Control access to resources with IAM

This document describes how to view, grant, and revoke access controls for BigQuery datasets and for the resources within datasets: tables, views, and routines. Although models are also dataset-level resources, you cannot grant access to individual models using IAM roles.

You can grant access to Google Cloud resources by using allow policies , also known as Identity and Access Management (IAM) policies , which are attached to resources. You can attach only one allow policy to each resource. The allow policy controls access to the resource itself, as well as any descendants of that resource that inherit the allow policy .

For more information on allow policies, see Policy structure in the IAM documentation.

This document assumes familiarity with the Identity and Access Management (IAM) in Google Cloud.

Limitations

Routine access control lists (ACLs) aren't included in replicated routines .
Routines inside external or linked datasets don't support access controls.
Tables inside external or linked datasets don't support access controls.
Routine access controls can't be set with Terraform.
Routine access controls can't be set with the Google Cloud SDK.
Routine access controls can't be set using the BigQuery data control language (DCL) .
Data Catalog doesn't support routine access controls. If a user has conditionally granted routine-level access, they won't see their routines in the BigQuery side panel. As a workaround, grant dataset-level access instead.
The INFORMATION_SCHEMA.OBJECT_PRIVILEGES view doesn't show access controls for routines.

Before you begin

Grant Identity and Access Management (IAM) roles that give users the necessary permissions to perform each task in this document.

Required roles

To get the permissions that you need to modify IAM policies for resources, ask your administrator to grant you the BigQuery Data Owner ( roles/bigquery.dataOwner ) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations .

This predefined role contains the permissions required to modify IAM policies for resources. To see the exact permissions that are required, expand the Required permissionssection:

Required permissions

The following permissions are required to modify IAM policies for resources:

To get a dataset's access policy: bigquery.datasets.get
To set a dataset's access policy: bigquery.datasets.update
To get a dataset's access policy (Google Cloud console only): bigquery.datasets.getIamPolicy
To set a dataset's access policy (console only): bigquery.datasets.setIamPolicy
To get a table or view's policy: bigquery.tables.getIamPolicy
To set a table or view's policy: bigquery.tables.setIamPolicy
To get a routine's access policy: bigquery.routines.getIamPolicy
To set a routine's access policy: bigquery.routines.setIamPolicy
To create bq tool or SQL BigQuery jobs (optional): bigquery.jobs.create

You might also be able to get these permissions with custom roles or other predefined roles .

Work with dataset access controls

You can provide access to a dataset by granting an IAM principal a predefined or custom role that determines what the principal can do with the dataset. This is also known as attaching an allow policy to a resource. After granting access, you can view the dataset's access controls, and you can revoke access to the dataset.

Grant access to a dataset

You can't grant access to a dataset when you create it using the BigQuery web UI or the bq command-line tool. You must create the dataset first and then grant access to it. The API lets you grant access during dataset creation by calling the datasets.insert method with a defined dataset resource .

A project is the parent resource for a dataset, and a dataset is the parent resource for tables and views, routines, and models. When you grant a role at the project level, the role and its permissions are inherited by the dataset and by the dataset's resources. Similarly, when you grant a role at the dataset level, the role and its permissions are inherited by the resources within the dataset.

You can provide access to a dataset by granting an IAM role permission to access the dataset or by conditionally granting access using an IAM condition. For more information on granting conditional access, see Control access with IAM Conditions .

To grant an IAM role access to a dataset without using conditions, select one of the following options:

Console

Go to the BigQuerypage.

Go to BigQuery
In the left pane, click Explorer:

If you don't see the left pane, click Expand left paneto open the pane.
In the Explorerpane, expand your project, click Datasets, and then select a dataset.
Click Sharing > Permissions.
Click Add principal.
In the New principalsfield, enter a principal.
In the Select a rolelist, select a predefined role or a custom role.
Click Save.
To return to the dataset info, click Close.

SQL

To grant principals access to datasets, use the GRANT DCL statement :

In the Google Cloud console, go to the BigQuerypage.

Go to BigQuery
In the query editor, enter the following statement:
```
 GRANT 
  
 ` ROLE_LIST 
` 
 ON 
  
 SCHEMA 
  
  RESOURCE_NAME 
 
 TO 
  
 " USER_LIST 
" 
```
Replace the following:
- ROLE_LIST : a role or list of comma-separated roles that you want to grant
- RESOURCE_NAME : the name of the dataset that you're granting access to
- USER_LIST : a comma-separated list of users that the role is granted to
  
  For a list of valid formats, see user_list .
Click Run.

