Control access to resources with IAM
This document describes how to view the current access policy of a resource, how to grant access to a resource, and how to revoke access to a resource.
This document assumes familiarity with the Identity and Access Management (IAM) system in Google Cloud.
Required roles
To get the permissions that you need to modify IAM policies for resources,
ask your administrator to grant you the
BigQuery Data Owner (roles/bigquery.dataOwner
) IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to modify IAM policies for resources. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to modify IAM policies for resources:
-
To get a dataset's access policy:
bigquery.datasets.get
-
To set a dataset's access policy:
bigquery.datasets.update
-
To get a dataset's access policy (Google Cloud console only):
bigquery.datasets.getIamPolicy
-
To set a dataset's access policy (console only):
bigquery.datasets.setIamPolicy
-
To get a table or view's policy:
bigquery.tables.getIamPolicy
-
To set a table or view's policy:
bigquery.tables.setIamPolicy
-
To create bq tool or SQL BigQuery jobs (optional):
bigquery.jobs.create
You might also be able to get these permissions with custom roles or other predefined roles.
View the access policy of a resource
The following sections describe how to view the access policies of different resources.
View the access policy of a dataset
Select one of the following options:
Console
Go to the BigQuery page.
In the Explorer pane, expand your project and select a dataset.
Click > Permissions.
SharingThe dataset access policies appear in the Dataset Permissions pane.
bq
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To get an existing policy and output it to a local file in JSON, use the
bq show
command in Cloud Shell:bq show \ --format=prettyjson \ PROJECT_ID:DATASET > PATH_TO_FILE
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of your dataset
- PATH_TO_FILE: the path to the JSON file on your local machine
API
To view the access policy of a dataset, call the
datasets.get
method with a defined
dataset
resource.
The policy is available in the access
property of the returned dataset
resource.
View the access policy of a table or view
Select one of the following options:
Console
Go to the BigQuery page.
In the Explorer pane, expand your project and select a table or view.
Click
Share.The table or view access policies appear in the Share pane.
bq
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To get an existing access policy and output it to a local file in JSON, use the
bq get-iam-policy
command in Cloud Shell:bq get-iam-policy \ --table=true \ PROJECT_ID:DATASET.RESOURCE > PATH_TO_FILE
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of your dataset
- RESOURCE: the name of the table or view whose policy you want to view
- PATH_TO_FILE: the path to the JSON file on your local machine
API
To retrieve the current policy, call the
tables.getIamPolicy
method.
Grant access to a resource
The following sections describe how to grant access to different resources.
Grant access to a dataset
Select one of the following options:
Console
Go to the BigQuery page.
In the Explorer pane, expand your project and select a dataset to share.
Click > Permissions.
SharingClick
Add principal.In the New principals field, enter a principal.
In the Select a role list, select a predefined role or a custom role.
Click Save.
To return to the dataset info, click Close.
SQL
To grant principals access to datasets, use the
GRANT
DCL statement:
In the Google Cloud console, go to the BigQuery page.
In the query editor, enter the following statement:
GRANT `ROLE_LIST` ON SCHEMA RESOURCE_NAME TO "USER_LIST"
Replace the following:
ROLE_LIST
: a role or list of comma-separated roles that you want to grantRESOURCE_NAME
: the name of the resource that you want to grant the permission onUSER_LIST
: a comma-separated list of users that the role is granted toFor a list of valid formats, see
user_list
.
Click
Run.
For more information about how to run queries, see Run an interactive query.
