Access control for running BigQuery Variants vcf_to_bq as a cromwell task

Has anybody gotten Google's BigQuery Variants vcf_to_bq command to run as a cromwell task?

I can run vcf_to_bq directly using "gcloud alpha genomics pipelines run" with the --service-account-scopes option. When I try to run vcf_to_bq in a cromwell task using the GCP backend, the task fails with this error:

error=insufficient_scope, scope="https://www.googleapis.com/auth/bigquery.readonly"'}>, content <{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "insufficientPermissions",
    "message": "Insufficient Permission"
   }
  ],
  "code": 403,
  "message": "Insufficient Permission"
 }
}

I've added the "BigQuery Admin" role to the Compute Engine default service account (although I would hope there is a way to use a role without so much permission).

I'm guessing that genomics pipeline is using "gcloud alpha compute instances set-scopes" (https://cloud.google.com/sdk/gcloud/reference/alpha/compute/instances/set-scopes) to modify the compute engine instances running the Dataflow workers started to run vcf_to_bq. But I don't see how you can specify a scope in the cromwell config.

Answers