For more information about how to run queries, see Run an interactive query .

The following example grants the BigQuery Data Viewer role to myDataset :

  GRANT 
  
 `roles/bigquery.dataViewer` 
 ON 
  
 SCHEMA 
  
 `myProject` 
 . 
 myDataset 
 TO 
  
 "user:user@example.com" 
 , 
  
 "user:user2@example.com"

bq

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To write the existing dataset information (including access controls) to a JSON file, use the bq show command :
```
bq  
show  
 \ 
  
--format = 
prettyjson  
 \ 
  
 PROJECT_ID 
: DATASET 
  
>  
 PATH_TO_FILE 
```
Replace the following:
- PROJECT_ID : your project ID
- DATASET : the name of your dataset
- PATH_TO_FILE : the path to the JSON file on your local machine

Make changes to the access section of the JSON file. You can add to any of the specialGroup entries: projectOwners , projectWriters , projectReaders , and allAuthenticatedUsers . You can also add any of the following: userByEmail , groupByEmail , and domain .

For example, the access section of a dataset's JSON file would look like the following:

 { 
  
 "access" 
 : 
  
 [ 
  
 { 
  
 "role" 
 : 
  
 "READER" 
 , 
  
 "specialGroup" 
 : 
  
 "projectReaders" 
  
 }, 
  
 { 
  
 "role" 
 : 
  
 "WRITER" 
 , 
  
 "specialGroup" 
 : 
  
 "projectWriters" 
  
 }, 
  
 { 
  
 "role" 
 : 
  
 "OWNER" 
 , 
  
 "specialGroup" 
 : 
  
 "projectOwners" 
  
 }, 
  
 { 
  
 "role" 
 : 
  
 "READER" 
 , 
  
 "specialGroup" 
 : 
  
 "allAuthenticatedUsers" 
  
 }, 
  
 { 
  
 "role" 
 : 
  
 "READER" 
 , 
  
 "domain" 
 : 
  
 " domain_name 
" 
  
 }, 
  
 { 
  
 "role" 
 : 
  
 "WRITER" 
 , 
  
 "userByEmail" 
 : 
  
 " user_email 
" 
  
 }, 
  
 { 
  
 "role" 
 : 
  
 "READER" 
 , 
  
 "groupByEmail" 
 : 
  
 " group_email 
" 
  
 } 
  
 ], 
  
 ... 
 }

When your edits are complete, use the bq update command and include the JSON file using the --source flag. If the dataset is in a project other than your default project, add the project ID to the dataset name in the following format: PROJECT_ID : DATASET .

Caution: When you apply the JSON file that contains the access controls, the existing access controls are overwritten.
```
  
bq  
update  

  
--source  
 PATH_TO_FILE 
  

  
 PROJECT_ID 
: DATASET 
  
```
To verify your access control changes, use the bq show command again without writing the information to a file:
```
bq  
show  
--format = 
prettyjson  
 PROJECT_ID 
: DATASET 
```

Terraform

Use the google_bigquery_dataset_iam resources to update access to a dataset.

Set the access policy for a dataset

The following example shows how to use the google_bigquery_dataset_iam_policy resource to set the IAM policy for the mydataset dataset. This replaces any existing policy already attached to the dataset:

 # This file sets the IAM policy for the dataset created by 
 # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_dataset/main.tf. 
 # You must place it in the same local directory as that main.tf file, 
 # and you must have already applied that main.tf file to create 
 # the "default" dataset resource with a dataset_id of "mydataset". 
data  
 "google_iam_policy" 
  
 "iam_policy" 
  
 { 
  
binding  
 { 
  
 role 
  
 = 
  
 "roles/bigquery.admin" 
  
 members 
  
 = 
  
 [ 
  
 "user:user@example.com" 
,  
 ] 
  
 } 
  
binding  
 { 
  
 role 
  
 = 
  
 "roles/bigquery.dataOwner" 
  
 members 
  
 = 
  
 [ 
  
 "group:data.admin@example.com" 
,  
 ] 
  
 } 
  
binding  
 { 
  
 role 
  
 = 
  
 "roles/bigquery.dataEditor" 
  
 members 
  
 = 
  
 [ 
  
 "serviceAccount:bqcx-1234567891011-12a3@gcp-sa-bigquery-condel.iam.gserviceaccount.com" 
,  
 ] 
  
