Five-dollar-genome workflow - "does not have storage.objects.get access to" error

Hi Team,
I am trying to run the Five Dollar Genome Workflow on my WGS data, which is in a bucket, say gs://mybucket/s1.bam. The bucket and bam file are under my Google account. The same Google account is used for FireCloud.
I got the below error:
message: Failed to evaluate 'germline_single_sample_workflow.unmapped_bam_size' (reason 1 of 1): Evaluating size(unmapped_bam, "GB") failed: [email protected]viceaccount.com does not have storage.objects.get access to gs://mybucket/s1.bam.
Could you please advise how to solve this issue? Thank you very much
Best Answers
-
Tiffany_at_Broad Cambridge, MA admin
Hi @Bingley - did FireCloud create the original bucket you were trying to access the files from? If you use data that is stored outside of FireCloud workspace buckets and is not fully public (world-readable), you need to modify the access permissions of that data by sharing it with your proxy group located on your profile page under User info. You can read more about this here.
-
Tiffany_at_Broad Cambridge, MA admin
Correct. The proxy group available on your profile page is uniquely yours so by giving that proxy group permission to your bucket, only you can access it.
Groups you create in FireCloud also use proxy groups, so if you share the bucket with that proxy group then access will be granted to whoever is listed in the group.
Answers
Hello @Bingley. I see that you posted another thread here, where you encountered another issue with this same workspace, but further along in the process. Am I correct in inferring that you were able to get past this thread's error message?
If not, please share your workspace in FireCloud with [email protected]. Then, post here the name of the workspace as well as the submission ID for where you encountered this error.
Hey @KateN,
Thank you for the reply. I got around it by uploading data into the bucket which was created by the workspace for analysis, instead of keeping them in their original bucket. I asked a question earlier here, and I thought I could just use gs://bucket/file to access the data in their original bucket from any workspace.
Now, the question is, do I have to make a copy of the data into a new bucket every time I need to access them in a new workspace?
Thank you.
Hi @Bingley, you shouldn't have to make copies of data every time you create a new workspace. You should be able to access data in Google buckets across workspaces if your FireCloud account has access. All permissions on the workspace are synced with the Google bucket, so if you add a person as a Reader to the workspace, this person can read the Google bucket too.
What permissions do you have in the original workspace with the original bucket?
Hi @Tiffany_at_Broad, I am the owner of the original bucket and I have full control of the Google account which I used to log in to FireCloud.
Thanks @Bingley. For us to investigate this, can you share the original bucket and the workspace where you received the error with [email protected]?
Let us know the name of the workspace plus the submission id where you saw this error. Then we can debug further. Sorry about the trouble you've run into, but glad you found a workaround in the meantime.
Hi @Tiffany_at_Broad,
Please find workspace fccredits-silver-pumpkin-7172/five-dollar-genome-analysis-pipeline_copy
Submission 0594fade-8897-4557-b247-385cf5d791e5
Now I only kept one file which was the error pointed to for you to have a look. Thank you.
Thanks, @Bingley - we started looking into this and will follow up with more information tomorrow.
Hi @Bingley - did FireCloud create the original bucket you were trying to access the files from? If you use data that is stored outside of FireCloud workspace buckets and is not fully public (world-readable), you need to modify the access permissions of that data by sharing it with your proxy group located on your profile page under User info. You can read more about this here.
Thank you, @Tiffany_at_Broad. The bucket was not created by FireCloud, but through my original Google Cloud account.
So if I want my FireCloud workspace to access that bucket, I have to add the FireCloud proxy group to the access permissions of the data I am trying to access from FireCloud. By doing this, can other users with the same proxy group access my bucket?
Thank you.
Correct. The proxy group available on your profile page is uniquely yours so by giving that proxy group permission to your bucket, only you can access it.
Groups you create in FireCloud also use proxy groups, so if you share the bucket with that proxy group then access will be granted to whoever is listed in the group.
Excellent. Thank you, @Tiffany_at_Broad. Very helpful.
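The fix described in this thread (share the external bucket with your own proxy group rather than making it world-readable) can be checked against the bucket's IAM policy before a submission is launched. The following is an added example, not code from the thread or from FireCloud: it reads a policy in the JSON shape printed by `gsutil iam get`, and the group address `PROXY_GROUP@example.org`, the owner address and the sample policy are constructed placeholders. It only looks at direct bindings of predefined roles; custom roles, IAM conditions and group membership are not evaluated.

```python
# Added example: who can read objects under a Cloud Storage bucket IAM policy?
# Input shape matches the JSON printed by `gsutil iam get gs://BUCKET`.

# Predefined Cloud Storage roles that include the storage.objects.get permission.
ROLES_WITH_OBJECTS_GET = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def readers(policy):
    """Members bound directly to any role that carries storage.objects.get."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in ROLES_WITH_OBJECTS_GET:
            found.update(binding.get("members", []))
    return found


def public_readers(policy):
    """Non-empty when the bucket's objects are readable beyond named principals."""
    return readers(policy) & PUBLIC_MEMBERS


def can_read(policy, member):
    """True if `member` has a direct read binding or the bucket is public."""
    return member in readers(policy) or bool(public_readers(policy))


def grant_viewer(policy, member):
    """Return a copy of `policy` with `member` added to roles/storage.objectViewer."""
    bindings = [dict(b, members=list(b.get("members", []))) for b in policy.get("bindings", [])]
    for b in bindings:
        if b["role"] == "roles/storage.objectViewer":
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:  # no objectViewer binding yet: add one with only this member
        bindings.append({"role": "roles/storage.objectViewer", "members": [member]})
    return {**policy, "bindings": bindings}


# Constructed sample: a bucket readable only by its owner, as in the original post.
PROXY = "group:PROXY_GROUP@example.org"  # placeholder for the proxy group on your profile page
SAMPLE = {"bindings": [{"role": "roles/storage.admin", "members": ["user:owner@example.org"]}]}
```

On a real bucket the equivalent read-only grant is `gsutil iam ch group:<your proxy group>:objectViewer gs://mybucket`; `roles/storage.legacyBucketReader` alone would not clear the error because it does not include `storage.objects.get`.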