The following example grants the Data Viewer role on the dataset
myDataset
:
GRANT `roles/bigquery.dataViewer`
ON SCHEMA `myProject`.myDataset
TO "user:raha@example-pet-store.com", "user:sasha@example-pet-store.com"
bq
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To write the existing dataset information (including access controls) to a JSON file, use the
bq show
command:bq show \ --format=prettyjson \ PROJECT_ID:DATASET > PATH_TO_FILE
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of your dataset
- PATH_TO_FILE: the path to the JSON file on your local machine
Make changes to the
access
section of the JSON file. You can add to any of thespecialGroup
entries:projectOwners
,projectWriters
,projectReaders
, andallAuthenticatedUsers
. You can also add any of the following:userByEmail
,groupByEmail
, anddomain
.For example, the
access
section of a dataset's JSON file would look like the following:{ "access": [ { "role": "READER", "specialGroup": "projectReaders" }, { "role": "WRITER", "specialGroup": "projectWriters" }, { "role": "OWNER", "specialGroup": "projectOwners" }, { "role": "READER", "specialGroup": "allAuthenticatedUsers" }, { "role": "READER", "domain": "domain_name" }, { "role": "WRITER", "userByEmail": "user_email" }, { "role": "READER", "groupByEmail": "group_email" } ], ... }
When your edits are complete, use the
bq update
command and include the JSON file using the--source
flag. If the dataset is in a project other than your default project, add the project ID to the dataset name in the following format:PROJECT_ID:DATASET
.bq update \ --source PATH_TO_FILE \ PROJECT_ID:DATASET
To verify your access control changes, use the
bq show
command again without writing the information to a file:bq show --format=prettyjson PROJECT_ID:DATASET
Terraform
Use the
google_bigquery_dataset_iam
resources to update
access to a dataset.
Set the access policy for a dataset
The following example shows how to use the
google_bigquery_dataset_iam_policy
resource
to set the IAM policy for the
mydataset
dataset. This replaces any existing policy already attached
to the dataset:
# This file sets the IAM policy for the dataset created by # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_dataset/main.tf. # You must place it in the same local directory as that main.tf file, # and you must have already applied that main.tf file to create # the "default" dataset resource with a dataset_id of "mydataset". data "google_iam_policy" "iam_policy" { binding { role = "roles/bigquery.admin" members = [ "user:hao@altostrat.com", ] } binding { role = "roles/bigquery.dataOwner" members = [ "group:dba@altostrat.com", ] } binding { role = "roles/bigquery.dataEditor" members = [ "serviceAccount:bqcx-1234567891011-12a3@gcp-sa-bigquery-condel.iam.gserviceaccount.com", ] } } resource "google_bigquery_dataset_iam_policy" "dataset_iam_policy" { dataset_id = google_bigquery_dataset.default.dataset_id policy_data = data.google_iam_policy.iam_policy.policy_data }
Set role membership for a dataset
The following example shows how to use the
google_bigquery_dataset_iam_binding
resource
to set membership in a given role for the
mydataset
dataset. This replaces any existing membership in that role.
Other roles within the IAM policy for the dataset
are preserved:
# This file sets membership in an IAM role for the dataset created by # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_dataset/main.tf. # You must place it in the same local directory as that main.tf file, # and you must have already applied that main.tf file to create # the "default" dataset resource with a dataset_id of "mydataset". resource "google_bigquery_dataset_iam_binding" "dataset_iam_binding" { dataset_id = google_bigquery_dataset.default.dataset_id role = "roles/bigquery.jobUser" members = [ "user:raha@altostrat.com", "group:analysts@altostrat.com" ] }
Set role membership for a single principal
The following example shows how to use the
google_bigquery_dataset_iam_member
resource
to update the IAM policy for the
mydataset
dataset to grant a role to one principal. Updating this
IAM policy does not affect access for any other principals
that have been granted that role for the dataset.
# This file adds a member to an IAM role for the dataset created by # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_dataset/main.tf. # You must place it in the same local directory as that main.tf file, # and you must have already applied that main.tf file to create # the "default" dataset resource with a dataset_id of "mydataset". resource "google_bigquery_dataset_iam_member" "dataset_iam_member" { dataset_id = google_bigquery_dataset.default.dataset_id role = "roles/bigquery.user" member = "user:yuri@altostrat.com" }
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
-
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
-
In Cloud Shell, create a directory and a new
file within that directory. The filename must have the
.tf
extension—for examplemain.tf
. In this tutorial, the file is referred to asmain.tf
.mkdir DIRECTORY && cd DIRECTORY && touch main.tf
-
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf
.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
-
Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgrade
option:terraform init -upgrade
Apply the changes
-
Review the configuration and verify that the resources that Terraform is going to create or
update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
-
Apply the Terraform configuration by running the following command and entering
yes
at the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
API
To apply access controls when the dataset is created, call the
datasets.insert
method
with a defined
dataset resource.
To update your access controls, call the
datasets.patch
method and use
the access
property in the Dataset
resource.
Because the datasets.update
method replaces the entire dataset resource,
datasets.patch
is the preferred method for updating access controls.
