Google BigQuery - Troubleshooting

Updated on Dec 13, 2023

While configuring your Google BigQuery connection, you may encounter several issues. Understanding these common errors can help streamline the setup process and facilitate quick resolutions.

Wrong permissions

Error message

{%docs-informer error%} Checking connection failed: Access denied: Dataset <your-project-name>:<your-dataset>: Permission bigquery.tables.create denied on dataset <your-project-name>:<your-dataset> (or it may not exist). {%docs-informer-end%}

Solution

Follow the steps below to make sure that your service account is created correctly and has sufficient permissions.

Step 1. Check that the correct principal for the project is specified.

Step 2. To create a new service account, open the corresponding section in the Google Cloud Console using the left navigation panel.

Step 3. Use the option there to create a new service account.

Note: Please do not use the `improvado-gcs-loader` name, since it would be confusing. We use this account in our internal green-post project.

Step 4. Assign necessary permissions to the created service account in the IAM section. You can find a list of required permissions here.

Step 5. Once the service account is created, the new JSON key will be automatically generated.

Note: If you need to reissue the key, you can do so on the same screen using the three-dots menu on the newly created service account.

Wrong input data

  • Wrong Dataset Name
  • Wrong Project ID
  • Wrong Private key
  • Wrong format of GBQ credentials

Error messages:

{%docs-informer error%}
"Dataset [name] not found."
"Project [ID] is not found. Make sure it references valid GCP project that hasn't been deleted."
"Wrong private key. Please check that your JSON-file with credentials is valid."
"GBQ credentials have wrong format: No key could be detected. Incorrect padding."
{%docs-informer-end%}

General solution

Verify Data and Configuration:

  • Wrong Dataset Name: Ensure the dataset name, like 'gbq-sender-test-project:asdf', exists in your Google BigQuery setup.
  • Wrong Project ID: Check if the project ID, such as 'wrong-project-id', is correctly specified and the project is active in Google Cloud Platform.
  • Wrong Private Key (Type 1 and 2): Review your JSON credentials file for any mistakes. Ensure that the private key is correctly formatted and includes all necessary details. Look for errors like a missing key or incorrect padding.
  • Update Configuration and Data Entries: Correct any inaccuracies in dataset names, project IDs, and private key details.
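
A local pre-check for the key-file problems listed above, added here as an example (it is not Improvado's or Google's code). It parses the JSON, checks the fields a service account key normally carries, and decodes the PEM body so that a truncated or double-escaped key is caught before upload; the sample key bytes, `example-project` and the `loader@...` address are constructed.

```python
import base64
import binascii
import json

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
PEM_HEAD = "-----BEGIN PRIVATE KEY-----"
PEM_TAIL = "-----END PRIVATE KEY-----"
SAMPLE_B64 = base64.b64encode(b"\x30\x82" + bytes(64)).decode()  # constructed, not a real key

def build_sample(b64_body):  # constructed key file with hypothetical names
    pem = f"{PEM_HEAD}\n{b64_body}\n{PEM_TAIL}\n"
    return json.dumps({"type": "service_account", "project_id": "example-project",
                       "private_key_id": "0" * 40, "private_key": pem,
                       "client_email": "loader@example-project.iam.gserviceaccount.com"})

def check_pem(key):
    """Problems with the private_key string after JSON decoding."""
    if "\\n" in key:  # literal backslash + n: newlines were escaped twice on copy/paste
        return ["private_key contains a literal \\n; newlines were double-escaped"]
    body = key.strip()
    if not (body.startswith(PEM_HEAD) and body.endswith(PEM_TAIL)):
        return ["private_key has no BEGIN/END PRIVATE KEY markers"]
    b64 = "".join(body[len(PEM_HEAD):-len(PEM_TAIL)].split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:  # e.g. "Incorrect padding" for a truncated key
        return [f"private_key base64 body is damaged: {exc}"]
    if not der or der[0] != 0x30:
        return ["private_key does not decode to a DER SEQUENCE"]
    return []

def check_key_file(text):
    """List of problems in a service account JSON key; empty means it parses cleanly."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not data.get(name)]
    if data.get("type") not in (None, "service_account"):
        problems.append(f"type is {data['type']!r}, expected 'service_account'")
    if isinstance(data.get("private_key"), str) and data["private_key"]:
        problems += check_pem(data["private_key"])
    return problems

if __name__ == "__main__":
    print(check_key_file(build_sample(SAMPLE_B64)))       # intact key
    print(check_key_file(build_sample(SAMPLE_B64[:-1])))  # one character lost
```

The check only covers structure and encoding; it does not tell you whether the key has been deleted or the account disabled.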

Refer to the Setup Guide Documentation.

Service account errors

  • Wrong bucket name
  • The auth key has been deleted
  • The Account has been disabled or deleted

Error messages:

{%docs-informer error%}
"The specified bucket does not exist. Bucket name: wrong_bucket_name "
"Invalid JWT Signature or  Service Account not found."
"Specified AWS account ID not found in the configured identity provider "
{%docs-informer-end%}

General solution

  • Verify and Update Service Account Details: Double-check all service account details for accuracy, including bucket names and email addresses.
  • Check Account and Key Status: Ensure the service account and its keys are active and have not been deleted or disabled.

WIF authentication errors

  • Wrong service account email  
  • Wrong AWS Provider ID
  • Wrong Workload Pool ID
  • Wrong Project Number
  • Wrong Project ID

Error messages:

{%docs-informer error%}
"Please check the specified account Email"
"Specified AWS account ID not found"
"Wrong workload pool ID or AWS Provider ID (ID of the provider, connected to workload pool in GCP, not the Improvado AWS Account ID) "
"Wrong GCP project Number. The project does not exist or has been disabled/deleted "
"Wrong GCP project ID"
{%docs-informer-end%}

General solution

  • Verify Account Details: Double-check the email address, AWS Provider ID, Workload Pool ID, Project Number, and Project ID provided in your configuration. Ensure they are current and accurately entered.
  • Check Account Status: Confirm that none of the referenced accounts or IDs have been deleted or disabled in your Google Cloud Project or AWS Identity Provider settings.
  • Update Configuration: If any discrepancies are found, update the relevant fields with the correct information.

Learn more in our setup guide.

Attribute mapping setup error

Error message:

{%docs-informer error%} "Please configure the attribute condition that will restrict the access to the workload pool to only one role, that name is "workload_identity_federation"." {%docs-informer-end%}

Solution

Configure Attribute Condition:

  • Navigate to the Identity and Access Management (IAM) section in your Google Cloud Console.
  • Locate the settings for your workload identity federation setup.
  • In the attribute mapping configuration, set up a condition that restricts access to the workload pool specifically to the role named "workload_identity_federation".
  • Ensure that this condition is properly applied to prevent unauthorized access and to align with your organization's security policies.

Validate Configuration:

  • After setting the condition, validate your configuration to ensure that it correctly restricts access as intended.
  • Test the setup by attempting to access the workload pool with different roles to confirm that only the specified role has access.
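
One way to sanity-check the wording of an attribute condition before testing it against the pool, added here as an example and not taken from Improvado's or Google's code. It assumes the condition is evaluated on the AWS role ARN with the session name removed and that the CEL forms in the comments are how it is written; the account IDs and ARNs are constructed.

```python
import re

REQUIRED_ROLE = "workload_identity_federation"  # role name quoted in the error message
ACCOUNT = "111122223333"                         # constructed AWS account ID
ARN_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")

# Constructed STS caller ARNs: arn:aws:sts::<account>:assumed-role/<role>/<session>
SAMPLES = {
    "expected role": f"arn:aws:sts::{ACCOUNT}:assumed-role/{REQUIRED_ROLE}/loader",
    "other role": f"arn:aws:sts::{ACCOUNT}:assumed-role/reporting/loader",
    "longer role name": f"arn:aws:sts::{ACCOUNT}:assumed-role/{REQUIRED_ROLE}_dev/loader",
    "name only in session": f"arn:aws:sts::{ACCOUNT}:assumed-role/reporting/{REQUIRED_ROLE}",
    "other account": f"arn:aws:sts::444455556666:assumed-role/{REQUIRED_ROLE}/loader",
}

def aws_role(arn):
    """Role ARN without the session segment, or None if not an assumed-role ARN."""
    m = ARN_RE.match(arn)
    return f"arn:aws:sts::{m.group(1)}:assumed-role/{m.group(2)}" if m else None

def exact_match(arn):
    # Assumed CEL form:
    #   attribute.aws_role == 'arn:aws:sts::<ACCOUNT>:assumed-role/<REQUIRED_ROLE>'
    return aws_role(arn) == f"arn:aws:sts::{ACCOUNT}:assumed-role/{REQUIRED_ROLE}"

def substring_match(arn):
    # Assumed CEL form: assertion.arn.contains('<REQUIRED_ROLE>')
    return REQUIRED_ROLE in arn

def accepted(condition):
    """Labels of the sample ARNs that a condition lets through."""
    return [label for label, arn in SAMPLES.items() if condition(arn)]

if __name__ == "__main__":
    print("exact:    ", accepted(exact_match))
    print("substring:", accepted(substring_match))
```

Only the exact comparison limits access to the one role; the substring form also accepts the longer role name, the ARN that carries the name only in its session segment, and the role in the other account.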

Other cases related to attribute conditions  

Error message:

{%docs-informer error%} "The given credential is rejected by the attribute condition. Check your GCP Workload pool provider settings." {%docs-informer-end%}

Solution

Review and Correct Attribute Conditions:

  • Access the Google Cloud Console and navigate to the IAM & Admin section.
  • Go to the Workload Identity Federation settings and examine the attribute conditions for your workload pool provider.
  • Ensure that the conditions are correctly configured to accept the credentials being used. This may involve verifying that the conditions are not too restrictive or incorrectly set up.

Validate Credentials:

  • Confirm that the credentials you are using match the requirements set by the attribute conditions. This includes checking the format, values, and types of the provided credentials.

Update Workload Pool Provider Settings:

  • If the credentials are correct but still being rejected, you may need to update the settings of your workload pool provider to align with the credentials.
  • This could involve adjusting the criteria or rules within the attribute conditions to ensure compatibility with the credentials being used.

{%docs-informer info%} If none of the provided solutions worked, feel free to raise a request via the Service Desk {%docs-informer-end%}


Questions?

The Improvado team is always happy to help with any other questions you might have! Send us an email.

Contact your Customer Success Manager or raise a request in Improvado Service Desk.