Feature/custom worker service account (#711)

* docs for using a custom compute service account

Co-authored-by: Lawrence, Andrew <aelawrence@google.com>

Author: lawrenae

README.md

@@ -18,8 +18,13 @@ Please see the following links for more information:
 *  Blog post: [How Color uses the new Variant Transforms tool for breakthrough clinical data science with BigQuery](https://cloud.google.com/blog/big-data/2018/03/how-color-uses-the-new-variant-transforms-tool-for-breakthrough-clinical-data-science-with-bigquery).
 *  Blog post: [Accelerating Mayo Clinic’s data platform with BigQuery and Variant Transforms](https://cloud.google.com/blog/products/data-analytics/genome-data-analytics-with-google-cloud).
 *  Jupyter notebook: [Sample queries to explore variant data in BigQuery](docs/sample_queries)
+* The underlying pipeline uses
+[Cloud Dataflow](https://cloud.google.com/dataflow/). You can navigate to the
+[Dataflow Console](https://console.cloud.google.com/dataflow), to see more
+detailed view of the pipeline (e.g. number of records being processed, number of workers, more detailed error logs).
+
 
-### Prerequisites
+## Prerequisites
 
 1.  Follow the [getting started](https://cloud.google.com/genomics/docs/how-tos/getting-started)
     instructions on the Google Cloud page.
@@ -100,14 +105,8 @@ gcloud config set project GOOGLE_CLOUD_PROJECT
 gcloud config set compute/region REGION
 ```
 
-If you would like to run Variant Transforms in a custom subnetwork, see the
-[Advanced Flags](docs/setting_region.md#advanced-flags) documentation.
+There are options to control which service account, subnet and similar in the [Advanced Flags](docs/advanced_flags.md) documentation.
 
-The underlying pipeline uses
-[Cloud Dataflow](https://cloud.google.com/dataflow/). You can navigate to the
-[Dataflow Console](https://console.cloud.google.com/dataflow), to see more
-detailed view of the pipeline (e.g. number of records being processed, number of
-workers, more detailed error logs).
 
 ### Running from github
 

docs/advanced_flags.md

@@ -0,0 +1,72 @@
+# Advanced Flags
+
+## Custom Networks
+
+Variant Transforms supports custom networks. This can be used to start the processing VMs in a specific subnetwork of your Google Cloud project as opposed to the default network.
+
+Specify a subnetwork by using the `--subnetwork` flag and provide the name of the subnetwork as follows: `--subnetwork my-subnet`. Just use the name of the subnet, not the full path.
+
+Example:
+```bash
+COMMAND="/opt/gcp_variant_transforms/bin/vcf_to_bq ...
+
+docker run gcr.io/cloud-lifesciences/gcp-variant-transforms \
+  --project "${GOOGLE_CLOUD_PROJECT}" \
+  --subnetwork my-subnet \
+  ...
+  "${COMMAND}"
+```
+
+
+## Removing External IPs
+Variant Transforms allows disabling the use of external IP addresses with the
+`--use_public_ips` flag. If not specified, this defaults to true, so to restrict the
+use of external IP addresses, use `--use_public_ips false`. Note that without external
+IP addresses, VMs can only send packets to other internal IP addresses. To allow these
+VMs to connect to the external IP addresses used by Google APIs and services, you can
+[enable Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
+on the subnet.
+
+Example:
+```bash
+COMMAND="/opt/gcp_variant_transforms/bin/vcf_to_bq ...
+
+docker run gcr.io/cloud-lifesciences/gcp-variant-transforms \
+  --project "${GOOGLE_CLOUD_PROJECT}" \
+  --use_public_ips false \
+  ...
+  "${COMMAND}"
+```
+
+## Custom Dataflow Runner Image
+By default Variant Transforms uses a custom docker image to run the pipeline in: `gcr.io/cloud-lifesciences/variant-transforms-custom-runner:latest`.
+This image contains all the necessary python/linux dependencies needed to run variant transforms so that they are not downloaded from the internet when the pipeline starts.
