While configuring your Google BigQuery connection, you may encounter several issues. Understanding these common errors can help streamline the setup process and facilitate quick resolutions.
Wrong permissions
Error message
{%docs-informer error%}
Checking connection failed: Access denied: Dataset <your-project-name>:<your-dataset>: Permission bigquery.tables.create denied on dataset <your-project-name>:<your-dataset> (or it may not exist).
{%docs-informer-end%}
Solution
You can follow our step-by-step guide below to make sure that your Service account has sufficient permissions and is created correctly.
Step 1. Check if the correct principal for the project is specified.
Step 2. To create a new Service account, open the corresponding section in the Google Cloud Console using the left navigation panel.
Step 3. Use the option there to create a new Service account.
Note: Please do not use the `improvado-gcs-loader` name, since it would be confusing. We use this account in our internal green-post project.
Step 4. Assign necessary permissions to the created service account in the IAM section. You can find a list of required permissions here.
Step 5. Once the service account is created, the new JSON key will be automatically generated.
Note: If you need to reissue the key, you can do so on the same screen using the three dots menu on the newly created service account.
Wrong input data
Wrong Dataset Name
Wrong Project ID
Wrong Private key
Wrong format of GBQ credentials
Error messages:
{%docs-informer error%}
"Dataset [name] not found."
"Project [ID] is not found. Make sure it references valid GCP project that hasn't been deleted."
"Wrong private key. Please check that your JSON-file with credentials is valid."
"GBQ credentials have wrong format: No key could be detected. Incorrect padding."
{%docs-informer-end%}
General solution
Verify Data and Configuration:
Wrong Dataset Name: Ensure the dataset name, like 'gbq-sender-test-project:asdf', exists in your Google BigQuery setup.
Wrong Project ID: Check if the project ID, such as 'wrong-project-id', is correctly specified and the project is active in Google Cloud Platform.
Wrong Private Key (Type 1 and 2): Review your JSON credentials file for any mistakes. Ensure that the private key is correctly formatted and includes all necessary details. Look for errors like a missing key or incorrect padding.
Update Configuration and Data Entries: Correct any inaccuracies in dataset names, project IDs, and private key details.
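The checks above can be run locally before the key is uploaded. The following is an added example, not Improvado's or Google's code: it inspects only the structure of a service account JSON key (required fields, project ID, PEM markers, base64 padding of the key body). The sample key, the project name `example-project` and the helper names are constructed for illustration.

```python
import base64
import binascii
import json
import re

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
PEM = re.compile(r"-----BEGIN PRIVATE KEY-----\n(.+?)\n-----END PRIVATE KEY-----", re.S)

def check_key_file(text, expected_project_id=None):
    """Return the problems found in a service account JSON key (empty list = OK).
    Structural checks only: the key material is never parsed or used to sign."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    # Treat non-string values the same as missing ones.
    vals = {k: data[k] if isinstance(data.get(k), str) else "" for k in REQUIRED}
    problems = [f"missing or non-string field: {k}" for k, v in vals.items() if not v]
    if vals["type"] and vals["type"] != "service_account":
        problems.append(f"type is {vals['type']!r}, expected 'service_account'")
    if expected_project_id and vals["project_id"] != expected_project_id:
        problems.append(f"project_id is {vals['project_id']!r}, expected {expected_project_id!r}")
    if vals["client_email"] and not vals["client_email"].endswith("gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    key = vals["private_key"].strip()
    if not key:
        return problems
    if "\\n" in key:  # literal backslash-n: the JSON string was escaped twice
        return problems + ["private_key has literal \\n sequences instead of newlines"]
    match = PEM.fullmatch(key)
    if match is None:
        return problems + ["private_key lacks BEGIN/END PRIVATE KEY markers"]
    try:
        base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error as exc:  # e.g. "Incorrect padding" on a truncated paste
        problems.append(f"private_key body is not valid base64: {exc}")
    return problems

# Constructed sample: the body is base64 of filler bytes, not a real key.
SAMPLE_BODY = base64.b64encode(b"constructed placeholder, not a real key " * 3).decode()

def sample_key(body=SAMPLE_BODY, project_id="example-project"):
    pem = f"-----BEGIN PRIVATE KEY-----\n{body}\n-----END PRIVATE KEY-----\n"
    return json.dumps({"type": "service_account", "project_id": project_id,
                       "private_key_id": "0" * 40, "private_key": pem,
                       "client_email": f"loader@{project_id}.iam.gserviceaccount.com"})
```

Run it against the file contents on the machine where the key was downloaded, so the key never has to be pasted anywhere else to be checked.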
{%docs-informer error%}
"The specified bucket does not exist. Bucket name: wrong_bucket_name"
"Invalid JWT Signature or Service Account not found."
"Specified AWS account ID not found in the configured identity provider"
{%docs-informer-end%}
General solution
Verify and Update Service Account Details: Double-check all service account details for accuracy, including bucket names and email addresses.
Check Account and Key Status: Ensure the service account and its keys are active and have not been deleted or disabled.
WIF authentication errors
Wrong service account email
Wrong AWS Provider ID
Wrong Workload Pool ID
Wrong Project Number
Wrong Project ID
Error messages:
{%docs-informer error%}
"Please check the specified account Email"
"Specified AWS account ID not found"
"Wrong workload pool ID or AWS Provider ID (ID of the provider, connected to workload pool in GCP, not the Improvado AWS Account ID)"
"Wrong GCP project Number. The project does not exist or has been disabled/deleted"
"Wrong GCP project ID"
{%docs-informer-end%}
General solution
Verify Account Details: Double-check the email address, AWS Provider ID, Workload Pool ID, Project Number, and Project ID provided in your configuration. Ensure they are current and accurately entered.
Check Account Status: Confirm that none of the referenced accounts or IDs have been deleted or disabled in your Google Cloud Project or AWS Identity Provider settings.
Update Configuration: If any discrepancies are found, update the relevant fields with the correct information.
{%docs-informer error%}
"Please configure the attribute condition that will restrict the access to the workload pool to only one role, that name is "workload_identity_federation"."
{%docs-informer-end%}
Solution
Configure Attribute Condition:
Navigate to the Identity and Access Management (IAM) section in your Google Cloud Console.
Locate the settings for your workload identity federation setup.
In the attribute mapping configuration, set up a condition that restricts access to the workload pool specifically to the role named "workload_identity_federation".
Ensure that this condition is properly applied to prevent unauthorized access and to align with your organization's security policies.
Validate Configuration:
After setting the condition, validate your configuration to ensure that it correctly restricts access as intended.
Test the setup by attempting to access the workload pool with different roles to confirm that only the specified role has access.
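A local model of the test matrix from the validation step, as an added example that is not Improvado's or Google's code and does not evaluate a real provider condition. It assumes the role in question is an AWS role seen as an STS assumed-role ARN. The account IDs, role names and session names are constructed. It contrasts a condition that matches the role segment exactly with a loose substring match.

```python
import re

ALLOWED_ROLE = "workload_identity_federation"  # role name from the error message
# AWS STS assumed-role ARN: arn:aws:sts::<account>:assumed-role/<role>/<session>
ARN = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)")

def exact_role(arn, account=None):
    """Pass only when the role segment equals ALLOWED_ROLE (and the account, if given)."""
    m = ARN.fullmatch(arn)
    if m is None:
        return False
    return m.group(2) == ALLOWED_ROLE and (account is None or m.group(1) == account)

def substring(arn):
    """Loose variant for contrast: passes whenever the name appears anywhere."""
    return ALLOWED_ROLE in arn

def admitted(condition, arns):
    """Return the identities a condition would let through."""
    return [a for a in arns if condition(a)]

# Constructed test identities (account IDs, roles and sessions are made up).
TEST_ARNS = [
    "arn:aws:sts::111111111111:assumed-role/workload_identity_federation/loader",
    "arn:aws:sts::111111111111:assumed-role/workload_identity_federation-dev/loader",
    "arn:aws:sts::111111111111:assumed-role/analytics/workload_identity_federation",
    "arn:aws:sts::222222222222:assumed-role/workload_identity_federation/loader",
]

if __name__ == "__main__":
    print("exact role:      ", admitted(exact_role, TEST_ARNS))
    print("exact + account: ", admitted(lambda a: exact_role(a, "111111111111"), TEST_ARNS))
    print("substring match: ", admitted(substring, TEST_ARNS))
```

Only the exact match with the account pinned admits a single identity. The substring variant admits all four, including a similarly named role and a session that merely carries the name.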
Other cases related to attribute conditions
Error message:
{%docs-informer error%}
"The given credential is rejected by the attribute condition. Check your GCP Workload pool provider settings."
{%docs-informer-end%}
Solution
Review and Correct Attribute Conditions:
Access the Google Cloud Console and navigate to the IAM & Admin section.
Go to the Workload Identity Federation settings and examine the attribute conditions for your workload pool provider.
Ensure that the conditions are correctly configured to accept the credentials being used. This may involve verifying that the conditions are not too restrictive or incorrectly set up.
Validate Credentials:
Confirm that the credentials you are using match the requirements set by the attribute conditions. This includes checking the format, values, and types of the provided credentials.
Update Workload Pool Provider Settings:
If the credentials are correct but still being rejected, you may need to update the settings of your workload pool provider to align with the credentials.
This could involve adjusting the criteria or rules within the attribute conditions to ensure compatibility with the credentials being used.
{%docs-informer info%}
If none of the provided solutions worked, feel free to raise a request via the Service Desk.
{%docs-informer-end%}