Assigned
Status Update
No update yet.
Default access
View
Expanded Access
--
--
--
Issue 397620029
Potential 403 PERMISSION_DENIED Errors When Accessing Agent Builder Web App URL due to Missing `discoveryengine.widgetConfigs.get` Permission
Feature Request
Description
Problem you may have encountered:
You may experience 403 PERMISSION_DENIED errors similar to [1] while trying to access Agent Builder Web App URL. To look this error up you can search the logs in your GCP project with Logs Explorer Filter [2].
Note: This will most likely impact those using a custom role as the required "discoveryengine.widgetConfigs.get" permission [3] was added to the "Discovery Engine User".
Public Documentation Updates Requested:
Public documentation [4] to be updated with the new additional permission needed:
discoveryengine.widgetConfigs.getSteps to reproduce:
Build an Agent Builder Web App and try to access the URL while using a custom role which is missing the permission
discoveryengine.widgetConfigs.get.Solutions
To fix the permission denied issue:
discoveryengine.widgetConfigs.get[3] needs to be added to the role which is attached to the group / user trying to access the Web App."Discovery Enginer User"which should include the [3] permission and any future permissions.You can find more information on IAM permissions in [4] and [5].
[1]
ERROR 2025-02-13T...Z [protoPayload.serviceName: discoveryengine.googleapis.com] [protoPayload.methodName: google.cloud.discoveryengine.v1main.WidgetConfigService.GetWidgetConfig] [protoPayload.resourceName: projects/.../widgetConfigs/...] PERMISSION_DENIED[2] Logs Explorer Filter:
[3]
"discoveryengine.widgetConfigs.get"[4]https://cloud.google.com/generative-ai-app-builder/docs/data-source-access-control#grant-role
[5] Additional information on granting permissions and roles: