liferoad commented on issue #31421: URL: https://github.com/apache/beam/issues/31421#issuecomment-2143444666
> The failed task is ':runners:google-cloud-dataflow-java:examples:preCommitLegacyWorkerImpersonate'. It uses a dedicate "impersonate" service account to interact with GCP. Local run on your own credential is fine > > The actual error message: > > ``` > Caused by: com.google.api.client.http.HttpResponseException: 403 Forbidden > POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken > { > "error": { > "code": 403, > "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).", > "errors": [ > { > "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).", > "domain": "global", > "reason": "forbidden" > } > ], > "status": "PERMISSION_DENIED", > "details": [ > { > "@type": "type.googleapis.com/google.rpc.ErrorInfo", > "reason": "IAM_PERMISSION_DENIED", > "domain": "iam.googleapis.com", > "metadata": { > "permission": "iam.serviceAccounts.getAccessToken" > } > } > ] > } > } > ``` > > Either permission of the service account "[[email protected]](mailto:[email protected])" is changed unexpectedly, or there are some recent breaking change on GCP side The local run indeed uses allows-impersonation. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
