How can I grant individual permissions in Google Cloud Platform for BigQuery users

Question

I need to setup very fine-grained access control for service accounts in GCP. I am seeing this error:

"user SERVICE_ACCOUNT does not have bigquery.jobs.create permission in project PROJECT_ID".

I know that via UI/gcloud util I can give it role roles/bigquery. user, but it has a lot of other permissions I don't want this service account to have.

How can I grant individual permissions via gcloud/UI or some other means?

Answer 1

You can use Custom Roles, visible in the IAM section:

Create a role with the specific mix of permissions you need. Then it will appear in 'Custom' on the IAM role assignment page and will be available via the API.

For your specific use case, try the following in your custom role:

• bigquery.jobs.create
• bigquery.jobs.get
• bigquery.tables.create
• bigquery.tables.update

Answer 2

You can configure IAM directly in the Google Cloud Console:

https://console.cloud.google.com/iam-admin/iam/

Service accounts are designed to be used for server side applications e.g. VMs, AppEngine etc. In other words:

[It's] an account that belongs to your application instead of to an individual end user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved.

https://developers.google.com/identity/protocols/OAuth2ServiceAccount

The service account can have different BigQuery IAM roles assigned to it via the console, like so:

You add also add individual users (emails backed by a Google account) to IAM using the console, and then select which permissions they individually should have in BigQuery, like so:

BigQuery permissions & roles are defined here.