+
+You can override which container is used by passing a `--sdk_container_image` as in the following example:
+
+```bash
+COMMAND="/opt/gcp_variant_transforms/bin/vcf_to_bq ...
+
+docker run gcr.io/cloud-lifesciences/gcp-variant-transforms \
+  --project "${GOOGLE_CLOUD_PROJECT}" \
+  --sdk_container_image gcr.io/path/to/my/container\
+  ...
+  "${COMMAND}"
+```
+
+## Custom Service Accounts
+By default the dataflow workers will use the [default compute service account](https://cloud.google.com/compute/docs/access/service-accounts#default_service_account). You can override which service account to use with the `--service_account` flag as in the following example:
+
+```bash
+COMMAND="/opt/gcp_variant_transforms/bin/vcf_to_bq ...
+
+docker run gcr.io/cloud-lifesciences/gcp-variant-transforms \
+  --project "${GOOGLE_CLOUD_PROJECT}" \
+  --service_account my-cool-dataflow-worker@<PROJECT_ID>.iam.gserviceaccount.com\
+  ...
+  "${COMMAND}"
+```
+
+**Other Service Account Notes:**
+- The [Life Sciences Service Account is not changable](https://cloud.google.com/life-sciences/docs/troubleshooting#missing_service_account)
+- The [Dataflow Admin Service Account is not changable](https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#service_account)

docs/setting_region.md

@@ -92,57 +92,3 @@ You can choose the region for the BigQuery dataset at dataset creation time.
 
 ![BigQuery dataset region](images/bigquery_dataset_region.png)
 
-## Advanced Flags
-
-Variant Transforms supports custom networks. This can be used to start the processing 
-VMs in a specific subnetwork of your Google Cloud project as opposed to the default 
-network.
-
-Specify a subnetwork by using the `--subnetwork` flag and provide the name of
-the subnetwork as follows: 
-`--subnetwork my-subnet`. Just use the name of the subnet, not the full path.
-
-Variant Transforms allows disabling the use of external IP addresses with the
-`--use_public_ips` flag. If not specified, this defaults to true, so to restrict the
-use of external IP addresses, use `--use_public_ips false`. Note that without external
-IP addresses, VMs can only send packets to other internal IP addresses. To allow these
-VMs to connect to the external IP addresses used by Google APIs and services, you can
-[enable Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
-on the subnet.
-
-For example, to run Variant Transforms in a subnetwork you already created called
-`my-subnet` with no public IP addresses you can add these flags to the
-example above as follows:
-
-```bash
-COMMAND="/opt/gcp_variant_transforms/bin/vcf_to_bq ...
-
-docker run gcr.io/cloud-lifesciences/gcp-variant-transforms \
-  --project "${GOOGLE_CLOUD_PROJECT}" \
-  --region us-central1 \
-  --location us-central1 \
-  --temp_location "${TEMP_LOCATION}" \
-  --subnetwork my-subnet \
-  --use_public_ips false \
-  "${COMMAND}"
-```
-
-## Custom Dataflow Runner Image
-By default Variant Transforms uses a custom docker image to run the pipeline in: `gcr.io/cloud-lifesciences/variant-transforms-custom-runner:latest`.
-This image contains all the necessary python/linux dependencies needed to run variant transforms so that they are not downloaded from the internet when the pipeline starts.
-
-You can override which container is used by passing a `--sdk_container_image` as in the following example:
-
-```bash
-COMMAND="/opt/gcp_variant_transforms/bin/vcf_to_bq ...
-
-docker run gcr.io/cloud-lifesciences/gcp-variant-transforms \
-  --project "${GOOGLE_CLOUD_PROJECT}" \
-  --region us-central1 \
-  --location us-central1 \
-  --temp_location "${TEMP_LOCATION}" \
-  --subnetwork my-subnet \
-  --use_public_ips false \
-  --sdk_container_image gcr.io/path/to/my/container\
-  "${COMMAND}"
-```