Documentation

While configuring your Google BigQuery connection, you may encounter several issues. Understanding these common errors can help streamline the setup process and facilitate quick resolutions.

Wrong permissions

Error message

Solution

You can follow our step-by-step guide below to make sure that your Service account has sufficient permissions and is created correctly.

‍Step 1. Check if the correct principal for the project is specified.

Step 2. To create a new Service account, you need to access the corresponding section in the Google Cloud Console using the left navigation panel:

Step 3. There would be an option to create a new Service account:

Note: Please, do not use the ```improvado-gcs-loader``` name since it would be confusing. We use this account in our internal green-post project.

‍Step 4. Assign necessary permissions to the created service account in the IAM section. You can find a list of required permissions here.

Step 5. Once the service account is created, the new JSON key will be automatically generated.

Note: If you need to reissue the key, it could be done on the same screen using the three dots menu on the newly created service account:

Wrong input data

• Wrong Dataset Name
• Wrong Project ID
• Wrong Private key
• Wrong format of GBQ credentials

Error messages:

General solution

Verify Data and Configuration:

• Wrong Dataset Name: Ensure the dataset name, like 'gbq-sender-test-project:asdf', exists in your Google BigQuery setup.
• Wrong Project ID: Check if the project ID, such as 'wrong-project-id', is correctly specified and the project is active in Google Cloud Platform.
• Wrong Private Key (Type 1 and 2): Review your JSON credentials file for any mistakes. Ensure that the private key is correctly formatted and includes all necessary details. Look for errors like a missing key or incorrect padding.
• Update Configuration and Data Entries: Correct any inaccuracies in dataset names, project IDs, and private key details.

Refer to the Setup Guide Documentation.

Service account errors

• Wrong bucket name
• The auth key has been deleted
• The Account has been disabled or deleted

Error messages:

General solution

• Verify and Update Service Account Details: Double-check all service account details for accuracy, including bucket names and email addresses.
• Check Account and Key Status: Ensure the service account and its keys are active and have not been deleted or disabled.

WIF authentication errors

• Wrong service account email  
• Wrong AWS Provider ID
• Wrong Workload Pool ID
• Wrong Project Number
• Wrong Project ID

Error messages:

General solution

• Verify Account Details: Double-check the email address, AWS Provider ID, Workload Pool ID, Project Number, and Project ID provided in your configuration. Ensure they are current and accurately entered.
• Check Account Status: Confirm that none of the referenced accounts or IDs have been deleted or disabled in your Google Cloud Project or AWS Identity Provider settings.
• Update Configuration: If any discrepancies are found, update the relevant fields with the correct information.

Learn more in our setup guide.

Attribute mapping setup error

Error message:

Solution

Configure Attribute Condition:

• Navigate to the Identity and Access Management (IAM) section in your Google Cloud Console.
• Locate the settings for your workload identity federation setup.
• In the attribute mapping configuration, set up a condition that restricts access to the workload pool specifically to the role named "workload_identity_federation."
• Ensure that this condition is properly applied to prevent unauthorized access and to align with your organization's security policies.

Validate Configuration:

• After setting the condition, validate your configuration to ensure that it correctly restricts access as intended.
• Test the setup by attempting to access the workload pool with different roles to confirm that only the specified role has access.

Other cases related to attribute conditions  

Error message:

Solution

Review and Correct Attribute Conditions:

• Access the Google Cloud Console and navigate to the IAM & Admin section.
• Go to the Workload Identity Federation settings and examine the attribute conditions for your workload pool provider.
• Ensure that the conditions are correctly configured to accept the credentials being used. This may involve verifying that the conditions are not too restrictive or incorrectly set up.

Validate Credentials:

• Confirm that the credentials you are using match the requirements set by the attribute conditions. This includes checking the format, values, and types of the provided credentials.

Update Workload Pool Provider Settings:

• If the credentials are correct but still being rejected, you may need to update the settings of your workload pool provider to align with the credentials.
• This could involve adjusting the criteria or rules within the attribute conditions to ensure compatibility with the credentials being used.

‍