When using the CLI gcloud commands, I can do everything action on my database. Yet when I try to do the same thing from Go (from the same shell instance as I did when using the gcloud commands) I get an error with the message:
spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."
The code I am trying to run is taken from the example found here: https://cloud.google.com/spanner/docs/getting-started/go/
I can't find that permission (spanner.session.create) in the spanner permissions either. I've been playing around with setting all permissions I could find related to spanner, on the account which I've used to log in with gcloud.
my GOOGLE_APPLICATION_CREDENTIALS are set and I've also tried with gcloud beta auth.
Cloud Spanner IAM roles including the permission spanner.session.create are listed and described here: https://cloud.google.com/spanner/docs/iam#roles
Note how some of the roles are specific to a Person while others are Machine-specific (or Service Account specific).
You need to specify where are you connecting from or executing the code (Cloud Shell instance, VM running on GCE, on-prem machine or laptop) and to ensure that correct roles are assigned to a Person or a Service Account which is attempting to execute the code and access Cloud Spanner instance.
Consider this scenario:
person@domain.com account which has granted roles/spanner.admin role, so everything works fine for gcloud12345678901-compute@developer.gserviceaccount.com Service Account and that one has no access to Cloud Spanner whatsoever, causing troubles.More information on Service Accounts here: https://cloud.google.com/compute/docs/access/service-accounts