Go
Before trying this sample, follow the Go setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Go API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Java
Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Python
Before trying this sample, follow the Python setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Python API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Set thedataset.access_entries
property
with the access controls for a dataset. Then call the
client.update_dataset()
function to update the property.
Grant access to a table or view
Select one of the following options:
Console
Go to the BigQuery page.
In the Explorer pane, expand your project and select a table or view to share.
Click
Share.Click
Add principal.In the New principals field, enter a principal.
In the Select a role list, select a predefined role or a custom role.
Click Save.
To return to the table or view details, click Close.
SQL
To grant principals access to tables or views, use the
GRANT
DCL statement:
In the Google Cloud console, go to the BigQuery page.
In the query editor, enter the following statement:
GRANT `ROLE_LIST` ON RESOURCE_TYPE RESOURCE_NAME TO "USER_LIST"
Replace the following:
ROLE_LIST
: a role or list of comma-separated roles that you want to grantRESOURCE_TYPE
: the type of resource that the role is applied toSupported values include
TABLE
,VIEW
,MATERIALIZED VIEW
andEXTERNAL TABLE
.RESOURCE_NAME
: the name of the resource that you want to grant the permission onUSER_LIST
: a comma-separated list of users that the role is granted toFor a list of valid formats, see
user_list
.
Click
Run.
For more information about how to run queries, see Run an interactive query.
The following example grants the Data Viewer role on the table
myTable
:
GRANT `roles/bigquery.dataViewer`
ON TABLE `myProject`.myDataset.myTable
TO "user:raha@example-pet-store.com", "user:sasha@example-pet-store.com"
bq
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To grant access to a table or view, use the
bq add-iam-policy-binding
command:bq add-iam-policy-binding --member=MEMBER_TYPE:MEMBER --role=ROLE --table=true RESOURCE
Replace the following:
- MEMBER_TYPE: the type of member, such as
user
,group
,serviceAccount
, ordomain
. - MEMBER: the member's email address or domain name.
- ROLE: the role that you want to grant to the member.
- RESOURCE: the name of the table or view whose policy you want to update.
- MEMBER_TYPE: the type of member, such as
Terraform
Use the
google_bigquery_table_iam
resources to update access to a table.
Set the access policy for a table
The following example shows how to use the
google_bigquery_table_iam_policy
resource
to set the IAM policy for the
mytable
table. This replaces any existing policy already attached
to the table:
# This file sets the IAM policy for the table created by # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_table/main.tf. # You must place it in the same local directory as that main.tf file, # and you must have already applied that main.tf file to create # the "default" table resource with a table_id of "mytable". data "google_iam_policy" "iam_policy" { binding { role = "roles/bigquery.dataOwner" members = [ "user:raha@altostrat.com", ] } } resource "google_bigquery_table_iam_policy" "table_iam_policy" { dataset_id = google_bigquery_table.default.dataset_id table_id = google_bigquery_table.default.table_id policy_data = data.google_iam_policy.iam_policy.policy_data }
Set role membership for a table
The following example shows how to use the
google_bigquery_table_iam_binding
resource
to set membership in a given role for the
mytable
table. This replaces any existing membership in that role.
Other roles within the IAM policy for the table
are preserved.
# This file sets membership in an IAM role for the table created by # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_table/main.tf. # You must place it in the same local directory as that main.tf file, # and you must have already applied that main.tf file to create # the "default" table resource with a table_id of "mytable". resource "google_bigquery_table_iam_binding" "table_iam_binding" { dataset_id = google_bigquery_table.default.dataset_id table_id = google_bigquery_table.default.table_id role = "roles/bigquery.dataOwner" members = [ "group:analysts@altostrat.com", ] }
Set role membership for a single principal
The following example shows how to use the
google_bigquery_table_iam_member
resource
to update the IAM policy for the
mytable
table to grant a role to one principal. Updating this
IAM policy does not affect access for any other principals
that have been granted that role for the dataset.
