Best practices for setting up GCP billing for Hail for the first time

Yuan_Lian · March 15, 2024, 6:17pm

Can you please clarify what is best practice for a new user using Hail with GCP for the first time, how to get billing set up so that we have the ability to use dataproc and requester pays buckets?

I am a new Broadie and my group is using Hail for the first time. We just set up a GCP billing account MYBILLING and created a project MYPROJECTNAME. I have confirmed that I am logged in with gcloud auth list and that I have the following permissions with gcloud projects get-iam-policy MYPROJECTNAME:

roles/dataproc.admin
roles/dataproc.worker
roles/storage.admin

And yet when I try to run Hail, for instance with hailctl dataproc start cluster-1 --packages gnomad, I get this error:

ERROR: (gcloud.projects.get-iam-policy) User [XXX] does not have permission to access projects instance [XXX:getIamPolicy] (or it may not exist): The caller does not have permission

I have already consulted this: Using Hail on the Google Cloud Platform but it says it is “old and no longer works”. Meanwhiel the current “hail on the cloud” documentation: Hail | Hail on the Cloud does not specify how to grant the necessary permissions so that one can run the commands indicated.

ehigham · March 21, 2024, 7:02pm

Hi @Yuan_Lian!
I’m sorry to hear you’re having difficulty using hail with dataproc. While I can’t answer your general question about best practices, I can try to help unblock you. My colleague may be able to help with your general question when he returns.

The following documentation pages may be of help:

How to allow your hailctl dataproc cluster to access requester pays buckets: Hail | Google Cloud Platform
How to configure which project hail query should use whith requester pays buckets: Hail | Hail Query Python API

Regarding your issue with permissions, can you confirm if the redacted user “XXX” is your user or the service account associated with your user? You might need to configure your project’s IAM policies to allow access to that user/service account. See the link below for a reference of google’s predefined roles that you can use
https://cloud.google.com/iam/docs/understanding-roles#predefined

Unfortunately I don’t have a list of every permission required so you might need to try a couple of times until you get all of them. Try to keep permissions granted to service accounts to a minimum.

I hope this helps. Let me know if you need futher assistance.
Ed

Topic		Replies	Views
Hail on the cloud Help [0.1]	1	1606	November 11, 2016
Using Hail on the Google Cloud Platform Help [0.1]	18	13688	September 14, 2017
Running Hail 0.2 on Google Cloud Hail Query & hailctl	2	418	February 8, 2019
When I try to create a Dataproc cluster I get PERMISSION_DENIED Hail Query & hailctl	1	78	February 28, 2024
Permission denied (publickey) when trying to connect Dataproc notebook with hailctl Hail Query & hailctl	1	578	February 14, 2021

Best practices for setting up GCP billing for Hail for the first time

Related Topics