cloud spanner IAM permission denied












When using the CLI gcloud commands, I can do every action on my database. Yet when I try to do the same thing from Go (from the same shell instance as I did when using the gcloud commands) I get an error with the message:

spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."

The code I am trying to run is taken from the example found here: https://cloud.google.com/spanner/docs/getting-started/go/

I can't find that permission (spanner.session.create) in the spanner permissions either. I've been playing around with setting all permissions I could find related to spanner, on the account which I've used to log in with gcloud.

My GOOGLE_APPLICATION_CREDENTIALS are set and I've also tried with gcloud beta auth.










go google-cloud-platform google-cloud-spanner






asked Nov 25 '18 at 1:12









Dylan Meeus

  • oops, fat finger.. cloud.google.com/spanner/docs/getting-started/go/… seems to work for me. How about gcloud auth application-default login?

    – rkansola
    Nov 25 '18 at 2:37





















1 Answer
Cloud Spanner IAM roles including the permission spanner.session.create are listed and described here: https://cloud.google.com/spanner/docs/iam#roles

Note how some of the roles are specific to a Person while others are Machine-specific (or Service Account specific).

You need to specify where you are connecting from or executing the code (Cloud Shell instance, VM running on GCE, on-prem machine or laptop) and to ensure that the correct roles are assigned to a Person or a Service Account which is attempting to execute the code and access the Cloud Spanner instance.

Consider this scenario:

  • your gcloud SDK may be well credentialed with the person@domain.com account, which has been granted the roles/spanner.admin role, so everything works fine for gcloud

  • the VM hosting your code and SDK is running as the 12345678901-compute@developer.gserviceaccount.com Service Account, and that one has no access to Cloud Spanner whatsoever, causing trouble.

More information on Service Accounts here:
https://cloud.google.com/compute/docs/access/service-accounts






        answered Feb 27 at 15:24









Ilya Zakreuski
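
The mismatch described in the answer can be checked by working out which principal the Go client library authenticates as, since that principal, not the gcloud login, needs the Spanner role. The following is an added example, not code from the original post or from Google's libraries: it follows the Application Default Credentials search order and reads the identity from a credentials file. The helper names adcSource and describeCredential and the sample JSON are constructed for illustration, and the well-known path shown is the Linux/macOS one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// credFile holds the fields of a Google credentials JSON file that identify the caller.
type credFile struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
}

// describeCredential reports which principal a credentials file authenticates as.
func describeCredential(raw []byte) (string, error) {
	var f credFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return "", fmt.Errorf("not a credentials JSON file: %w", err)
	}
	switch f.Type {
	case "service_account": // key file downloaded for a service account
		return "serviceAccount:" + f.ClientEmail, nil
	case "authorized_user": // written by `gcloud auth application-default login`
		return "user credentials (no e-mail stored in the file)", nil
	}
	return "", fmt.Errorf("unexpected credential type %q", f.Type)
}

// adcSource follows the Application Default Credentials search order:
// environment variable, then the gcloud well-known file, then the metadata server.
func adcSource(envPath, home string, exists func(string) bool) string {
	if envPath != "" {
		return "file:" + envPath // GOOGLE_APPLICATION_CREDENTIALS wins when set
	}
	wellKnown := filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
	if exists(wellKnown) {
		return "file:" + wellKnown
	}
	return "metadata-server" // service account attached to the VM or runtime
}

func main() {
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	home, _ := os.UserHomeDir()
	fmt.Println("ADC source:", adcSource(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"), home, exists))
	// Constructed sample key file, reusing the service account named in the answer.
	sample := []byte(`{"type":"service_account","project_id":"todo","client_email":"12345678901-compute@developer.gserviceaccount.com"}`)
	fmt.Println(describeCredential(sample))
}
```

The account printed by gcloud auth list is the one the gcloud CLI uses; if it differs from the principal reported here, the IAM binding has to be granted to the latter.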
