Thursday, January 23, 2020

Re: [google-cloud-sql-discuss] Re: proxy cloud_sql_proxy suddenly gives Error 403: The client is not authorized to make this request., notAuthorized

Hello Christopher, 

I can understand how inconvenient it can be to run into permission issues when trying to set up an ETL job. From my understanding, you have a service account being used to launch the import task and it already has all the Cloud SQL roles. Once the import task is launched, you have given the SQL instance's service account permission to access the GCS bucket.

The Cloud SQL documentation explains: "To import data from Cloud Storage, the instance's service account needs to have the Bucket Reader ACL permission set in the project." In other words, the service account needs to have the 'roles/storage.legacyBucketReader' role, which is equivalent to the 'Bucket Reader' ACL permission. Are you able to confirm if you have already granted that role to your Cloud SQL instance's service account?

Additionally, if you prefer not to give the import task service account the role of project-wide editor, it was previously suggested to try granting it the "roles/cloudsql.client" role instead. Have you already given that a try?
