PERMISSION_DENIED Error When Creating a Queue with Google Cloud Tasks - Stack Overflow

I'm developing a Node.js application and trying to create a queue using Google Cloud Tasks, but I encounter the following error:

Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.queues.create" for the resource "projects/XXXXXX/locations/europe-central2" (or the resource may not exist).

Steps Taken:

1- Service Account Creation: I created a service account and assigned it the "Cloud Tasks Queue Admin" role (roles/cloudtasks.queueAdmin), which includes the cloudtasks.queues.create permission.

2- Client Configuration: I configured the Cloud Tasks client in my code as follows:

const { CloudTasksClient } = require('@google-cloud/tasks');
const clientCloudTasks = new CloudTasksClient({
  keyFilename: "./serviceAccountKey.json",
});

3- Queue Creation Attempt: I attempted to create a queue with the following code:

const queuePath = clientCloudTasks.queuePath('my-project-id', 'europe-central2', 'my-queue-id');

const queue = {
  name: queuePath,
  rateLimits: {
    maxDispatchesPerSecond: 1,
  },
};

const request = {
  parent: clientCloudTasks.locationPath('my-project-id', 'europe-central2'),
  queue: queue,
};

await clientCloudTasks.createQueue(request);

Additional Details:

  • I verified that the "Cloud Tasks Queue Admin" role includes the cloudtasks.queues.create permission.
  • The service account is correctly configured, and the JSON key file is properly referenced in the code.
  • The specified project and location exist and are correctly referenced.

Question:

Why am I receiving this permission error despite the configurations made?

Thank you in advance for your assistance!

Asked Feb 5 at 15:53 by rafik; edited Feb 5 at 15:54 by Doug Stevenson.
  • The evidence suggests that you're not correctly following the steps that you describe but, since your question omits proof of your statements, it's difficult to help. You describe (1) creating a Service Account; (2) binding it to roles/cloudtasks.queueAdmin; (3) referencing a key from the Service Account in your code; (4) running the code (where?), but at least one of these steps is incorrect. Please update your question with more details that prove your assertions so that we may help. – DazWilkin Commented Feb 5 at 17:05
  • It would also be better for you to export GOOGLE_APPLICATION_CREDENTIALS=${PWD}/serviceAccountKey.json and then const clientCloudTasks = new CloudTasksClient(); – DazWilkin Commented Feb 5 at 19:01
  • "@DazWilkin Thank you for your feedback. Verified: 1-Service Account: Checked with: const keyFile = JSON.parse(fs.readFileSync("./serviceAccountKey.json")); console.log(keyFile.client_email); Result: [email protected]. 2-Roles: Has roles/cloudtasks.queueAdmin with cloudtasks.queues.create. 3-Issue: PERMISSION_DENIED: The principal lacks "cloudtasks.queues.create" for "projects/XXXXXX/locations/europe-central2". Question: Could there be additional configurations I’m missing?" – rafik Commented Feb 6 at 10:02

1 Answer

Before we focus on the permission error, let’s go back to the basics and make sure you performed these checks:

  1. Enable billing for your project

  2. Enable the Cloud Tasks API

For the permission error, here are the things you can try:

  • Inspect the resources; make sure to use the project ID (alphanumeric) not project number (numerical value)

  • If Cloud Tasks API was enabled prior to March 19, 2019

    • you need to manually add the role “Cloud Tasks Service Agent”

    • verify if you have the Google-managed Cloud Tasks service account service-[project-number]@gcp-sa-cloudtasks.iam.gserviceaccount.com within the project

  • grant access to your service account with the following command (if applicable or have equivalent steps for your environment):

gcloud projects add-iam-policy-binding {project} \
  --member=serviceAccount:{service-account-email} \
  --role=roles/cloudtasks.queueAdmin

(or roles/cloudtasks.admin -- not advisable, but for testing purposes to see if there's any difference, although @DazWilkin's repro suggests that queueAdmin is working fine)
  • Delete the roles and add them again
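
An offline check for the causes listed in the answer above, added here as an example (it is not code from the question or the answer). It compares the key file, the `parent` string sent to `createQueue`, and the JSON printed by `gcloud projects get-iam-policy`. The function name `diagnoseQueueCreate` and all sample values are hypothetical, and the role list holds only the two roles named on this page.

```javascript
// Roles named on this page that carry cloudtasks.queues.create (not an exhaustive list).
const ROLES_WITH_CREATE = ['roles/cloudtasks.queueAdmin', 'roles/cloudtasks.admin'];

// key:    parsed service-account key file (client_email and project_id are read)
// parent: the `parent` string passed to createQueue
// policy: JSON from `gcloud projects get-iam-policy <project> --format=json`
function diagnoseQueueCreate(key, parent, policy) {
  const m = /^projects\/([^/]+)\/locations\/([^/]+)$/.exec(parent);
  if (!m) return ['parent is not projects/<project-id>/locations/<location>'];
  const project = m[1];
  const findings = [];

  if (/^\d+$/.test(project)) {
    findings.push('parent uses a project number; use the project ID');
  }
  if (key.project_id !== project) {
    findings.push(`key is from project "${key.project_id}", request targets "${project}": ` +
      'the role has to be bound in the target project policy');
  }

  const member = `serviceAccount:${key.client_email}`;
  const relevant = (policy.bindings || []).filter((b) => ROLES_WITH_CREATE.includes(b.role));
  const grants = relevant.filter((b) => (b.members || []).includes(member));
  const stale = relevant.some((b) =>
    (b.members || []).some((x) => x.startsWith(`deleted:${member}?uid=`)));

  if (grants.length === 0) {
    findings.push(stale
      ? 'binding points at a deleted account with this e-mail; grant the role again'
      : `${member} holds no queue-creating role in this policy`);
  } else if (grants.every((b) => b.condition)) {
    findings.push('every matching binding is conditional; check its expression');
  }
  return findings;
}

// Constructed sample data (not from the question).
const SAMPLE_KEY = {
  type: 'service_account',
  project_id: 'my-project-id',
  client_email: 'queue-creator@my-project-id.iam.gserviceaccount.com',
};
const SAMPLE_POLICY = {
  bindings: [{
    role: 'roles/cloudtasks.queueAdmin',
    members: ['deleted:serviceAccount:queue-creator@my-project-id.iam.gserviceaccount.com?uid=123456789012345678901'],
  }],
};
console.log(diagnoseQueueCreate(SAMPLE_KEY, 'projects/my-project-id/locations/europe-central2', SAMPLE_POLICY));
```

An empty result means none of these causes applies, so the next things to check are the billing and API-enablement items from the answer.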