
Running the firecloud API from a google compute instance

I have been trying to run the firecloud api tools (fiss) from my google cloud instance and have been running into some issues regarding authorization. When I do the same steps on my local computer everything works beautifully, but when running on a cloud instance I get 401 errors.

I have tried running gcloud auth login or gcloud auth application-default login and given access to the google account that I use firecloud with and I can confirm that the default account has access to our firecloud project, but when I run fissfc space_list I get an Error 401. This is also true if I call it from within python with api.list_workspaces(), I get <Response [401]>.

I have also tried using the fiss docker image, but am unsure how to authenticate within the docker environment.

Thanks for your help!

Answers

  • dheiman Member, Broadie ✭✭
    edited September 2018

    Hi @RobinK,

    When you run gcloud auth list on your google cloud instance, does it list your account?

    I noticed when helping another user recently that gcloud auth application-default login was no longer enough to get credentials set up; I then had to specifically gcloud auth login <ACCOUNT> --activate in order to enable the use of authentication.

    The docker environment requires a running docker container, and to run the usual authentication steps from within.

    What version of fiss are you using? The latest should catch authentication errors and run the login commands for you. pip install --upgrade firecloud should grab it for you.

  • RobinK Member

    Hi @dheiman,
    Thanks for the help!
    So when I run gcloud auth list I see my account listed as ACTIVE, which stays the same after I run gcloud auth login <account> --activate.

    If I run gcloud projects list I am also able to see my organization project as well as the firecloud project.

    I am currently running fiss version 0.16.18 which I think is the newest version.

  • dheiman Member, Broadie ✭✭

    @birger, you've had success running FISS from a Google Cloud Instance, haven't you? Any ideas?

  • birger Member, Broadie, CGA-mod ✭✭✭

    I've run FISS from a Google Cloud Instance created for me by Google App Engine. I had to register my Google App Engine Service account with FireCloud and grant that service account WRITE privileges to the FireCloud Workspace I wanted to launch workflows in. Google App Engine handled all of the credential management for me vis a vis FISS.

  • RobinK Member

    @birger, that makes sense. Thanks for your comment. Do you know how to add a service account access to firecloud? I have tried to add it to a billing project and it comes up not found, and if I try to register a new firecloud account for it, I am told the email special character - is invalid. The service account is formatted: [email protected] (with the zeros changed).

  • RobinK Member

    Hi @birger I think the forum went down during this conversation, but I wanted to check back in. Do you know the proper way to add a service account to firecloud? Thanks!

  • birger Member, Broadie, CGA-mod ✭✭✭

    @abaumann can show you how to register a service account with FireCloud.

  • RobinK Member

    Thanks @abaumann. I will try this. Is there a public version of the docker container or the container it builds from google/cloud-sdk:170.0.1-slim? I am getting an unauthorized error when trying to pull or build.

  • abaumann Broad DSDE Member, Broadie ✭✭✭
  • RobinK Member
    edited September 2018

    Perfect! Got it to work. Registering the service account along with using export GOOGLE_APPLICATION_CREDENTIALS=<json> to point to the key for the service account got it all to work.
    Thanks for your help!
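
A check that can be run before calling FISS with the setup described in the post above, as an added example that is not part of the original thread: it reads the file GOOGLE_APPLICATION_CREDENTIALS points at, reports which service account identity has to be registered and granted access, and flags a key file that other local users can read. The sample e-mail, key contents and function names are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# Constructed sample identity and key material; not taken from the thread.
SAMPLE_EMAIL = "fiss-runner@example-project.iam.gserviceaccount.com"
REQUIRED_FIELDS = ("client_email", "private_key", "private_key_id")


def write_sample_key(directory, mode):
    """Write a constructed service-account key file with the given mode."""
    path = os.path.join(directory, "sa-key.json")
    key = {"type": "service_account", "client_email": SAMPLE_EMAIL,
           "private_key_id": "0000", "private_key": "CONSTRUCTED-NOT-A-KEY"}
    with open(path, "w") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path


def inspect_adc_key(env=None):
    """Report the identity and problems of the key file the variable names."""
    env = os.environ if env is None else env
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    report = {"path": path, "identity": None, "problems": []}
    if not path:
        report["problems"].append("GOOGLE_APPLICATION_CREDENTIALS is not set")
        return report
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        report["problems"].append(f"cannot read key file: {exc}")
        return report
    if not isinstance(key, dict) or key.get("type") != "service_account":
        report["problems"].append("not a service_account key file")
        return report
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        report["problems"].append("missing fields: " + ", ".join(missing))
    if mode & 0o077:
        report["problems"].append(f"mode {mode:o} grants group/other access to the key")
    # This e-mail is the identity that has to be registered and granted access.
    report["identity"] = key.get("client_email")
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = write_sample_key(tmp, 0o644)
        print(inspect_adc_key({"GOOGLE_APPLICATION_CREDENTIALS": sample}))
```

An empty problems list with the expected identity means the variable points at a usable, owner-only service account key; a 401 after that points at registration or permissions on the service side rather than at the local credentials.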

  • RobinK Member

    Thanks for your help @abaumann and @birger. One more question. When I try to put a new method in firecloud using update_repository_method from the firecloud python api, I get the response:

     u'message': u'Authorization exception for user [email protected] attempting to exercise permission Create on namespace pici-firecloud', u'code': 403
    

    But I am able to update existing methods with no problems. Is there a permission that the service account is missing in order to be able to write new methods to the project namespace? It is currently an owner in the billing account.

  • abaumann Broad DSDE Member, Broadie ✭✭✭

    The methods repository has separate permissions from projects and workspaces. Whoever created a method in a namespace (in this case pici-firecloud) first is the owner, and they can add other people to allow them to add methods to that namespace - and in this case you'd need to add that service account.

  • RobinK Member

    Where do you add permissions to the method repository for a namespace?

  • SChaluvadi Member, Broadie, Moderator admin

    Hey @RobinK - we will be closing this ticket as we have not heard from you but please feel free to follow up with any questions you may have in the future and we would be more than happy to take another look!