 } 
 } 
resource  
 "google_bigquery_dataset_iam_policy" 
  
 "dataset_iam_policy" 
  
 { 
  
 dataset_id 
  
 = 
  
google_bigquery_dataset.default.dataset_id  
 policy_data 
  
 = 
  
data.google_iam_policy.iam_policy.policy_data }

Set role membership for a dataset

The following example shows how to use the google_bigquery_dataset_iam_binding resource to set membership in a given role for the mydataset dataset. This replaces any existing membership in that role. Other roles within the IAM policy for the dataset are preserved:

 # This file sets membership in an IAM role for the dataset created by 
 # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_dataset/main.tf. 
 # You must place it in the same local directory as that main.tf file, 
 # and you must have already applied that main.tf file to create 
 # the "default" dataset resource with a dataset_id of "mydataset". 
resource  
 "google_bigquery_dataset_iam_binding" 
  
 "dataset_iam_binding" 
  
 { 
  
 dataset_id 
  
 = 
  
google_bigquery_dataset.default.dataset_id  
 role 
  
 = 
  
 "roles/bigquery.jobUser" 
  
 members 
  
 = 
  
 [ 
  
 "user:user@example.com" 
,  
 "group:group@example.com" 
  
 ] 
 }

Set role membership for a single principal

The following example shows how to use the google_bigquery_dataset_iam_member resource to update the IAM policy for the mydataset dataset to grant a role to one principal. Updating this IAM policy does not affect access for any other principals that have been granted that role for the dataset.

 # This file adds a member to an IAM role for the dataset created by 
 # https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/bigquery/bigquery_create_dataset/main.tf. 
 # You must place it in the same local directory as that main.tf file, 
 # and you must have already applied that main.tf file to create 
 # the "default" dataset resource with a dataset_id of "mydataset". 
resource  
 "google_bigquery_dataset_iam_member" 
  
 "dataset_iam_member" 
  
 { 
  
 dataset_id 
  
 = 
  
google_bigquery_dataset.default.dataset_id  
 role 
  
 = 
  
 "roles/bigquery.user" 
  
 member 
  
 = 
  
 "user:user@example.com" 
 }

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

Launch Cloud Shell .
Set the default Google Cloud project where you want to apply your Terraform configurations.

You only need to run this command once per project, and you can run it in any directory.
```
export GOOGLE_CLOUD_PROJECT= PROJECT_ID 
```
Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (also called a root module ).

In Cloud Shell , create a directory and a new file within that directory. The filename must have the .tf extension—for example main.tf . In this tutorial, the file is referred to as main.tf .
```
mkdir DIRECTORY 
&& cd DIRECTORY 
&& touch main.tf
```
If you are following a tutorial, you can copy the sample code in each section or step.

Copy the sample code into the newly created main.tf .

Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
Review and modify the sample parameters to apply to your environment.
Save your changes.
Initialize Terraform. You only need to do this once per directory.
```
terraform init
```
Optionally, to use the latest Google provider version, include the -upgrade option:
```
terraform init -upgrade
```

Apply the changes

Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
```
terraform plan
```
Make corrections to the configuration as necessary.
Apply the Terraform configuration by running the following command and entering yes at the prompt:
```
terraform apply
```
Wait until Terraform displays the "Apply complete!" message.
Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

API

To apply access controls when the dataset is created, call the datasets.insert method with a defined dataset resource . To update your access controls, call the datasets.patch method and use the access property in the Dataset resource.

Because the datasets.update method replaces the entire dataset resource, datasets.patch is the preferred method for updating access controls.

Go

Before trying this sample, follow the Go setup instructions in the BigQuery quickstart using client libraries . For more information, see the BigQuery Go API reference documentation .

To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

Set the new access list by appending the new entry to the existing list with DatasetMetadataToUpdate type . Then call the dataset.Update() function to update the property.

