Reputation: 1679
Service account -- limiting access to only big query
Is there a way to create a service account in the context of Google's cloud services that can only access BigQuery and not any other service (GCE, App Engine, &c)? Or is it necessary to create a new "project" and put the account in that project?
Upvotes: 2
Views: 857
Answers (1)
Reputation: 2057
There are two ways to scope access:
- ACLs and group membership allow control over what the service account has access to.
- OAuth credentials can be scoped to individual services / apis.
Either option could work for you, depending on what your ultimate goal is.
How to use ACLs to limit access to only BigQuery
A service account is an identity, just like an email address is an identity.
Identity access is controlled through ACLs, either on the project or on the individual datasets you want to manage. BigQuery's access control is described here: https://cloud.google.com/bigquery/access-control. Other services and apis offer their own ACL controls. Together, these options give you fine grained control over access.
For example, if you put the service account in the project owners ACL, then that service account will have access to everything a project owner would have: BigQuery, Google Storage, etc.
Alternatively, if you put that service account only on a single BigQuery Dataset, then it would only have access to that dataset. (If you also want that service account to be able to run BigQuery jobs, then it would need to be a member of some project since jobs run in the context of a project. If you have a requirement that the project you run BigQuery jobs in cannot be the same project that you store Google Storage data in, then you will need multiple projects.)
How to use OAuth Scopes to limit access to only BigQuery
When you create the OAuth credentials for your service account, you can specify the Scopes that the credentials are valid for. Each api documents the scopes required in order to call the api. BigQuery's scopes are documented here: https://cloud.google.com/bigquery/authorization.
For example, if you only provide BigQuery scopes, then your code will only be able to make BigQuery api calls. Attempting to call a Google Storage API with credentials bound to BigQuery won't work.
Upvotes: 3
Related Questions
- Bigquery service account restricted to a dataset
- Setting quota limit for a service account on Big Query
- How do I configure Google BigQuery command line tool to use a Service Account?
- Limit google account to use ONLY big query
- Is it possible to limit a Google service account to specific BigQuery datasets within a project?
- Is it possible to restrict a service account to a specific Big Query dataset?
- How to track BigQuery usage by user/service account
- How to restrict accessing resource from a service account in GCP
- Restricting Google Service Account's permission?
- Bigquery: manage service accounts