service accounts, proxy groups ... recently lost access to data

Chip

Recently a user (Eric - @ericco92 from NCI) lost ability run jobs in workspace rebc-oct16/rebc_template using data located on the google bucket corresponding to workspace firehose-to-firecloud/REBC_Chanock_NCI. Eric has been able run jobs from this workspace on this data for several months but suddenly not this week. The error message was: "Error: insufficient permissions to perform operation on rebc-oct16/rebc_template"

Based on https://gatkforums.broadinstitute.org/firecloud/discussion/11320/insufficient-permission-to-perform-operation-in-a-workspace-that-i-am-owner-of , Eric thought this was due to not being listed on the billing process access list, bur Eric is a user on the REBC billing project - so that can't be the problem.

Could this be due to the changes described recently in https://software.broadinstitute.org/firecloud/blog?id=11342 ? I added Eric's Proxy group id with access to both firehose-to-firecloud/REBC_Chanock_NCI (reader) and to rebc-oct16/rebc_template (writer). Despite this, Eric is still unable to run jobs.

What is the correct procedure to allow Eric to run jobs again ?

ericco92

A bit more information on the behavior:

• I am an owner on the workspace.
• I can't run any jobs at all (not just the new tool). Workflows that used to work all give me 403 errors now.
• My profile doesn't list any billing projects (I don't have any of my own, but should be on the REBC one)

Chip

Hi

Can we bump up the the help-priority of this issue ? We are dead in the water with a very important project.

Thanks,

Chip

abaumann

I can help debug this to unblock you and let the team know what the findings were - can we take this to email so I can ask for some specific details?

abaumann

We figured this out - Eric was not on the projects associated with these workspaces, which didn't allow him to run compute