How to fix 'User does not have permission to query table XYZ.' in BigQuery?

Question

I want to do a BQ query via the bq command.

Here is my command:

bq query    --application_default_credential_file $GOOGLE_APPLICATION_CREDENTIALS  
  --nouse_legacy_sql 'SELECT * FROM `my_project.data.Document` limit 100' 

GOOGLE_APPLICATION_CREDENTIALS points to a credential file. I can use this variable to enable gcloud command to access my project's resources.

The query runs OK if I run it directly in bigquery query UI. I log in as myself.

However bq failed with this error Access Denied: Table my_project:data.Document: User does not have permission to query table my_project:data.Document.

I have granted these roles to the id, a service account, contained in the credential file:

Did I miss any role/permission?

Answer 1

I guess you might be aware of the fact that bq executor's authorization flags have been deprecated and no longer used, hence flag --application_default_credential_file is more like redundant in your initial bq query command. Generally, bq authorization parameters sometimes interfered with the gcloud credential settings causing unpredictable results. According to the official guidelines you should follow regular SDK instructions to perform authorization setup:

The bq authorization flags are deprecated. To configure authorization for the bq command-line tool, see Authorizing Cloud SDK tools.

Default @appspot.gserviceaccount.com App Engine service account has granted primitive Editor role, admitting that it has access to all resources, additional roles/bigquery.dataViewer and roles/bigquery.user permissions are quite needless here.