# This file adds a member to an IAM role for the table created by # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_table/main.tf. # You must place it in the same local directory as that main.tf file, # and you must have already applied that main.tf file to create # the "default" table resource with a table_id of "mytable". resource "google_bigquery_table_iam_member" "table_iam_member" { dataset_id = google_bigquery_table.default.dataset_id table_id = google_bigquery_table.default.table_id role = "roles/bigquery.dataEditor" member = "serviceAccount:bqcx-1234567891011-12a3@gcp-sa-bigquery-condel.iam.gserviceaccount.com" }
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
-
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
-
In Cloud Shell, create a directory and a new
file within that directory. The filename must have the
.tf
extension—for examplemain.tf
. In this tutorial, the file is referred to asmain.tf
.mkdir DIRECTORY && cd DIRECTORY && touch main.tf
-
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf
.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
-
Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgrade
option:terraform init -upgrade
Apply the changes
-
Review the configuration and verify that the resources that Terraform is going to create or
update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
-
Apply the Terraform configuration by running the following command and entering
yes
at the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
API
- To retrieve the current policy, call the
tables.getIamPolicy
method. Edit the policy to add members or bindings, or both. For the format required for the policy, see the Policy reference topic.
Call
tables.setIamPolicy
to write the updated policy. Note: Empty bindings with no members are not allowed and result in an error.
Java
Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Python
Before trying this sample, follow the Python setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Python API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Revoke access to a resource
The following sections describe how to revoke access to different resources.
Revoke access to a dataset
Select one of the following options:
Console
Go to the BigQuery page.
In the Explorer panel, expand your project and select a dataset.
In the details panel, click Sharing > Permissions.
In the Dataset Permissions dialog, expand the principal whose access you want to revoke.
Click
Remove principal.In the Remove role from principal? dialog, click Remove.
To return to dataset details, click Close.
SQL
To remove access to datasets from principals, use the
REVOKE
DCL statement:
In the Google Cloud console, go to the BigQuery page.
In the query editor, enter the following statement:
REVOKE `ROLE_LIST` ON SCHEMA RESOURCE_NAME FROM "USER_LIST"
Replace the following:
ROLE_LIST
: a role or list of comma-separated roles that you want to revokeRESOURCE_NAME
: the name of the resource that you want to revoke permission onUSER_LIST
: a comma-separated list of users who will have their roles revokedFor a list of valid formats, see
user_list
.
Click
Run.
For more information about how to run queries, see Run an interactive query.
The following example revokes the Admin role on the dataset
myDataset
:
REVOKE `roles/bigquery.admin`
ON SCHEMA `myProject`.myDataset
FROM "group:example-team@example-pet-store.com", "serviceAccount:user@test-project.iam.gserviceaccount.com"
bq
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To write the existing dataset information (including access controls) to a JSON file, use the
bq show
command:bq show \ --format=prettyjson \ PROJECT_ID:DATASET > PATH_TO_FILE
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of your dataset
- PATH_TO_FILE: the path to the JSON file on your local machine
Make changes to the
access
section of the JSON file. You can remove any of thespecialGroup
entries:projectOwners
,projectWriters
,projectReaders
, andallAuthenticatedUsers
. You can also remove any of the following:userByEmail
,groupByEmail
, anddomain
.For example, the
access
section of a dataset's JSON file would look like the following:{ "access": [ { "role": "READER", "specialGroup": "projectReaders" }, { "role": "WRITER", "specialGroup": "projectWriters" }, { "role": "OWNER", "specialGroup": "projectOwners" }, { "role": "READER", "specialGroup": "allAuthenticatedUsers" }, { "role": "READER", "domain": "domain_name" }, { "role": "WRITER", "userByEmail": "user_email" }, { "role": "READER", "groupByEmail": "group_email" } ], ... }
When your edits are complete, use the
bq update
command and include the JSON file using the--source
flag. If the dataset is in a project other than your default project, add the project ID to the dataset name in the following format:PROJECT_ID:DATASET
.bq update \ --source PATH_TO_FILE \ PROJECT_ID:DATASET
To verify your access control changes, use the
show
command again without writing the information to a file:bq show --format=prettyjson PROJECT_ID:DATASET
API
Call datasets.patch
and
use the access
property in the Dataset
resource to update your access controls.
Because the datasets.update
method replaces the entire dataset resource,
datasets.patch
is the preferred method for updating access controls.
Go
Before trying this sample, follow the Go setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Go API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Python
Before trying this sample, follow the Python setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Python API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Set thedataset.access_entries
property with the access controls for a dataset. Then call the
client.update_dataset()
function to update the property.
Revoke access to a table or view
Select one of the following options:
Console
Go to the BigQuery page.
In the Explorer panel, expand your project and select a table or view.
In the details panel, click Share.
