Spanner Emulator - Caller is missing IAM permission spanner.sessions.create on resource

Question

While trying to execute a query on local emulator using Java client API, I am getting the following error -

com.google.cloud.spanner.SpannerException: PERMISSION_DENIED: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Caller is missing IAM permission spanner.sessions.create on resource projects/test-project/instances/test-instance/databases/testdatabase.

How can I provide this user the capability to create a session on local spanner emulator?

Answer 1

The Cloud Spanner emulator does not implement any IAM and requires you to connect to it without any credentials, so this error seems at first sight to indicate that either:

1. You are not connected to the emulator after all, and this error is coming from a the real Cloud Spanner.
2. You have connected to the emulator with credentials.

Would you mind sharing the part of your code that is creating the connection?

Answer 2

First of all make sure that you've followed the following steps to configure your local environment appropriately. Basically make sure that all the Cloud Spanner related APIs are enabled and run the following command:

gcloud auth application-default login

By making sure that the account used for authentication has a role with enough permissions as described on the Access Control documentation. The Cloud Spanner Database Admin should allow you to issue your query, but you can create a custom role if you think that the permissions granted by the mentioned predefined role are too much.

The official documentation advises to create a separate gcloud configuration and making sure that you set the SPANNER_EMULATOR_HOST environment variable is set in the following way (check the correct info here:

export SPANNER_EMULATOR_HOST=localhost:9010