This repository was archived by the owner on Mar 4, 2026. It is now read-only.
This repository was archived by the owner on Mar 4, 2026. It is now read-only.
Calling table.insert() with missing permission will cause UncaughtException #1814
Description
If the service account is missing the permission spanner.databases.beginOrRollbackReadWriteTransaction when executing the table.insert(data) method, the node process will crash in an unhandledRejection (ignoring "the catch").
If the service account is only (or also) missing the permission spanner.sessions.create however, or if the project / instance / database doesn't exist, the catch will be hit with the following error:
7 PERMISSION_DENIED: Caller is missing IAM permission spanner.sessions.create on resource.
Something similar was reported (and fixed) here, but this is slightly different as it requires the spanner.sessions.create permission to exist for the requested resource.
Environment details
- OS: windows
- Node.js version: 18.12.1
- npm version: 8.19.2
@google-cloud/spannerversion: 6.7.2
Steps to reproduce
- The account should have all the required permissions to run the code below (like
spanner.sessions.create) but should NOT have the permissionspanner.databases.beginOrRollbackReadWriteTransaction - The project, instance and database must exist.
- Running the following code will give an UncaughtException
'Caller is missing IAM permission spanner.databases.beginOrRollbackReadWriteTransaction on resource projects/.../instances/.../databases/...:
const {Spanner} = require("@google-cloud/spanner");
const spanner = new Spanner({
projectId: 'an-existing-project',
});
const instance = spanner.instance("a-real-instance");
const database = instance.database("an-actual-database");
const table = database.table("SpannerTest");
const insertData = async () => {
try {
await table.insert([{name: "asdf"}]);
} catch (e) {
// Will not be hit
console.error('caught exception', e.message);
}
}
insertData();
Thanks!