Google Cloud Platform - Managing Access using IAM in BigQuery
Last Updated : 30 Mar, 2023
While big data brings us valuable insights and opportunities, it also brings the responsibility to ensure that data is secure, meaning that only the right data is shared with the right people. In this article, we look at how to use Google Cloud's Identity and Access Management (IAM) service to define which users can run queries in your projects and which users can access your datasets.
BigQuery is a fully managed service. That means it takes advantage of Google's infrastructure security: Google secures its infrastructure end to end, from the physical security of its data centers to stringent operational practices.
But this article is about the role you play in keeping your projects and data secure. Specifically, how you share project and data set access with different end-users and groups in your company. The key to managing access to your projects and data is the Identity and Access Management Service or IAM.
Cloud IAM allows you to manage access control by defining three things: the member (who), the role (what access), and the resource the policy is attached to (which resource). In other words, you specify who has what access to which resource. Let's take a closer look at each of these.
Member:
First, the member, or who has access. You can define a member in several ways. One way is to identify an end user by their email address, if it is associated with a Google account. You can also set access for a collection of users by using a Google Group, a G Suite (Google Workspace) domain, or a Cloud Identity domain as the member. Sometimes it is not a person but an application or service that needs access to your BigQuery data. In this case, you create a service account, which is a special type of Google account intended to represent a non-human user. When you create a service account, it is assigned its own email address, which you use as the member's identity when defining access. Finally, there is a special identifier, allAuthenticatedUsers, that you can use as the member when you want to grant dataset access to any signed-in Google account. This is exactly how Google makes its BigQuery public datasets available to all BigQuery users. Be careful with it: allAuthenticatedUsers means anyone signed in to any Google account, not just accounts in your organization, so a dataset shared this way is effectively public (and allUsers goes one step further and includes anonymous access). Use these members only for data you intend to publish.

Role:
Once you have defined the member, you need to decide what role to give that member. A role is a set of permissions that determines which operations the member is allowed to perform. Cloud IAM provides several predefined BigQuery roles that bundle these permissions:

| Role | Role ID | Description |
|---|---|---|
| BigQuery Admin | roles/bigquery.admin | Manage all resources and data within the project |
| BigQuery Data Owner | roles/bigquery.dataOwner | Access to edit and share datasets and tables |
| BigQuery Data Editor | roles/bigquery.dataEditor | Access to edit datasets and all their tables |
| BigQuery Data Viewer | roles/bigquery.dataViewer | Access to view datasets and all their tables |
| BigQuery Job User | roles/bigquery.jobUser | Access to run jobs, including queries, billed to the project |
| BigQuery User | roles/bigquery.user | Access to run queries and create datasets |
| BigQuery Metadata Viewer | roles/bigquery.metadataViewer | Access to view table and dataset metadata, but not the data itself |

Note the split between data roles (Data Viewer, Data Editor, Data Owner), which govern what a member can see or change in a dataset, and job roles (Job User, User), which govern whether a member can run queries and store results billed to the project. A member usually needs one of each. It is also possible to create custom roles, which let you bundle exactly the permissions you need. The trade-off is maintenance: as Google Cloud adds features, permissions, and services, you have to update your custom roles yourself, whereas predefined roles are maintained by Google. For this reason it is recommended to stick with predefined roles where they fit; you can always assign more than one predefined role to a member.
Policy:
Together, the member and the role make up a binding, and the set of bindings on a resource is its IAM policy. The policy can be attached to a specific table, a dataset, or the GCP project itself (and above that, a folder or organization). Policies are inherited downward and are purely additive: a role granted at the project level applies to all current and future datasets in the project, and a more restrictive policy on an individual dataset cannot take that access away. So grant at the lowest level that does the job.
Let's see how it works in a specific scenario. Suppose you're a retail company with two groups of data analysts. The first group analyzes your retail sales, and the second analyzes customer service requests. These two types of data are stored in separate data sets within your project. Both groups of analysts need full access, read and write, to the data set that they work on and access to run queries on the project.
Let's head to the console and set up the policies. You'll start by giving the sales analysts the BigQuery Data Editor role for the retail sales dataset. To set roles at the dataset level, select the dataset in the resources pane, then click Share dataset near the right-hand side of the window. On the Dataset permissions tab, enter the member you want to add into the Add members box, select the BigQuery Data Editor role, and click Add. Then click Done.
Then follow the same steps to give the customer service analysts the BigQuery data editor role for the customer service data set. You'll notice we're using Google groups to grant roles. Google groups are a convenient way to create a policy for the collection of users. You can grant and change access for a whole group at once, instead of individual users one at a time.
Then you can add or remove members directly in the Google Group itself, without touching the IAM policy. Giving the analysts the Data Editor role at the dataset level gives them access to all the tables within that particular dataset, but it does not give them permission to run queries billed to the project. For that, they must be granted a project-level job role: BigQuery User, as in this scenario, or BigQuery Job User if they do not need to create datasets. To grant roles at the project level, open the navigation menu, hover over IAM & Admin, and click IAM.
At the top of the screen, click Add. In the New members box, enter the email addresses of both analyst groups.
Select the BigQuery User role and click Save.
Now your two teams are ready and equipped to analyze their data securely.
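Once the policies above are in place, the thing a practitioner actually wants is a way to check them, since the console shows each dataset's sharing settings and the project's IAM bindings on separate screens. The following is an added example, not code from the original article or from Google. It audits the JSON shapes that `bq show --format=prettyjson PROJECT:DATASET` returns for a dataset (its `access` list) and that `gcloud projects get-iam-policy PROJECT --format=json` returns for a project (its `bindings` list), and flags the three mistakes this article warns about: a data role granted on a dataset without a matching project-level job role, a dataset shared with `allAuthenticatedUsers` or `allUsers`, and basic roles used where a predefined BigQuery role would do. The project, dataset and group names are constructed for illustration; the embedded policies stand in for the command output so the script runs offline.

```python
"""Audit BigQuery dataset ACLs and project IAM bindings (added example).

Works on the "access" list from `bq show --format=prettyjson` and the
"bindings" list from `gcloud projects get-iam-policy --format=json`.
Names below are constructed; they are not from the article.
"""

# Legacy dataset ACL roles and the predefined IAM roles they correspond to.
LEGACY_ROLE = {"READER": "roles/bigquery.dataViewer",
               "WRITER": "roles/bigquery.dataEditor",
               "OWNER": "roles/bigquery.dataOwner"}
# Roles that include bigquery.jobs.create, i.e. running queries billed to the project.
JOB_ROLES = {"roles/bigquery.jobUser", "roles/bigquery.user",
             "roles/bigquery.admin", "roles/owner", "roles/editor"}
# Principals that make a dataset readable far beyond your organisation.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Basic roles grant far more than BigQuery access.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def dataset_entry_to_binding(entry):
    """Normalise one dataset "access" entry to (IAM member, IAM role).

    Entries for authorized views/routines/datasets carry no principal -> None.
    """
    role = LEGACY_ROLE.get(entry.get("role"), entry.get("role"))
    if "userByEmail" in entry:          # service accounts also appear here
        email = entry["userByEmail"]
        prefix = "serviceAccount:" if email.endswith(".gserviceaccount.com") else "user:"
        return prefix + email, role
    if "groupByEmail" in entry:
        return "group:" + entry["groupByEmail"], role
    if "domain" in entry:
        return "domain:" + entry["domain"], role
    if "specialGroup" in entry:         # projectOwners, projectReaders, allAuthenticatedUsers, ...
        return entry["specialGroup"], role
    if "iamMember" in entry:            # e.g. allUsers
        return entry["iamMember"], role
    return None


def project_members(policy, roles):
    """Members holding any of `roles` in a project IAM policy."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding["role"] in roles:
            found.update(binding.get("members", []))
    return found


def audit(project_policy, datasets):
    """Return sorted findings for a project policy and {dataset_id: access list}."""
    findings = [f"project: {m} holds a basic role; prefer a predefined BigQuery role"
                for m in sorted(project_members(project_policy, BASIC_ROLES))]
    job_runners = project_members(project_policy, JOB_ROLES)
    for ds_id, access in datasets.items():
        for entry in access:
            binding = dataset_entry_to_binding(entry)
            if binding is None:
                continue
            member, role = binding
            if member in PUBLIC_MEMBERS:
                findings.append(f"{ds_id}: {member} granted {role}; dataset is effectively public")
            elif member.startswith("project"):
                continue                # projectOwners etc. resolve to project-level roles
            elif member not in job_runners:
                findings.append(f"{ds_id}: {member} has {role} but no project-level job role; "
                                "cannot run queries billed to this project")
    return sorted(findings)


SALES_GROUP = "group:sales-analysts@example.com"   # constructed
CS_GROUP = "group:cs-analysts@example.com"         # constructed

# The article's intended setup: each group edits its own dataset, both hold
# BigQuery User on the project so they can run queries billed to it.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/bigquery.user", "members": [SALES_GROUP, CS_GROUP]}]}
DATASETS = {
    "retail_sales": [{"role": "WRITER", "groupByEmail": "sales-analysts@example.com"},
                     {"role": "OWNER", "specialGroup": "projectOwners"}],
    "customer_service": [{"role": "roles/bigquery.dataEditor", "groupByEmail": "cs-analysts@example.com"},
                         {"role": "OWNER", "specialGroup": "projectOwners"}]}

# A drifted setup: the CS group's project-level grant is missing, an intern
# holds Editor on the whole project, and sales data is shared with every
# signed-in Google account.
DRIFTED_POLICY = {"bindings": [
    {"role": "roles/bigquery.user", "members": [SALES_GROUP]},
    {"role": "roles/editor", "members": ["user:intern@example.com"]}]}
DRIFTED_DATASETS = {
    "retail_sales": [{"role": "WRITER", "groupByEmail": "sales-analysts@example.com"},
                     {"role": "READER", "specialGroup": "allAuthenticatedUsers"}],
    "customer_service": [{"role": "WRITER", "groupByEmail": "cs-analysts@example.com"}]}

if __name__ == "__main__":
    print("intended:", audit(PROJECT_POLICY, DATASETS) or "no findings")
    for finding in audit(DRIFTED_POLICY, DRIFTED_DATASETS):
        print("drifted:", finding)
```

Against the intended configuration the audit returns nothing; against the drifted one it reports the customer-service group that can see its data but cannot query it, the intern's basic role, and the public grant on the sales dataset. To run it against a real project, replace the embedded dictionaries with the parsed output of the two commands named in the lead-in; the legacy READER/WRITER/OWNER roles that older datasets still carry are mapped to their predefined IAM equivalents so both styles are audited the same way.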