chore: IAM Validation added for fail-safe.

Author: pratickchokhani

v1/pom.xml

@@ -559,6 +559,12 @@
       <artifactId>protobuf-java</artifactId>
       <version>4.33.1</version>
     </dependency>
+      <dependency>
+          <groupId>com.google.cloud.teleport.v2</groupId>
+          <artifactId>common</artifactId>
+          <version>1.0-SNAPSHOT</version>
+          <scope>compile</scope>
+      </dependency>
   </dependencies>
 
   <build>

v1/src/main/java/com/google/cloud/teleport/spanner/ImportPipeline.java

@@ -24,9 +24,15 @@
 import com.google.cloud.teleport.metadata.TemplateParameter.TemplateEnumOption;
 import com.google.cloud.teleport.spanner.ImportPipeline.Options;
 import com.google.cloud.teleport.spanner.spannerio.SpannerConfig;
+import com.google.cloud.teleport.v2.iam.IAMCheckResult;
+import com.google.cloud.teleport.v2.iam.IAMPermissionsChecker;
+import com.google.cloud.teleport.v2.iam.IAMRequirementsCreator;
+import com.google.cloud.teleport.v2.iam.IAMResourceRequirements;
+import java.util.Collections;
 import org.apache.beam.runners.dataflow.options.DataflowPipelineOptions;
 import org.apache.beam.sdk.Pipeline;
 import org.apache.beam.sdk.PipelineResult;
+import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;
 import org.apache.beam.sdk.options.Default;
 import org.apache.beam.sdk.options.Description;
 import org.apache.beam.sdk.options.PipelineOptions;
@@ -241,6 +247,8 @@ public static void main(String[] args) {
             .withDatabaseId(options.getDatabaseId())
             .withRpcPriority(options.getSpannerPriority());
 
+    validateRequiredPermissions(options);
+
     p.apply(
         new ImportTransform(
             spannerConfig,
@@ -264,4 +272,25 @@ public static void main(String[] args) {
       result.waitUntilFinish();
     }
   }
+
+  private static void validateRequiredPermissions(Options options) {
+    IAMResourceRequirements spannerRequirements =
+        IAMRequirementsCreator.createSpannerResourceRequirement();
+
+    IAMPermissionsChecker iamPermissionsChecker =
+        new IAMPermissionsChecker(
+            options.getSpannerProjectId().get(), options.as(GcpOptions.class));
+    IAMCheckResult missingPermission =
+        iamPermissionsChecker.check(Collections.singletonList(spannerRequirements));
+    if (missingPermission.isSuccess()) {
+      return;
+    }
+    String errorString =
+        "For resource: "
+            + missingPermission.getResourceName()
+            + ", missing permissions: "
+            + missingPermission.getMissingPermissions()
+            + ";";
+    throw new RuntimeException(errorString);
+  }
 }

v2/common/pom.xml

@@ -128,6 +128,11 @@
           <groupId>com.google.protobuf</groupId>
           <artifactId>protobuf-java</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.google.apis</groupId>
+            <artifactId>google-api-services-cloudresourcemanager</artifactId>
+            <version>v3-rev20251103-2.0.0</version>
+        </dependency>
 
         <!-- UDFs -->
         <dependency>

v2/common/src/main/java/com/google/cloud/teleport/v2/iam/IAMCheckResult.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.google.cloud.teleport.v2.iam;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/** Represents the result of an IAM permission check on a specific resource. */
+public class IAMCheckResult {
+  private final String resourceName;
+  private final List<String> missingPermissions;
+
+  public IAMCheckResult(String resourceName, List<String> missingPermissions) {
+    this.resourceName = resourceName;
+    this.missingPermissions = new ArrayList<>(missingPermissions);
+  }
+
+  public String getResourceName() {
+    return resourceName;
+  }
+
+  public List<String> getMissingPermissions() {
+    return new ArrayList<>(missingPermissions);
+  }
+
+  public boolean isSuccess() {
+    return missingPermissions.isEmpty();
+  }
+
+  @Override
+  public String toString() {
+    return "IAMCheckResult{"
+        + "resourceName='"
+        + resourceName
+        + '\''
+        + ", missingPermissions="
+        + missingPermissions
+        + ", success="
+        + isSuccess()
+        + '}';
+  }
+}

v2/common/src/main/java/com/google/cloud/teleport/v2/iam/IAMPermissionsChecker.java

