Docs: permissions required for service account if using google.batch.serviceAccountEmail

[nick-youngblut]

New feature

The docs at https://www.nextflow.io/docs/latest/google.html#google-cloud and https://seqera.io/blog/nextflow-with-gbatch/ do not state the permissions required if using google.batch.serviceAccountEmail to change the service account used for each GCP Batch job, versus each batch job using the default account. google.batch.serviceAccountEmail is useful when one needs to access GCP resources from batch jobs, and has specific IAM roles set for the target service account to be used for the batch jobs (instead of using the default service account).

Without the correct IAM roles set for the account use via google.batch.serviceAccountEmail, the GCP Batch jobs just stay in the scheduled state forever.

Usage scenario

Any time one wants to use google.batch.serviceAccountEmail.

Suggest implementation

More docs at https://www.nextflow.io/docs/latest/google.html#google-cloud and/or https://seqera.io/blog/nextflow-with-gbatch/.

Maybe also more info at:

google.batch.serviceAccountEmail
Define the Google service account email to use for the pipeline execution. If not specified, the default Compute Engine service account for the project will be used.

Note that the google.batch.serviceAccountEmail service account will only be used for spawned jobs, not for the Nextflow process itself. See the Google Cloud documentation for more information on credentials.

[nick-youngblut]

I see that the roles are listed at https://cloud.google.com/batch/docs/nextflow

It could help to have https://www.nextflow.io/docs/latest/google.html#credentials link to https://cloud.google.com/batch/docs/nextflow