17 may

Google Cloud BigQuery Admin service account gets "does not have bigquery.jobs.create permission"

I'm new to Google Cloud & BigQuery. I reviewed the dozen other questions that seem to be related and have not seen what I'm missing from those answers. I'm trying to query a public dataset.

The error:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Access Denied: Project airy-advantage-235802: The user kafka-learning@airy-advantage-235802.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project airy-advantage-235802.",
    "reason" : "accessDenied"
  } ],
  "message" : "Access Denied: Project airy-advantage-235802: The user kafka-learning@airy-advantage-235802.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project airy-advantage-235802."
    at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:150)
    at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
    at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:401)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1132)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:499)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:432)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:549)
    at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.create(HttpBigQueryRpc.java:183)

What I've done:

  1. Created new Google Cloud account
  2. Created new project, which Google assigned the project ID airy-advantage-235802, project name is Kafka Learning.
  3. Created a service account kafka-learning@airy-advantage-235802.iam.gserviceaccount.com
  4. Granted that user the BigQuery Admin role within the project (I originally tried BigQuery User and BigQuery Data Viewer)
  5. I saved the JSON credentials file to a local folder
  6. I set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path to the JSON file
  7. I have a tiny Java project to query a public dataset
  8. Received above error
  9. Verified billing is enabled (as far as I can tell, see below)

Is there a step I missed?

Google Cloud Project setup

Service Account Setup

enter image description here

var bigquery = BigQueryOptions.getDefaultInstance().getService();
var query = "SELECT * FROM `bigquery-public-data.google_analytics_sample.ga_sessions_20160801` LIMIT 10";
var queryConfig = QueryJobConfiguration.newBuilder(query).build();
var table = bigquery.query(queryConfig);

I've also tried explicitly setting the project id (which is also in the json file) by changing the builder to this:

var bigquery = BigQueryOptions.newBuilder().setProjectId("airy-advantage-235802").build().getService();



This usually happens when you delete and create a service account with the same name as the "new" service account may have old roles binding to it. Thus, you could:

  • Use a new service account
  • Explicitly removing any bindings granting that role to the service account
  • Re-granting those roles to the "new" service account.

For more information, you could check this link

Hope it helps.


I get this problem too. Reading the docs you will solve it.

It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior.

When you delete a service account, its role bindings are not immediately deleted. If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist; however, they will not apply to the new service account even though both accounts have the same email address. This behavior occurs because service accounts are given a unique ID within Cloud IAM at creation. Internally, all role bindings are granted using these IDs, not the service account's email address. Therefore, any role bindings that existed for a deleted service account do not apply to a new service account that uses the same email address.

To avoid confusion, we suggest using unique service account names. If this is not possible, you can grant a role to the new service account by:

Explicitly removing all bindings granting that role to the old service account. Re-granting those roles to the new service account. You must remove the role bindings first before re-adding them. Simply granting the role again will silently fail by granting the role to the old, deleted service account. enter link description here


© 2017 website by Rubit Corporation