@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.google.cloud.teleport.v2.iam;
+
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.http.HttpRequestInitializer;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.services.cloudresourcemanager.v3.CloudResourceManager;
+import com.google.api.services.cloudresourcemanager.v3.model.TestIamPermissionsRequest;
+import com.google.api.services.cloudresourcemanager.v3.model.TestIamPermissionsResponse;
+import com.google.auth.Credentials;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.common.annotations.VisibleForTesting;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.stream.Collectors;
+import org.apache.beam.sdk.extensions.gcp.auth.NullCredentialInitializer;
+import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/** Utility to check IAM permissions for various GCP resources. */
+public class IAMPermissionsChecker {
+  private static final Logger LOG = LoggerFactory.getLogger(IAMPermissionsChecker.class);
+  private final Credentials credential;
+  private static final String RESOURCE_NAME_FORMAT = "projects/%s";
+  private final String projectIdResource;
+
+  @VisibleForTesting static CloudResourceManager resourceManagerForTesting;
+
+  public IAMPermissionsChecker(String projectId, GcpOptions gcpOptions) {
+    this.credential = gcpOptions.getGcpCredential();
+    this.projectIdResource = String.format("projects/%s", projectId);
+  }
+
+  @VisibleForTesting
+  static void setResourceManagerForTesting(CloudResourceManager resourceManager) {
+    resourceManagerForTesting = resourceManager;
+  }
+
+  /**
+   * Checks IAM permissions for a list of requirements.
+   *
+   * @param requirements List of resources and required permissions.
+   * @return List of results, only missing permissions are included. Empty list indicate all the
+   *     requirements are met.
+   */
+  public IAMCheckResult check(List<IAMResourceRequirements> requirements) {
+    try {
+      CloudResourceManager resourceManager = createCloudResourceManagerService();
+
+      List<String> permissionList =
+          requirements.stream()
+              .map(IAMResourceRequirements::getPermissions)
+              .flatMap(Collection::stream)
+              .toList();
+      return check(resourceManager, permissionList);
+    } catch (IOException | GeneralSecurityException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  /**
+   * Checks IAM permissions for a single requirement list.
+   *
+   * @param requiredPermissions required permissions.
+   * @return Result of the check. It contains list of missing permissions.
+   */
+  private IAMCheckResult check(
+      CloudResourceManager resourceManager, List<String> requiredPermissions) {
+    HashSet<String> grantedPermissions =
+        new HashSet<>(checkPermission(resourceManager, projectIdResource, requiredPermissions));
+
+    List<String> missingPermissions =
+        requiredPermissions.stream()
+            .filter(p -> !grantedPermissions.contains(p))
+            .collect(Collectors.toList());
+
+    return new IAMCheckResult(projectIdResource, missingPermissions);
+  }
+
+  private List<String> checkPermission(
+      CloudResourceManager resourceManager, String resourceName, List<String> permissions) {
+    try {
+
+      TestIamPermissionsRequest requestBody =
+          new TestIamPermissionsRequest().setPermissions(permissions);
+
+      TestIamPermissionsResponse testIamPermissionsResponse =
+          resourceManager.projects().testIamPermissions(resourceName, requestBody).execute();
+
+      List<String> granted = testIamPermissionsResponse.getPermissions();
+      return granted == null ? Collections.emptyList() : granted;
+    } catch (IOException e) {
+      throw new RuntimeException("Failed to check project permissions", e);
+    }
+  }
+
+  private CloudResourceManager createCloudResourceManagerService()
+      throws IOException, GeneralSecurityException {
+    if (resourceManagerForTesting != null) {
+      return resourceManagerForTesting;
+    }
+    HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
+    JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
+    HttpRequestInitializer initializer = getHttpRequestInitializer(this.credential);
+    CloudResourceManager service =
+        new CloudResourceManager.Builder(httpTransport, jsonFactory, initializer)
+            .setApplicationName("service-accounts")
+            .build();
+    return service;
+  }
+
+  private static HttpRequestInitializer getHttpRequestInitializer(Credentials credential)
+      throws IOException {
+    if (credential == null) {
+      try {
+        return GoogleCredential.getApplicationDefault();
+      } catch (Exception e) {
+        return new NullCredentialInitializer();
+      }
+    } else {
+      return new HttpCredentialsAdapter(credential);
+    }
+  }
+}

v2/common/src/main/java/com/google/cloud/teleport/v2/iam/IAMRequirementsCreator.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.google.cloud.teleport.v2.iam;
+
+import com.google.common.collect.ImmutableList;
+import java.util.List;
+
+public class IAMRequirementsCreator {
+  private static final List<String> SPANNER_PERMISSIONS =
+      ImmutableList.of(
+          "spanner.databases.beginOrRollbackReadWriteTransaction",
+          "spanner.databases.beginPartitionedDmlTransaction",
+          "spanner.databases.beginReadOnlyTransaction",
+          "spanner.databases.create",
+          "spanner.databases.drop",
+          "spanner.databases.get",
+          "spanner.databases.getDdl",
+          "spanner.databases.list",
+          "spanner.databases.partitionQuery",
+          "spanner.databases.partitionRead",
+          "spanner.databases.read",
+          "spanner.databases.select",
+          "spanner.databases.update",
+          "spanner.databases.updateDdl",
+          "spanner.databases.write",
+          "spanner.instances.get",
+          "spanner.instances.list");
+
+  public static IAMResourceRequirements createSpannerResourceRequirement() {
+    return new IAMResourceRequirements(SPANNER_PERMISSIONS);
+  }
+}

v2/common/src/main/java/com/google/cloud/teleport/v2/iam/IAMResourceRequirements.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.google.cloud.teleport.v2.iam;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/** Represents the IAM permissions required on a specific GCP resource. */
+public class IAMResourceRequirements {
+  private final List<String> permissions;
+
+  public IAMResourceRequirements(List<String> permissions) {
+    if (permissions == null || permissions.isEmpty()) {
+      throw new IllegalArgumentException("Permissions list must not be empty");
+    }
+    this.permissions = new ArrayList<>(permissions);
+  }
+
+  public List<String> getPermissions() {
+    return new ArrayList<>(permissions);
+  }
+
+  @Override
+  public String toString() {
+    return getClass().getSimpleName() + "{" + "permissions=" + permissions + '}';
+  }
+}

v2/common/src/main/java/com/google/cloud/teleport/v2/iam/package-info.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) 2020 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+/** IAM validatory Utility classes for templates. */
+package com.google.cloud.teleport.v2.iam;