Solved

Issues using Data Export (Enhanced) API and secops export CLI: 403 PERMISSION_DENIED and 400 INVALID_ARGUMENT

  • November 17, 2025
  • 4 replies
  • 86 views

msugar_t

Hi everyone,

I want to export raw logs from our Google SecOps instance to a GCS bucket in the same region (northamerica-northeast2, Toronto) using the Data Export (Enhanced) API, either directly with curl or via the secops export CLI (https://github.com/google/secops-wrapper).

However, I’m running into two main issues:

  1. Listing export jobs

    • secops export list and the corresponding GET projects/.../dataExports REST call both return:

      {
        "error": {
          "code": 403,
          "message": "The caller does not have permission",
          "status": "PERMISSION_DENIED"
        }
      }
    • This happens for me and for our SecOps administrator, who supposedly has full admin access in the SecOps UI.

  2. Creating export jobs

    • secops export create --gcs-bucket "projects/<project>/buckets/<bucket>" --all-logs --time-window 24 prints a warning that no log types are available for export, then fails with:

      {
        "error": {
          "code": 400,
          "message": "invalid resource",
          "status": "INVALID_ARGUMENT"
        }
      }
    • A direct POST projects/.../dataExports with a JSON body containing startTime, endTime, gcsBucket, and an includeLogTypes entry for PAN_FIREWALL results in the same 400 "invalid resource" error.

    • I’ve tried gcsBucket with both the project ID and project number (projects/<id>/buckets/<bucket> and projects/<number>/buckets/<bucket>), with no change.

What I’ve already checked / done:

  • Search works: secops search --query 'metadata.log_type = "PAN_FIREWALL"' returns events, so the data is there and searchable.

  • Bucket region: GCS bucket is in NORTHAMERICA-NORTHEAST2, matching the SecOps region.

  • SecOps service account IAM:

    • Fetched via dataExports:fetchServiceAccountForDataExport.

    • That service account has roles/storage.objectAdmin and roles/storage.legacyBucketReader on the bucket.

  • CLI config: secops config is set with the correct customer ID, project ID, and region northamerica-northeast2.

  • Tried both CLI and raw API: errors are identical, so it doesn’t seem to be just a wrapper CLI issue.

  • SecOps admin tested as well: they see the same 403 on list and 400 on create.

Questions for the community:

  • Has anyone seen 403 PERMISSION_DENIED on dataExports.list even when using a SecOps admin account that otherwise has full access?

  • For those who have Data Export (Enhanced) working, what exact format do you use for gcsBucket (project ID vs project number), and are there any tenant- or project-level constraints that could cause "invalid resource"?

  • Are there any additional steps to fully enable Data Export (Enhanced) for a tenant beyond what’s in the public documentation (e.g., support-side feature flag)?

Any insights, known gotchas, or working examples (with sensitive details redacted) would be greatly appreciated.
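Added here as an illustration (not code from the post above or from the secops-wrapper project): a small Python pre-flight that assembles the dataExports request body from the fields named in the post, checks a bucket IAM policy for the two roles the post grants to the export service account, and maps the two error responses to a first troubleshooting step. The bucket-name regex, the includeLogTypes entry format and the policy JSON shape are assumptions.

```python
"""Local pre-flight checks before calling dataExports.create (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Resource-name format the thread uses for gcsBucket (regex is an assumption).
BUCKET_RE = re.compile(r"^projects/[^/]+/buckets/[a-z0-9][a-z0-9._-]{1,220}[a-z0-9]$")
# Roles the thread reports granting to the export service account on the bucket.
REQUIRED_ROLES = {"roles/storage.objectAdmin", "roles/storage.legacyBucketReader"}


def build_export_request(gcs_bucket, include_log_types, hours=24, now=None):
    """Assemble and locally validate the JSON body for a dataExports POST."""
    if not BUCKET_RE.match(gcs_bucket):
        raise ValueError(f"gcsBucket must be projects/<project>/buckets/<bucket>, got {gcs_bucket!r}")
    if not include_log_types:
        raise ValueError("includeLogTypes is empty; nothing would be exported")
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    fmt = "%Y-%m-%dT%H:%M:%SZ"  # RFC 3339 timestamps in UTC
    return {
        "startTime": start.strftime(fmt),
        "endTime": end.strftime(fmt),
        "gcsBucket": gcs_bucket,
        # Entry format is an assumption; pass the values your API version expects.
        "includeLogTypes": list(include_log_types),
    }


def missing_bucket_roles(policy, service_account, required=REQUIRED_ROLES):
    """Return the required roles the export service account lacks on the bucket.
    `policy` is the JSON shape printed by `gcloud storage buckets get-iam-policy --format=json`."""
    member = f"serviceAccount:{service_account}"
    granted = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return sorted(required - granted)


def triage_error(response):
    """Map the two failure responses seen in the thread to a first troubleshooting step."""
    err = response.get("error", {})
    hints = {
        (403, "PERMISSION_DENIED"): "caller cannot list/create exports: check the caller's IAM and whether Data Export (Enhanced) is enabled on the instance",
        (400, "INVALID_ARGUMENT"): "request rejected as invalid resource: check gcsBucket format and region, and the includeLogTypes entries",
    }
    return hints.get((err.get("code"), err.get("status")), f"unexpected response: {err}")


# Constructed sample policy: the service account has objectAdmin but not legacyBucketReader.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:export-sa@example.iam.gserviceaccount.com"]},
]}
```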

4 replies

kentphelps
Staff
  • Staff
  • November 20, 2025

I believe you want to open a support case and see if the UDM Export feature is provisioned and enabled for your instance.


msugar_t
  • Author
  • New Member
  • November 25, 2025

> I believe you want to open a support case and see if the UDM Export feature is provisioned and enabled for your instance.


Yes, I’ve already opened a support case, and I’ll add a request to confirm that the UDM Export feature is enabled.

Thanks.


msugar_t
  • Author
  • New Member
  • Answer
  • November 28, 2025

Google Support confirmed that the "exportV2" feature was not enabled on our instance. After they enabled it, some functionality started working, but the API still doesn't fully deliver what the documentation describes.

I've closed the support case for now and will revisit this next year once the Data Export (Enhanced) API has matured further.

Regarding "UDM Export": Thanks to kentphelps for the suggestion. Google Support clarified that it's not relevant to this case, since the Data Export (Enhanced) API only exports raw events, not UDM-parsed events.

Hope this helps anyone else running into similar issues.


harry21
  • New Member
  • November 29, 2025

I believe you want to open a support case and see if the UDM Export feature is provisioned and enabled for your instance.