17 may

Google Cloud BigQuery Admin service account gets "does not have bigquery.jobs.create permission"

I'm new to Google Cloud & BigQuery. I reviewed the dozen other questions that seem to be related and have not seen what I'm missing from those answers. I'm trying to query a public dataset.

The error:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Access Denied: Project airy-advantage-235802: The user kafka-learning@airy-advantage-235802.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project airy-advantage-235802.",
    "reason" : "accessDenied"
  } ],
  "message" : "Access Denied: Project airy-advantage-235802: The user kafka-learning@airy-advantage-235802.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project airy-advantage-235802."
    at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:150)
    at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
    at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:401)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1132)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:499)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:432)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:549)
    at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.create(HttpBigQueryRpc.java:183)

What I've done:

  1. Created new Google Cloud account
  2. Created new project, which Google assigned the project ID airy-advantage-235802, project name is Kafka Learning.
  3. Created a service account kafka-learning@airy-advantage-235802.iam.gserviceaccount.com
  4. Granted that user the BigQuery Admin role within the project (I originally tried BigQuery User and BigQuery Data Viewer)
  5. I saved the JSON credentials file to a local folder
  6. I set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path to the JSON file
  7. I have a tiny Java project to query a public dataset
  8. Received above error
  9. Verified billing is enabled (as far as I can tell, see below)

Is there a step I missed?

Google Cloud Project setup

Service Account Setup

enter image description here

var bigquery = BigQueryOptions.getDefaultInstance().getService();
var query = "SELECT * FROM `bigquery-public-data.google_analytics_sample.ga_sessions_20160801` LIMIT 10";
var queryConfig = QueryJobConfiguration.newBuilder(query).build();
var table = bigquery.query(queryConfig);

I've also tried explicitly setting the project id (which is also in the json file) by changing the builder to this:

var bigquery = BigQueryOptions.newBuilder().setProjectId("airy-advantage-235802").build().getService();



I get this problem too. Reading the docs you will solve it.

It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior.

When you delete a service account, its role bindings are not immediately deleted. If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist; however, they will not apply to the new service account even though both accounts have the same email address. This behavior occurs because service accounts are given a unique ID within Cloud IAM at creation. Internally, all role bindings are granted using these IDs, not the service account's email address. Therefore, any role bindings that existed for a deleted service account do not apply to a new service account that uses the same email address.

To avoid confusion, we suggest using unique service account names. If this is not possible, you can grant a role to the new service account by:

Explicitly removing all bindings granting that role to the old service account. Re-granting those roles to the new service account. You must remove the role bindings first before re-adding them. Simply granting the role again will silently fail by granting the role to the old, deleted service account. enter link description here


This usually happens when you delete and create a service account with the same name as the "new" service account may have old roles binding to it. Thus, you could:

  • Use a new service account
  • Explicitly removing any bindings granting that role to the service account
  • Re-granting those roles to the "new" service account.

For more information, you could check this link

Hope it helps.




© 2017 website by Rubit Corporation