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "cloud.google.com/go/bigquery" 
 ) 
 // grantAccessToDataset creates a new ACL conceding the READER role to the group "example-analyst-group@google.com" 
 // For more information on the types of ACLs available see: 
 // https://cloud.google.com/storage/docs/access-control/lists 
 func 
  
 grantAccessToDataset 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 projectID 
 , 
  
 datasetID 
  
 string 
 ) 
  
 error 
  
 { 
  
 // TODO(developer): uncomment and update the following lines: 
  
 // projectID := "my-project-id" 
  
 // datasetID := "mydataset" 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 // Create BigQuery handler. 
  
 client 
 , 
  
 err 
  
 := 
  
 bigquery 
 . 
 NewClient 
 ( 
 ctx 
 , 
  
 projectID 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "bigquery.NewClient: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
 Close 
 () 
  
 // Create dataset handler 
  
 dataset 
  
 := 
  
 client 
 . 
 Dataset 
 ( 
 datasetID 
 ) 
  
 // Get metadata 
  
 meta 
 , 
  
 err 
  
 := 
  
 dataset 
 . 
 Metadata 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "bigquery.Dataset.Metadata: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 // Find more details about BigQuery Entity Types here: 
  
 // https://pkg.go.dev/cloud.google.com/go/bigquery#EntityType 
  
 // 
  
 // Find more details about BigQuery Access Roles here: 
  
 // https://pkg.go.dev/cloud.google.com/go/bigquery#AccessRole 
  
 entityType 
  
 := 
  
 bigquery 
 . 
  GroupEmailEntity 
 
  
 entityID 
  
 := 
  
 "example-analyst-group@google.com" 
  
 roleType 
  
 := 
  
 bigquery 
 . 
  ReaderRole 
 
  
 // Append a new access control entry to the existing access list. 
  
 update 
  
 := 
  
 bigquery 
 . 
  DatasetMetadataToUpdate 
 
 { 
  
 Access 
 : 
  
 append 
 ( 
 meta 
 . 
 Access 
 , 
  
& bigquery 
 . 
  AccessEntry 
 
 { 
  
 Role 
 : 
  
 roleType 
 , 
  
 EntityType 
 : 
  
 entityType 
 , 
  
 Entity 
 : 
  
 entityID 
 , 
  
 }), 
  
 } 
  
 // Leverage the ETag for the update to assert there's been no modifications to the 
  
 // dataset since the metadata was originally read. 
  
 meta 
 , 
  
 err 
  
 = 
  
 dataset 
 . 
 Update 
 ( 
 ctx 
 , 
  
 update 
 , 
  
 meta 
 . 
 ETag 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 err 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Details for Access entries in dataset %v.\n" 
 , 
  
 datasetID 
 ) 
  
 for 
  
 _ 
 , 
  
 access 
  
 := 
  
 range 
  
 meta 
 . 
 Access 
  
 { 
  
 fmt 
 . 
 Fprintln 
 ( 
 w 
 ) 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Role: %s\n" 
 , 
  
 access 
 . 
 Role 
 ) 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Entities: %v\n" 
 , 
  
 access 
 . 
 Entity 
 ) 
  
 } 
  
 return 
  
 nil 
 }

Permission	Resource	Action
`bigquery.datasets.create`	Project	Create new datasets in the project.
`bigquery.datasets.get`	Dataset	Get metadata and access controls for the dataset. Viewing permissions in the console also requires the `bigquery.datasets.getIamPolicy` permission.
`bigquery.datasets.getIamPolicy`	Dataset	Required by the console to grant the user permission to get a dataset's access controls. Fails open. The console also requires the `bigquery.datasets.get` permission to view the dataset.
`bigquery.datasets.update`	Dataset	Update metadata and access controls for the dataset. Updating access controls in the console also requires the `bigquery.datasets.setIamPolicy` permission.
`bigquery.datasets.setIamPolicy`	Dataset	Required by the console to grant the user permission to set a dataset's access controls. Fails open. The console also requires the `bigquery.datasets.update` permission to update the dataset.
`bigquery.datasets.delete`	Dataset	Delete a dataset.
`bigquery.datasets.createTagBinding`	Dataset	Attach tags to the dataset.
`bigquery.datasets.deleteTagBinding`	Dataset	Detach tags from the dataset.
`bigquery.datasets.listTagBindings`	Dataset	List tags for the dataset.
`bigquery.datasets.listEffectiveTags`	Dataset	List effective tags (applied and inherited) for the dataset.
`bigquery.datasets.link`	Dataset	Create a linked dataset .
`bigquery.datasets.listSharedDatasetUsage`	Project	List shared dataset usage statistics for datasets that you have access to in the project. This permission is required to query the `INFORMATION_SCHEMA.SHARED_DATASET_USAGE` view.

