
I've found instructions on how to generate credentials at the project level, but there aren't clear instructions on adding a service account to only a specific dataset using the CLI.

I tried creating the service account:

gcloud iam service-accounts create NAME

and then getting the dataset:

bq show \
--format=prettyjson \
project_id:dataset > path_to_file

and then adding a role to the access section

    {
      "role": "OWNER",
      "userByEmail": "[email protected]"
    },

and then updating it. It seemed to work because I was able to create a table, but then I got an access denied error ("User does not have bigquery.jobs.create permission in project") when I tried loading data into the table.

When I inspected the project in the cloud console, it seemed as if my service account was added to the project rather than the dataset, which is not what I want but also does not explain why I don't have the correct permissions. In addition to owner permissions I tried assigning editor permission and admin, neither of which solved the issue.

1 Answer

It is not possible for a service account to only have permissions on a dataset level and then run a query. When a query is invoked, it will create a job. To create a job, the service account to be used should have permission bigquery.jobs.create added at a project level. See document for required permissions to run a job.

With this in mind, it is required to add bigquery.jobs.create at project level so you can run queries on the shared dataset.

NOTE: You can use any of the following pre-defined roles as they all have bigquery.jobs.create.

  • roles/bigquery.user
  • roles/bigquery.jobUser
  • roles/bigquery.admin

With my example I used roles/bigquery.user. See steps below:

  1. Create a new service account ([email protected])
  2. Get the permissions on my dataset using bq show --format=prettyjson my-project:mydataset > info.json
  3. Add OWNER permission to service account in info.json

    {
      "role": "OWNER",
      "userByEmail": "[email protected]"
    },

  4. Updated the permissions using bq update --source info.json my-project:mydataset
  5. Check BigQuery > mydataset > "SHARE DATASET" to see if the service account was added.


  6. Add role roles/bigquery.user to service account using gcloud projects add-iam-policy-binding myproject --member=serviceAccount:[email protected] --role=roles/bigquery.jobUser
  • In this scenario you are adding it to both the dataset and the project. What's the point of adding it to the dataset as well, won't it be inherited from the project where you add it in step 6? Or will this somehow prevent them from editing other datasets? We'd like separate credentials for each data set so there isn't any accidental crossover, that's why I've been trying to add only dataset level permissions.
    – NGB
    Commented Oct 5, 2021 at 6:46
  • The set role won't be inherited at a dataset level since bigquery.jobUser can be granted at the project level only. Also bigquery.jobUser only allows the SA to create jobs, but not to access any dataset. So in this example "bq-test-sa" can only access "mydataset" since the SA was granted permission at dataset level. But if you use "bq-test-sa" to access another dataset, it will show a permission error.
    – Ricco D
    Commented Oct 5, 2021 at 7:12
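The split the answer and its comments describe (data access scoped to one dataset via the dataset ACL, job creation granted separately at project level with the narrowest role that carries bigquery.jobs.create) is easy to get wrong by hand-editing info.json. The following is an added example, not code from the question or the answer: it applies the JSON edit to the output of bq show --format=prettyjson, replaces rather than duplicates an entry for the same account, rejects project-style role names in the dataset ACL, and assembles the bq update and gcloud add-iam-policy-binding commands without running them unless asked. The project name my-project, dataset mydataset, service account bq-test-sa@my-project.iam.gserviceaccount.com and the sample dataset JSON are constructed placeholders.

```python
"""Dataset-scoped BigQuery access for a service account, plus the project-level
job role it needs to run load and query jobs.

Added example for this thread, not code from the question or the answer. It
performs the JSON edit the answer describes on the output of
`bq show --format=prettyjson` and builds (but by default does not run) the
`bq update` and `gcloud projects add-iam-policy-binding` commands. Project,
dataset and service-account names are assumed placeholders."""
import copy
import json
import subprocess
from typing import Dict, List

# Roles accepted in a dataset resource's "access" array (dataset-level ACL).
DATASET_ROLES = {"READER", "WRITER", "OWNER"}

# Project-level role that carries bigquery.jobs.create but grants no access to
# any dataset's data; which data the account may read or write is decided only
# by the dataset-level entry.
PROJECT_JOB_ROLE = "roles/bigquery.jobUser"

# Constructed sample of `bq show --format=prettyjson my-project:mydataset`,
# trimmed to the fields relevant here (real output has more keys).
SAMPLE_DATASET_INFO: Dict = {
    "datasetReference": {"projectId": "my-project", "datasetId": "mydataset"},
    "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "WRITER", "specialGroup": "projectWriters"},
        {"role": "READER", "specialGroup": "projectReaders"},
    ],
}


def add_dataset_access(info: Dict, sa_email: str, role: str = "WRITER") -> Dict:
    """Return a copy of the dataset resource with an access entry for sa_email.

    Idempotent: an existing entry for the same account is replaced instead of
    duplicated, since bq update sends the whole access list back. Defaults to
    WRITER, which is enough to create and load tables; OWNER additionally lets
    the account change the dataset's ACL."""
    if role not in DATASET_ROLES:
        raise ValueError(
            f"dataset-level role must be one of {sorted(DATASET_ROLES)}, got {role!r}"
        )
    updated = copy.deepcopy(info)
    access = [e for e in updated.get("access", []) if e.get("userByEmail") != sa_email]
    access.append({"role": role, "userByEmail": sa_email})
    updated["access"] = access
    return updated


def grant_commands(project: str, dataset: str, sa_email: str, info_path: str) -> List[List[str]]:
    """The two CLI calls from the answer, as argv lists: the dataset update from
    the edited JSON, then the project-level binding supplying jobs.create."""
    return [
        ["bq", "update", "--source", info_path, f"{project}:{dataset}"],
        [
            "gcloud", "projects", "add-iam-policy-binding", project,
            f"--member=serviceAccount:{sa_email}",
            f"--role={PROJECT_JOB_ROLE}",
        ],
    ]


def grant(project: str, dataset: str, sa_email: str, info: Dict,
          info_path: str = "info.json", dry_run: bool = True) -> List[List[str]]:
    """Write the edited dataset JSON to info_path and return the commands;
    with dry_run=False they are also executed in order (dataset ACL first)."""
    with open(info_path, "w", encoding="utf-8") as fh:
        json.dump(add_dataset_access(info, sa_email, "WRITER"), fh, indent=2)
    cmds = grant_commands(project, dataset, sa_email, info_path)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    sa = "bq-test-sa@my-project.iam.gserviceaccount.com"  # placeholder account
    for cmd in grant("my-project", "mydataset", sa, SAMPLE_DATASET_INFO):
        print(" ".join(cmd))
```

Run it once per dataset with a different service account each time and the accounts stay isolated in the way the comments describe: roles/bigquery.jobUser carries no data permissions, so an account bound to it at project level can still only read or write the datasets whose ACL names it. Granting roles/bigquery.user or roles/bigquery.admin at project level would also work but hands out more than jobs.create.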
