We've moved!
For WDL questions, see the WDL specification and WDL docs.
For Cromwell questions, see the Cromwell docs and please post any issues on Github.

Access control for running BigQuery Variants vcf_to_bq as a cromwell task

As anybody gotten Google's BigQuery Variants vcf_to_bq command to run as a cromwell task?

I can run vcf_to_bq directly using "gcloud alpha genomics pipelines run" with the --service-account-scopes option. When I try to run vcf_to_bq in a cromwell task using the GCP backend, the task fails with this error:

error=insufficient_scope, scope="https://www.googleapis.com/auth/bigquery.readonly"'}>, content <{
 "error": {
  "errors": [
    "domain": "global",
    "reason": "insufficientPermissions",
    "message": "Insufficient Permission"
  "code": 403,
  "message": "Insufficient Permission"

I've added the "BigQuery Admin" role to the Compute Engine default service account (although I would hope there is a way to use a role without so much permission).

I'm guessing that genomics pipeline is using "gcloud alpha compute instances set-scopes" (https://cloud.google.com/sdk/gcloud/reference/alpha/compute/instances/set-scopes) to modify the compute engine instances running the Dataflow workers started to run vcf_to_bq. But I don't see how you can specify a scope in the cromwell config.


Sign In or Register to comment.