IAM Seeing Things!
Airflow Escapades
Controller Chaos
100

What is a common oversight when granting Airflow GCP service account permissions to BigQuery, or what specific permission might be missing for query execution?

A user reports their new Airflow DAG task fails with Access Denied: Table rddt-data-prod:my_dataset.my_table: User does not have permission to query table... but they swear the service account airflow-worker@my-project.iam.gserviceaccount.com has roles/bigquery.dataViewer on the dataset.

What is roles/bigquery.jobUser

100

The Airflow scheduler pod is Running. DAGs are synced. But no DAGs are being scheduled or marked as done.

What is a broken sql_alchemy_conn - incorrect reference to secret (bad-key)

100

What is the name of the Kubernetes role that gives you permissions on the dw EKS cluster?

What is: cluster admin

200

A user asks: How can I get access to this table? I get this error:

Access Denied: Table rddt-tier0-metrics1-prod:uniques.user_daily_geo: User does not have permission to query table rddt-tier0-metrics1-prod:uniques.user_daily_geo, or perhaps it does not exist.


bq show --format=prettyjson

There is a groupByEmail entry:
sg-gcp-{group-name}

Humans should belong to a service group.

200

One of the Airflow webserver pods is slow to respond or intermittently fails. Why?

What is one of the webserver pods is maxing out its CPU and hitting the 100m limit. It’s being throttled by the kubelet.

200

A teammate tried to create an AirflowWorkload, but it remains stuck in Ready=False. After digging, they found that the underlying GCP Project Crossplane resource exists - but something’s wrong. What is it?

The CR name is: dw-michael-test

What is the spec.forProvider.projectId was modified from the correct value:

Correct: projectId: r-d0f1c99f1de076e1ae143b2b5

Modified: projectId: broken-project-id

The GCP Project ID is immutable.

300

The Analytics Reporting team has just created a new view: analytics-reporting-prod:finance_dashboard_views.vw_quarterly_event_summary

This view is intended to query data from the rddt-dp-data1-prod:decomposed_event_views dataset. Users in the finance-analysts@reddit.com group have been granted roles/bigquery.dataViewer on the new vw_quarterly_event_summary view.

However, when they try to query vw_quarterly_event_summary, they receive a permission denied error. Why?

What is an access entry granting a role (e.g., READER) to the view rddt-analytics-reporting-prod:finance_dashboard_views.vw_quarterly_event_summary on the rddt-dp-data1-prod:decomposed_event_views dataset?

bq show --format=prettyjson rddt-dp-data1-prod:decomposed_event_views

300

Tasks can't run, and the schedulers seem to be unhealthy. Why?



What is Pgbouncer is running but misconfigured (e.g., invalid credentials or port). Airflow cannot connect.

300

A new AirflowWorkload was created in the cluster. 15 minutes later, no GCP resources exist. Why?

What is the controller is down, so no resources are being created.
