Unable to use plugin with GKE Workload Identity

[medzin]

Bug Report

I'm unable to use the plugin with GKE Workload Identity. I get following error:

required: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

Data source configuration:

- name: xxx
  type: doitintl-bigquery-datasource
  access: proxy
  jsonData:
    authenticationType: gce
    defaultProject: xxx

Steps to Reproduce the Problem

1. Deploy Grafana Helm chart on GKE cluster
2. Configure Workload Identity for the grafana service account
3. Add BigQuery data source and test it

Specifications

• Version: 1.0.7
• Platform: Docker/GKE
• Grafana Version: v6.7.1

[Fryuni]

I just installed it and worked perfectly, that was the easiest part. I granted these roles to the service account:

    "roles/bigquery.dataViewer",
    "roles/bigquery.metadataViewer",
    "roles/bigquery.user",
    "roles/bigquery.jobUser",

[LiorRacer]

Hi @medzin,
I believe you need to create a link between the service accounts as described here.
And verify that the service account has the right roles as @Fryuni mentioned.

[medzin]

@LiorRacer @Fryuni What version of GKE you were using?

[Fryuni]

@medzin We use GKE stable release channel (currently 1.14.10-gke.36) on our production deployment and regular channel (currently 1.16.8-gke.15) on our test deployment