Reputation: 1457
I'm trying to create a GCP service account that is allowed to query only a specific dataset. I'm very close to having the configuration correct, but even a service account with just the "BigQuery Job User" role can run queries against the BigQuery public datasets, incurring usage on my project. I do not want to allow this.
My goal is to provide key customers with access to their analytical data only, without allowing them to run queries against the public datasets and rack up usage under my project.
Edit: I've rearranged some permissions and removed all project-level roles. Now my service account only has two dataset roles:
They can run jobs against my dataset, but they still can also run jobs against the public BigQuery dataset.
Upvotes: 0
Views: 593
Reputation: 2373
According to this Google Cloud documentation:
When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to access all of a project's BigQuery resources. You can assign roles at the dataset level to provide access to a specific dataset, without providing complete access to the project's resources.
Based on my understanding, for your requirement you can consider dataset sharing in BigQuery. You can follow the steps below to share a dataset.
Step 1: Go to the BigQuery page.
Step 2: In the Explorer panel, expand your project and select a dataset.
Step 3: Click Share -> Permissions.
Step 4: Click Add principal.
Step 5: In the New principals field, enter a principal.
Step 6: For data access only, choose the BigQuery Data Viewer role.
Step 7: Click Save.
For more information and workarounds refer to these: link1, link2 and link3.
Upvotes: 1
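The dataset sharing steps from the answer, done from the command line instead of the console and followed by the check a practitioner wants afterwards: whether the service account still holds a project-level role that lets it run jobs against any dataset. This is an added example in Python, not code from the original post or from Google. The dataset metadata and IAM policy below are constructed samples in the shape `bq show --format=prettyjson` and `gcloud projects get-iam-policy --format=json` return, and the set of roles treated as carrying `bigquery.jobs.create` is an assumption to verify against the IAM role reference.

```python
import copy
import json

# Constructed sample of `bq show --format=prettyjson example-project:customer_a`,
# trimmed to the fields that matter. Not a real project.
SAMPLE_DATASET = {
    "datasetReference": {"projectId": "example-project", "datasetId": "customer_a"},
    "access": [
        {"role": "OWNER", "specialGroup": "projectOwners"},
        {"role": "WRITER", "specialGroup": "projectWriters"},
        {"role": "READER", "specialGroup": "projectReaders"},
    ],
}

# Constructed sample of `gcloud projects get-iam-policy example-project --format=json`,
# showing the binding the question describes (Job User granted at project level).
SA_EMAIL = "customer-a@example-project.iam.gserviceaccount.com"
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/bigquery.jobUser", "members": ["serviceAccount:" + SA_EMAIL]},
        {"role": "roles/viewer", "members": ["user:admin@example.com"]},
    ]
}

# Predefined roles that carry bigquery.jobs.create. Held at project level, any of
# these lets the principal submit queries billed to the project against every
# dataset it can read, the public datasets included. Assumed from the IAM role
# reference at time of writing; confirm with
# `gcloud iam roles describe roles/bigquery.jobUser` before relying on it.
JOB_CREATING_ROLES = {
    "roles/bigquery.jobUser",
    "roles/bigquery.user",
    "roles/bigquery.admin",
    "roles/editor",
    "roles/owner",
}


def grant_dataset_reader(dataset: dict, email: str) -> dict:
    """Return a copy of the dataset metadata with a dataset-level READER entry
    for `email` (READER is the legacy name BigQuery uses for the Data Viewer
    role on a dataset). Same effect as Share -> Permissions -> Add principal
    in the console. Idempotent: re-running it never duplicates the entry."""
    updated = copy.deepcopy(dataset)
    entry = {"role": "READER", "userByEmail": email}
    if entry not in updated["access"]:
        updated["access"].append(entry)
    return updated


def project_roles_for(policy: dict, member: str) -> list:
    """All roles bound to `member` (e.g. 'serviceAccount:...') in a project IAM policy."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def job_creating_project_roles(policy: dict, member: str) -> list:
    """Project-level roles that still let `member` run jobs against any dataset.
    An empty list means the principal is confined to its dataset-level grants."""
    return [r for r in project_roles_for(policy, member) if r in JOB_CREATING_ROLES]


if __name__ == "__main__":
    member = "serviceAccount:" + SA_EMAIL
    shared = grant_dataset_reader(SAMPLE_DATASET, SA_EMAIL)
    # Save this JSON to a file and apply it with:
    #   bq update --source access.json example-project:customer_a
    print(json.dumps(shared, indent=2))
    leftover = job_creating_project_roles(SAMPLE_PROJECT_POLICY, member)
    if leftover:
        print(f"WARNING: {member} still holds {leftover} at project level; "
              "it can query any dataset it can read, billed to this project.")
```

Data Viewer on the dataset grants read access only; a query still has to be created as a job in some project, and that project is the one billed for it. That is why the audit half of the script looks for job-creating roles on your project rather than for dataset grants.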