Permission Denied issue - can't run workflow

Post author
Kornyok Kamdee

HiJonn Smith and the development team 

I can't run any workflows on terra (my workspaces name Workspacesfirecloud-2023/KK Funcotator). I'm getting the following error message in every jobs:

403 Forbidden POST https://cloudkms.googleapis.com/v1/projects/broad-dsde-prod/locations/global/keyRings/sam-prod-keyring/cryptoKeys/dockerhub-key:encrypt { "code": 403, "errors": [ { "domain": "global", "message": "Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/broad-dsde-prod/locations/global/keyRings/sam-prod-keyring/cryptoKeys/dockerhub-key' (or it may not exist).", "reason": "forbidden" } ], "message": "Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/broad-dsde-prod/locations/global/keyRings/sam-prod-keyring/cryptoKeys/dockerhub-key' (or it may not exist).", "status": "PERMISSION_DENIED" }

Google Project ID terra-afefd4a9
Bucket Name fc-secure-80b4350a-1976-4cc2-88cc-c9a024c9738e
workflow version 4.2.0 
workflow id : 610c00bc-121d-464b-94b5-eb8bdd828e58
Submission ID b4ff7f6d-47f5-4268-ab77-212b8f37d0a6

OWNERS

 
Thanks!
Kornyok Kamdee

Comments

15 comments

  • Comment author
    Samantha (she/her)

    Hi Kornyok Kamdee,

     

    Thank you for writing in about this issue. Can you share the workspace where you are seeing this issue with Terra Support by clicking the Share button in your workspace? The Share option is in the three-dots menu at the top-right.

    1. Toggle the "Share with support" button to "Yes"
    2. Click Save

    If the workspace is protected by an authorization domain, please also add my account (svelasqu@broadinstitute.org) to the group.

     

    Kind regards,

    Samantha

    0
  • Comment author
    Kornyok Kamdee

    Dear, Samantha Samantha-she-her

    I have already shared our workspace according to your suggestion.

    Should you need any further information, please do not hesitate to tell me. 

    Keep me informed of any updates. Thanks

    Regards,

    Kornyok Kamdee

     

    0
  • Comment author
    Samantha (she/her)

    Hi Kornyok Kamdee,

    I am still unable to access the workspace. It looks like it's protected by an authorization domain called 'genomics-thailand-breast-cancer' that I have not been added to yet. If you are able to, can you please add my account (svelasqu@broadinstitute.org) to that group?

    In the meantime, I'd like to ask some more follow up questions to try and troubleshoot. This error usually happens when a user's Terra account hasn't been set up correctly in the backend. Are you a new Terra user? If so, when did you register for Terra? As of today, your account seems to have all the appropriate permissions so this may have just been a delay in those permissions being granted.

    Have you tried running any workflows since you wrote in about this error? If not, can you try resubmitting your workflow and see if you still get the same error?

     

    Best,
    Samantha

    0
  • Comment author
    Bhoom Suktitipat

    We have just added you to the resource group. 

    0
  • Comment author
    Aloysius Domingo

    Hi Samantha,

    Not to hijack the thread, but I am getting the exact same error when I run any workflow, whether on example (public) data or using my own. I shared workspace with the Terra support team. Please let us know of any updates regarding this issue.

    Thanks,

    Aloysius

    0
  • Comment author
    Samantha (she/her)

    Hi Kornyok Kamdee,

    Sorry for the delayed response. The PERMISSION_DENIED error usually means that your account needs to be added to the All_Users Google group. I took a look at that group and confirmed that your account is indeed added. And I can see that you have been able to run workflows without getting that error as of March 26th, so there may have just been a delay in setting up your permissions. The errors you are receiving now are most likely due to your input files or workflow settings. Please see the following article for more information on how to troubleshoot those common errors: https://support.terra.bio/hc/en-us/articles/360027920592-How-to-troubleshoot-failed-workflows.

    Please let me know if you have any other questions!

    Best,

    Samantha

    0
  • Comment author
    Samantha (she/her)

    Hi Aloysius Domingo,

    Can you share a link to your workspace and provide the relevant submission/workflow IDs so we can take a closer look? Also, what is your Terra account email?

     

    Best,

    Samantha

    0
  • Comment author
    Aloysius Domingo
    • Edited

    Hi thanks for getting back! 

    Google Project ID: terra-48fdf09a
    Workflow ID: 3df34303-9a81-432a-a172-d9f5c993052b
    Submission ID: 52b98660-ca56-4418-8b02-9cf277477008

    I also shared the workspace to you.

    Terra account email is adomingo1@mgh.harvard.edu

    Thank you!

    0
  • Comment author
    Samantha (she/her)

    Hi Aloysius Domingo,

    I confirmed your account was not in the appropriate Google group. I've gone ahead and added it so you shouldn't see the error anymore when running workflows. IAM changes can take a few minutes to propagate through Google, so I would suggest waiting 10-15 minutes until you try submitting your workflow again.

    Best,

    Samantha

    0
  • Comment author
    Aloysius Domingo

    Thanks Samantha-she-her, I am now able to run workflows.

    0
  • Comment author
    Jérémie Kalfon
    • Edited

    Hello! We have the same error on our end.

    It is only one of our lab members that has this issue. Everyone else can use it fine. The email is xliu@whitelabgx.com.can you help us on that? 


    All the best,

     

    0
  • Comment author
    Xi Liu

    Hello,

    This is my email address. Thank you in advance for your help.

    Best Regards,

    0
  • Comment author
    Samantha (she/her)

    Hi Xi and Jérémie,

    I confirmed Xi's account was not in the Google group and went ahead and added it. Please allow 10-15 minutes for the changes to propagate through GCP before you submit another workflow.

    Best,

    Samantha

    0
  • Comment author
    Jérémie Kalfon

    Thanks a lot!

     

    0
  • Comment author
    Aloysius Domingo

    Hi Samantha-she-her,

    Sorry to come back to this thread. Could you add my colleague ryadav1@mgh.harvard.edu to the All_Users google group as well?

    Thank you!

    0

Please sign in to leave a comment.