have a service account provided by a vendor client

I'm using the .NET API to pull data from their database with the service account they provided I'm trying to run a simple query "select name from [projectId].[datasetId].[table]" And I'm getting the following error:

Access Denied: Project [projectId]: User does not have bigquery.jobs.create permission in project [projectId]. [403]
Errors [
    Message[Access Denied: Project [projectId]: User does not have bigquery.jobs.create permission in project [projectId].] Location[ - ] Reason[accessDenied] Domain[global]
]
  1. How can I check my service account permissions?
  2. How can I authenticate my service account?
  3. The only way to perform a 'select' is with a job permission?
1
authenticationgoogle-cloud-platformpermissionsgoogle-bigquerygcloud
Does the vendor send you a service account key file? And do you have your own GCP subscription (even free)?guillaume blaquiere
The problem was with my permissions. I asked the vendor to provide them to meBruno Magalhães

1 Answers

1
votes
  1. There are a variety of ways to test IAM permissions on the documentation website. Using curl you would do:
curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://cloudresourcemanager.googleapis.com/v1/projects/project-id:testIamPermissions

Although you already know what permissions are missing so you need to ask you vendor client to provide BigQuery access. To add access the instructions are here.

  1. As far as authenticating, you just send the service account json key in or authenticate via SDK, depending on how you are accessing it, but generally you are somehow either sending your json key or pointing out the json key location to the SDK.

  2. There are a number of ways to query BigQuery but all of them are through a "job" which is the query itself being sent in.