Access control for running BigQuery Variants vcf_to_bq as a cromwell task

As anybody gotten Google's BigQuery Variants vcf_to_bq command to run as a cromwell task?

I can run vcf_to_bq directly using "gcloud alpha genomics pipelines run" with the --service-account-scopes option. When I try to run vcf_to_bq in a cromwell task using the GCP backend, the task fails with this error:

error=insufficient_scope, scope=""'}>, content <{
 "error": {
  "errors": [
    "domain": "global",
    "reason": "insufficientPermissions",
    "message": "Insufficient Permission"
  "code": 403,
  "message": "Insufficient Permission"

I've added the "BigQuery Admin" role to the Compute Engine default service account (although I would hope there is a way to use a role without so much permission).

I'm guessing that genomics pipeline is using "gcloud alpha compute instances set-scopes" ( to modify the compute engine instances running the Dataflow workers started to run vcf_to_bq. But I don't see how you can specify a scope in the cromwell config.


Sign In or Register to comment.