-1

I'm developing a Node.js application and trying to create a queue using Google Cloud Tasks, but I encounter the following error:

Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.queues.create" for the resource "projects/XXXXXX/locations/europe-central2" (or the resource may not exist).

Steps Taken:

1- Service Account Creation: I created a service account and assigned it the "Cloud Tasks Queue Admin" role (roles/cloudtasks.queueAdmin), which includes the cloudtasks.queues.create permission.

2- Client Configuration: I configured the Cloud Tasks client in my code as follows:

const { CloudTasksClient } = require('@google-cloud/tasks');
const clientCloudTasks = new CloudTasksClient({
  keyFilename: "./serviceAccountKey.json",
});

3- Queue Creation Attempt: I attempted to create a queue with the following code:

const queuePath = clientCloudTasks.queuePath('my-project-id', 'europe-central2', 'my-queue-id');

const queue = {
  name: queuePath,
  rateLimits: {
    maxDispatchesPerSecond: 1,
  },
};

const request = {
  parent: clientCloudTasks.locationPath('my-project-id', 'europe-central2'),
  queue: queue,
};

await clientCloudTasks.createQueue(request);

Additional Details:

  • I verified that the "Cloud Tasks Queue Admin" role includes the cloudtasks.queues.create permission.
  • The service account is correctly configured, and the JSON key file is properly referenced in the code.
  • The specified project and location exist and are correctly referenced.

Question:

Why am I receiving this permission error despite the configurations made?

Improve this question
3
  • The evidence suggests that you're not following the steps correctly that you describe but, since your question omits proof of your statements, it's difficult to help. You describe (1) creating a Service Account; (2) binding it to roles/cloudtasks.queueAdmin; (3) referencing a key from the Service Account in your code; (4) running the code (where?) but, at least one of these steps is incorrect. Please update your question with more details that prove your assertions so that we may help.
    – DazWilkin
    Commented Feb 5 at 17:05
  • It would also be better for you to export GOOGLE_APPLICATION_CREDENTIALS=${PWD}/serviceAccountKey.json and then const clientCloudTasks = new CloudTasksClient();
    – DazWilkin
    Commented Feb 5 at 19:01
  • "@DazWilkin Thank you for your feedback. Verified: 1-Service Account: Checked with: const keyFile = JSON.parse(fs.readFileSync("./serviceAccountKey.json")); console.log(keyFile.client_email); Result: [email protected]. 2-Roles: Has roles/cloudtasks.queueAdmin with cloudtasks.queues.create. 3-Issue: PERMISSION_DENIED: The principal lacks "cloudtasks.queues.create" for "projects/XXXXXX/locations/europe-central2". Question: Could there be additional configurations I’m missing?"
    – rafik
    Commented Feb 6 at 10:02

1 Answer 1

Reset to default
1

Before we focus on the permission error, let’s go back to the basics and make sure you performed these checks:

  1. Enable billing for your project

  2. Enable the Cloud Tasks API

For the permission error, here are the things you can try:

  • Inspect the resources; make sure to use the project ID (alphanumeric) not project number (numerical value)

  • If Cloud Tasks API was enabled prior to March 19, 2019

    • you need to manually add roleCloud Tasks Service Agent

    • verify if you have the Google-managed Cloud Task service account service-[project-number]@gcp-sa-cloudtasks.iam.gserviceaccount.com within the project

  • grant access to your service account with the following command (if applicable or have equivalent steps for your environment):

gcloud projects add-iam-policy-binding {project} \ 
--member=serviceAccount:{service-account-email} \ 
--role=roles/cloudtasks.queueAdmin 

(or roles/cloudtasks.admin -- not advisable but for testing purposes to see if there's any difference. Although @DazWilkin repro suggests that queueAdmin is working fine)
  • Delete roles and add it again
Improve this answer
1
  • Thank you for your answer. You were right: the problem was that I was using the project number (numeric value) instead of the project ID (alphanumeric). Now that I’ve corrected this, everything works perfectly!
    – rafik
    Commented Feb 7 at 14:06

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.