Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

PERMISSION_DENIED for google service account

See original GitHub issue

I’ve successfully subscribed to Pub?Sub service under my own user account. Howewer when i set GOOGLE_APPLICATION_CREDENTIALS env variable to point service account key file i got permission denied exception. This service account has Pub/Sub Admin role. Here is stack trace of exception:

SEVERE: terminated streaming with exception
com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: User not authorized to perform this action.
	at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:55)
	at com.google.cloud.pubsub.v1.StreamingSubscriberConnection$1.onFailure(StreamingSubscriberConnection.java:237)
	at com.google.common.util.concurrent.Futures$4.run(Futures.java:1123)
	at com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:435)
	at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:900)
	at com.google.common.util.concurrent.AbstractFuture.complete(AbstractFuture.java:811)
	at com.google.common.util.concurrent.AbstractFuture.setException(AbstractFuture.java:675)
	at com.google.common.util.concurrent.SettableFuture.setException(SettableFuture.java:53)
	at com.google.cloud.pubsub.v1.StreamingSubscriberConnection$StreamingPullResponseObserver.onError(StreamingSubscriberConnection.java:173)
	at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:419)
	at io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:41)
	at io.grpc.internal.CensusStatsModule$StatsClientInterceptor$1$1.onClose(CensusStatsModule.java:684)
	at io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:41)
	at io.grpc.internal.CensusTracingModule$TracingClientInterceptor$1$1.onClose(CensusTracingModule.java:392)
	at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:475)
	at io.grpc.internal.ClientCallImpl.access$300(ClientCallImpl.java:63)
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.close(ClientCallImpl.java:557)
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.access$600(ClientCallImpl.java:478)
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:590)
	at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
	at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: io.grpc.StatusRuntimeException: PERMISSION_DENIED: User not authorized to perform this action.
	at io.grpc.Status.asRuntimeException(Status.java:526)
	... 19 more

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:4
  • Comments:20 (2 by maintainers)

github_iconTop GitHub Comments

8reactions
agzamovrcommented, Apr 23, 2018

No, we have decided to use RabbitMQ instead.

3reactions
PrashSicommented, Apr 20, 2018

I am also facing the same problem in production and with selective hosts. I am using the same JSON(service account credentials) on 30 different hosts and 3 of them have reported this error. This is a runtime error with a generic message. Please suggest a way to debug it.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Permission denied for Service Account with enough access
I end up creating another Service Account with the exact same role attached and it works, literally a clone. Honestly not sure if...
Read more >
Requiring permission to attach service accounts to resources
For most Google Cloud services, users need permission to impersonate a service account in order to attach that service account to a resource....
Read more >
Permission Denied error received in Google Ads API, but not ...
Accounts using account OR mcc oauth credentials can access the new API fine when linked to this parent MCC. Any insight, ideas or...
Read more >
permission denied when using service account with Google ...
Please check the service account in use. There's one service account that's default for GCE and created by GCP. The other one is...
Read more >
I'm receiving a "Permission denied while getting Drive ...
Grant BigQuery service account access. ... "Permission denied while getting Drive credential" error when trying to query from Google Drive?
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Performance tests in pub/sub show that the publisher is using 50-100x more CPU than subscriber

Next page

Logging with google-cloud-logging-logback on K8S: resources.labels are empty