
pet account permissions for shared workspace

Comments


  • Jason

    Hi Mark,

    Thanks for writing in. Can you share the workspace where you are seeing this issue with GROUP_FireCloud-Support@firecloud.org by clicking the Share button in your workspace? The Share option is in the three-dots menu at the top-right.

    1. Add GROUP_FireCloud-Support@firecloud.org to the User email field and press enter on your keyboard.
    2. Click Save.

    Let me know the relevant submission ID and I'll be happy to take a closer look!

    Kind regards,

    Jason

  • Alba Sanchis-Juan

    Hi Jason,

    I have just shared the workspace with GROUP_FireCloud-Support@firecloud.org.

    The submission id that failed due to pet account permissions is a80f9aac-c1b7-4650-9a63-1be184a1eedc.

    Thank you,

    Alba

  • Jason

    Hi Alba,

    Thank you for that. Can either of you confirm whether asanchis@broadinstitute.org is a member of the covid-wgs-analysis billing project? I see the error is associated with the project rather than the bucket, which would manifest in an error like

    AccessDeniedException: 403 pet-109359867313582786694@covid-wgs-analysis.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.

    If asanchis@broadinstitute.org is not a member of the covid-wgs-analysis project, can you try adding asanchis@broadinstitute.org to the project and re-running the failed workflow? I recommend running with call caching enabled to save on time and costs.

    If you have any questions, please let us know.

    Kind regards,

    Jason

  • samb

    Hey Jason,

    If the user asanchis@broadinstitute.org had read/write access on a Terra Workspace, why wouldn't that work? Users in this role have the ability to run WDLs, etc.

    Why does it need to be at the project level?

    Thanks

  • Jason

    Hey samb,

    You're correct that it should work since asanchis@broadinstitute.org is an Owner on the workspace! But I'd like to see if something in that permission setting isn't working as expected. There was a previously known issue where Owners were not being given the right permissions to use the workspace billing project even though Writers were. If you don't want to add asanchis@broadinstitute.org to the BP, we can do a test having asanchis@broadinstitute.org set as a Writer instead of an Owner.

    Let me know if either option works for you for a test.

    Kind regards,

    Jason
