
Workflow failing with error: cannot find credentials for RawlsUser

birger Member, Broadie, CGA-mod ✭✭✭

I am launching workflows using the firecloud API (python fiss wrapper). The workflows are being launched within a web application running on Google App Engine. The web app is running under the service account [email protected] and that service account has been granted write access to the workspace in which the workflows are launched. From the Web app I have no problems creating the sample entity on which the workflow will run, and then submitting the workflow. The workflow, however, fails with the following error message:

cannot find credentials for RawlsUser(RawlsUserSubjectId(111659084039769474560),RawlsUserEmail([email protected]))

Answers

  • KateN Cambridge, MA Member, Broadie, Moderator admin

    That particular error message indicates that you need to refresh credentials. If you are running through the FireCloud UI, there should be a yellow banner across the page with a link to refresh your credentials. I'm unfamiliar with the API itself, but is there a way to look at the UI view of the particular workflow you're trying to run, and in that way click the link in the yellow banner?

  • birger Member, Broadie, CGA-mod ✭✭✭

    These are service credentials managed by Google App Engine...I believe Google App Engine ensures it is delivering fresh credentials to targeted services.

  • KateN Cambridge, MA Member, Broadie, Moderator admin

    I am unsure then; I will ask a developer to take a look at this particular issue.

  • birger Member, Broadie, CGA-mod ✭✭✭

    According to this blog post refresh tokens have been abandoned. I am running my web app under a service account. @dvoet and @abaumann helped me to register the service account in FireCloud. The FireCloud API is having no issue with my API calls to create workspace entities or even launch a workflow...the issue appears to have arisen when the workflow is executed by rawls.

  • KateN Cambridge, MA Member, Broadie, Moderator admin

    Our on-call dev thinks that you might have been given write permissions, but not compute permissions. Have you been able to run a workflow using this method with this service account before? If not, can you check that you have compute permissions?

  • KateN Cambridge, MA Member, Broadie, Moderator admin

    I take that back. I was informed by @dvoet that, for now, service accounts cannot be used directly to launch workflows in FireCloud. Once we get fully away from refresh tokens, we will be able to enable it, but for now it simply doesn't work.

  • birger Member, Broadie, CGA-mod ✭✭✭

    I have given the service account compute permissions. Attached is a screen shot of the workspace ACL:

    This is my first time running this method with this service account. I can run the method with my PET service account (from the GUI).

  • esalinas Broad Member, Broadie ✭✭✭
    edited February 2018

    According to this link, service accounts cannot launch method configurations.

    https://github.com/broadinstitute/firecloud-tools/tree/master/scripts/register_service_account

    -eddie

  • birger Member, Broadie, CGA-mod ✭✭✭

    That was before the introduction of PET accounts. (I had been consulting with DSDE on this project, and no one informed me this restriction would be carried through into last week's PET service account release.) The current issue is not with the launching of workflows (I can successfully launch the workflow), but with the internal communications between rawls and agora (the workflow fails when rawls is unable to retrieve the WDL from agora). There are plans for addressing this, but not in the timeframe I need. @dvoet is creating an interim workaround for me.

  • esalinas Broad Member, Broadie ✭✭✭

    @birger I'm glad a work-around is in progress!