In the Share dialog, expand the principal whose access you want to revoke.
Click
Delete.In the Remove role from principal? dialog, click Remove.
To return to the table or view details, click Close.
SQL
To remove access to tables or views from principals, use the
REVOKE
DCL statement:
In the Google Cloud console, go to the BigQuery page.
In the query editor, enter the following statement:
REVOKE `ROLE_LIST` ON RESOURCE_TYPE RESOURCE_NAME FROM "USER_LIST"
Replace the following:
ROLE_LIST
: a role or list of comma-separated roles that you want to revokeRESOURCE_TYPE
: the type of resource that the role is revoked fromSupported values include
TABLE
,VIEW
,MATERIALIZED VIEW
andEXTERNAL TABLE
.RESOURCE_NAME
: the name of the resource that you want to revoke permission onUSER_LIST
: a comma-separated list of users who will have their roles revokedFor a list of valid formats, see
user_list
.
Click
Run.
For more information about how to run queries, see Run an interactive query.
The following example revokes the Admin role on the table
myTable
:
REVOKE `roles/bigquery.admin`
ON TABLE `myProject`.myDataset.myTable
FROM "group:example-team@example-pet-store.com", "serviceAccount:user@test-project.iam.gserviceaccount.com"
bq
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To revoke access to a table or view, use the
bq remove-iam-policy-binding
command:bq remove-iam-policy-binding --member=MEMBER_TYPE:MEMBER --role=ROLE --table=true RESOURCE
Replace the following:
- MEMBER_TYPE: the type of member, such as
user
,group
,serviceAccount
, ordomain
. - MEMBER: the member's email address or domain name.
- ROLE: the role that you want to revoke from the member.
- RESOURCE: the name of the table or view whose policy you want to update.
- MEMBER_TYPE: the type of member, such as
API
- To retrieve the current policy, call the
tables.getIamPolicy
method. Edit the policy to remove members or bindings, or both. For the format required for the policy, see the Policy reference topic.
Call
tables.setIamPolicy
to write the updated policy. Note: Empty bindings with no members are not allowed and result in an error.
Java
Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Deny access to a resource
IAM deny policies let you set guardrails on access to BigQuery resources. You can define deny rules that prevent selected principals from using certain permissions, regardless of the roles they're granted.
For information about how to create, update, and delete deny policies, see Deny access to resources.
Special cases
Consider the following scenarios when you create IAM deny policies on a few BigQuery permissions:
Access to authorized resources (views, routines, datasets, or stored procedures) lets you create, drop, or manipulate a table, along with reading and modifying table data, even if you don't have direct permission to perform those operations. It can also get model data or metadata and invoke other stored procedures on the underlying table. This capability implies that the authorized resources have the following permissions:
bigquery.tables.get
bigquery.tables.list
bigquery.tables.getData
bigquery.tables.updateData
bigquery.tables.create
bigquery.tables.delete
bigquery.routines.get
bigquery.routines.list
bigquery.datasets.get
bigquery.models.getData
bigquery.models.getMetadata
To deny access to these authorized resources, add one of the following values to the
deniedPrincipal
field when you create the deny policy:Value Use case principalSet://goog/public:all
Blocks all principals including authorized resources. principalSet://bigquery.googleapis.com/projects/PROJECT_NUMBER/*
Blocks all BigQuery authorized resources in the specified project. PROJECT_NUMBER
is an automatically generated unique identifier for your project of typeINT64
.To exempt certain principals from the deny policy, specify those principals in the
exceptionPrincipals
field of your deny policy. For example,exceptionPrincipals: "principalSet://bigquery.googleapis.com/projects/1234/*"
.BigQuery caches query results of a job owner for 24 hours, which the job owner can access without needing the
bigquery.tables.getData
permission on the table containing the data. Hence, adding an IAM deny policy to thebigquery.tables.getData
permission doesn't block access to cached results for the job owner until the cache expires. To block the job owner access to cached results, create a separate deny policy on thebigquery.jobs.create
permission.To prevent unintended data access when using deny policies to block data read operations, we recommend that you also review and revoke any existing subscriptions on the dataset.
To create a IAM deny policy for viewing dataset access controls, deny the following permissions:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
To create a IAM deny policy for updating dataset access controls, deny the following permissions:
bigquery.datasets.update
bigquery.datasets.setIamPolicy