Permission	Resource	Action
`bigquery.tables.create`	Dataset	Create new tables in the dataset.
`bigquery.tables.createIndex`	Table	Create a search index on the table.
`bigquery.tables.deleteIndex`	Table	Delete a search index on the table.
`bigquery.tables.createSnapshot`	Table	Create a snapshot of the table. Creating a snapshot requires several additional permissions at the table and dataset level. For details, see Permissions and roles for creating table snapshots.
`bigquery.tables.deleteSnapshot`	Table	Delete a snapshot of the table.
`bigquery.tables.delete`	Table	Delete a table.
`bigquery.tables.createTagBinding`	Table	Create resource tag bindings on a table.
`bigquery.tables.deleteTagBinding`	Table	Delete resource tag bindings on a table.
`bigquery.tables.listTagBindings`	Table	List resource tag bindings on a table.
`bigquery.tables.listEffectiveTags`	Table	List effective tags (applied and inherited) for the table.
`bigquery.tables.export`	Table	Export the table's data. Running an extract job also requires `bigquery.jobs.create` permissions.
`bigquery.tables.get`	Table	Get metadata for a table.
`bigquery.tables.getData`	Table	Query the table's data. Running a query job also requires `bigquery.jobs.create` permissions.
`bigquery.tables.getIamPolicy`	Table	Get access controls for the table.
`bigquery.tables.list`	Dataset	List all tables and table metadata in the dataset.
`bigquery.tables.replicateData`	Table	Replicate table data. This permission is required for creating replica materialized views.
`bigquery.tables.restoreSnapshot`	Table	Restore a table snapshot.
`bigquery.tables.setCategory`	Table	Set policy tags in the table's schema.
`bigquery.tables.setColumnDataPolicy`	Table	Set column-level access policies on a table.
`bigquery.tables.setIamPolicy`	Table	Set access controls on a table.
`bigquery.tables.update`	Table	Update table. `metadata. bigquery.tables.get` is also required to update table metadata in the console.
`bigquery.tables.updateData`	Table	Update table data.
`bigquery.tables.updateIndex`	Table	Update a search index on the table.

Permission	Resource	Description
`bigquery.routines.create`	Dataset	Create a routine in the dataset. This permission also requires `bigquery.jobs.create` to run a query job that contains a `CREATE FUNCTION` statement.
`bigquery.routines.delete`	Routine	Delete a routine.
`bigquery.routines.get`	Routine	Reference a routine created by someone else. This permission also requires `bigquery.jobs.create` to run a query job that references the routine, and you also need permission to access any resources that the routine references, such as tables or views.
`bigquery.routines.list`	Dataset	List routines in the dataset and show metadata for routines.
`bigquery.routines.update`	Routine	Update routine definitions and metadata.
`bigquery.routines.getIamPolicy`	Routine	Get access controls for the routine.
`bigquery.routines.setIamPolicy`	Routine	Set access controls for the routine.

Value	Use case
`principalSet://goog/public:all`	Blocks all principals including authorized resources.
`principalSet://bigquery.googleapis.com/projects/ PROJECT_NUMBER /*`	Blocks all BigQuery authorized resources in the specified project. `PROJECT_NUMBER` is an automatically generated unique identifier for your project of type `INT64` .

Control access to resources with IAM

Limitations

Before you begin

Required roles

Required permissions

Work with dataset access controls

Grant access to a dataset

Console

SQL

bq

Terraform

Prepare Cloud Shell

Prepare the directory

Apply the changes

API

Go

Java

Node.js

Python

Predefined roles that grant access to datasets

Dataset permissions

View access controls for a dataset

Console

bq

SQL

API

Go

Java

Node.js

Python

Revoke access to a dataset

Console

SQL

bq

API

Go

Java

Node.js

Python

Work with table and view access controls

Grant access to a table or view

Console

SQL

bq

Terraform

Prepare Cloud Shell

Prepare the directory

Apply the changes

API

Go

Java

Node.js

Python

Predefined roles that grant access to tables and views

Permissions for tables and views

View access controls for a table or view

Console

bq

SQL

API

Go

Java

Node.js

Revoke access to a table or view

Console

SQL

bq

API

Go

Java

Node.js

Work with access controls for routines

Grant access to a routine

Console

bq

API

Predefined roles that grant access to routines

Permissions for routines

View the access controls for a routine

Console