Sharing access to Google Bigquery datasets - google-bigquery

I created a project and a dataset in BigQuery. I can share the dataset with other developers but I cannot share the project. I get a 404 error when I click the "Team" link on the left pane. Is there a workaround to share the project?

Dataset sharing in BQ is a little unintuitive - the actual sharing is pretty simple but the UX for the person you are sharing with is a little vague.
If you want to share:
Select the dataset
Select Share Dataset
Choose an email, google group, etc.
For data access only (w/o ability to run jobs on your project - so you're not billed for queries they make) choose the BigQuery Data Viewer role.
All this explained here: https://cloud.google.com/bigquery/docs/dataset-access-controls
Once this is done, the user you shared with will be able to run queries on the dataset BUT will not be able to view your project and dataset listed under their data resources on left hand side of BQ console.
This is because you've provided them IAM access to the dataset and not the project (which is the correct way to do it).
If they want to see the project/dataset listed they need to pin the shared project/project to their project in BQ console:
They should enter the BQ URL for the sharing project: https://console.cloud.google.com/bigquery?project=[SHARING_PROJECT_NAME]
Select the project on the data resource browser on the left and select PIN PROJECT
Go back to their original project on BQ console; they will now see the shared project listed there as well.

You can share the dataset with a service account which is in any project.
I think you can do the same with regular user accounts without adding to the project.
https://cloud.google.com/dataprep/docs/concepts/cross-bq-datasets
From BigQuery webconsole "share dataset" option:
You can share with these type of accounts
Google Account email: user@gmail.com
Google Group: admins@googlegroups.com
Service account: server@example.gserviceaccount.com
Google Apps domain: example.com
anybody: enter "allUsers" to grant access to the general public
all Google Accounts: enter "allAuthenticatedUsers" to grant access to any user signed in to a Google Account (warning: shares publicly with users outside of your organization)

Related

Can you disable sharing of datasets in bigquery?

I am wanting to disable the "Share dataset" feature of bigquery.
For my use case I would like to disable this feature as you can't control what data can be shared and who with. This means datasets are shareable with anyone who has a Gmail account.
I've been experimenting with removing various IAM permissions and I can't seem to pin it down. I've also used chrome dev tools to see what the API call is but I can't trace it back to how I can prevent the sharing of datasets.
If this cannot be disabled can you at least lock it down to a specific domain?
Try the following steps to restrict the share option.
Add the user to the IAM and don't assign any role.
Share the dataset with the user with Can view role
Now the user can still see the Share dataset option, but if they try to share they will get the following error
As per the BigQuery permissions and roles matrix, only Admin, Data owner (BigQuery role), and the Owner of a dataset can share it. Make sure to give the least privilege needed to your users.
For example, give the respective user the bigquery.jobUser permission and share the dataset with him with "can edit" permission. This setup will not allow the dataset to be shared.
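An added example, not taken from any of the posts above: a check over a dataset's access list that flags the public identities named in the share dialog ("allUsers", "allAuthenticatedUsers") and any grantee outside an approved domain, which is the restriction the question above asks for. The sample JSON, project and addresses are constructed; `audit_access` and `allowed_domains` are hypothetical names, and the input is assumed to have the shape printed by `bq show --format=prettyjson`.

```python
import json

# Constructed sample: a dataset resource in the shape printed by
# `bq show --format=prettyjson <dataset>`. All identities are made up.
SAMPLE_DATASET = json.loads("""
{
  "datasetReference": {"projectId": "example-project", "datasetId": "scores"},
  "access": [
    {"role": "OWNER",  "specialGroup": "projectOwners"},
    {"role": "READER", "userByEmail": "analyst@example.com"},
    {"role": "READER", "userByEmail": "someone@gmail.com"},
    {"role": "WRITER", "groupByEmail": "partners@googlegroups.com"},
    {"role": "READER", "domain": "example.com"},
    {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
    {"role": "READER", "iamMember": "allUsers"}
  ]
}
""")

PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def audit_access(dataset, allowed_domains):
    """Return (severity, role, identity) for grants outside allowed_domains."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for entry in dataset.get("access", []):
        role = entry.get("role", "")
        ident = entry.get("specialGroup") or entry.get("iamMember") or ""
        email = entry.get("userByEmail") or entry.get("groupByEmail")
        if ident in PUBLIC:
            findings.append(("public", role, ident))
        elif "iamMember" in entry:
            # Other IAM member strings are not parsed here; surface them for a human.
            findings.append(("review", role, ident))
        elif email:
            # Service accounts also appear as userByEmail; add their domain to
            # allowed_domains only if cross-project service accounts are expected.
            if email.rsplit("@", 1)[-1].lower() not in allowed:
                findings.append(("external", role, email))
        elif "domain" in entry and entry["domain"].lower() not in allowed:
            findings.append(("external", role, entry["domain"]))
    return findings

if __name__ == "__main__":
    for severity, role, ident in audit_access(SAMPLE_DATASET, ["example.com"]):
        print(f"{severity:8} {role:7} {ident}")
```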

Duplicate IAM Permissions in Google Cloud Platform for another user

I have a user with permissions across many projects (see image below).
I have a new user who just joined the company. I want to give him the exact same permissions. How can I do this? I don't want to do it manually because that will take me ages and the Google Cloud Documentation is useless! I can't find much on using gcloud command line to do this with examples.
There must be an easy way to duplicate permissions?
Thanks
It is indeed possible to grant a role to a member for more than one project:
Open the IAM & Admin Projects page in the GCP Console.
Select all the projects for which you want to grant permissions.
Click the Show Info Panel, followed by the Permissions tab.
Enter an email address in the Add members field, and select the desired role from the drop-down menu.
Click the Add button. The member will be granted the selected role in each of the selected projects.
Granting access rights to a project is an action fraught with security risks, so bulk gcloud commands or simple copying of roles are understandably not supported.
You can find more detail on the "Granting, Changing, and Revoking Access to Resources" documentation page.
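An added example, not part of the answer above: before granting a new user "the same" roles, it helps to list what the existing user holds directly in each project and to set aside the grants that should not be copied without review. The policies below are constructed and follow the JSON shape of `gcloud projects get-iam-policy <project> --format=json`; `plan_grants`, the project IDs and the users are hypothetical, and roles inherited through groups are not resolved.

```python
# Constructed sample: IAM policies keyed by project ID, in the JSON shape of
# `gcloud projects get-iam-policy <project> --format=json`. All names are made up.
POLICIES = {
    "proj-analytics": {"bindings": [
        {"role": "roles/bigquery.dataViewer",
         "members": ["user:alice@example.com", "group:bi@example.com"]},
        {"role": "roles/bigquery.jobUser",
         "members": ["user:alice@example.com"]},
    ]},
    "proj-billing": {"bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ]},
}

# Basic roles that span every service in a project.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def plan_grants(policies, source_member):
    """Split the source member's direct bindings into (copy, needs_review)."""
    copy, review = [], []
    for project, policy in sorted(policies.items()):
        for binding in policy.get("bindings", []):
            if source_member not in binding.get("members", []):
                continue
            role = binding["role"]
            if role in BROAD_ROLES:
                review.append((project, role, "broad basic role"))
            elif "condition" in binding:
                # A conditional grant was scoped for a reason; do not copy it blindly.
                review.append((project, role, "conditional binding"))
            else:
                copy.append((project, role))
    return copy, review

if __name__ == "__main__":
    to_copy, to_review = plan_grants(POLICIES, "user:alice@example.com")
    for project, role in to_copy:
        print(f"copy    {project}: {role}")
    for project, role, reason in to_review:
        print(f"review  {project}: {role} ({reason})")
```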

Service account -- limiting access to only big query

Is there a way to create a service account in the context of Google's cloud services that can only access BigQuery and not any other service (GCE, App Engine, &c)? Or is it necessary to create a new "project" and put the account in that project?
There are two ways to scope access:
ACLs and group membership allow control over what the service account has access to.
OAuth credentials can be scoped to individual services / apis.
Either option could work for you, depending on what your ultimate goal is.
How to use ACLs to limit access to only BigQuery
A service account is an identity, just like an email address is an identity.
Identity access is controlled through ACLs, either on the project or on the individual datasets you want to manage. BigQuery's access control is described here: https://cloud.google.com/bigquery/access-control. Other services and apis offer their own ACL controls. Together, these options give you fine grained control over access.
For example, if you put the service account in the project owners ACL, then that service account will have access to everything a project owner would have: BigQuery, Google Storage, etc.
Alternatively, if you put that service account only on a single BigQuery Dataset, then it would only have access to that dataset. (If you also want that service account to be able to run BigQuery jobs, then it would need to be a member of some project since jobs run in the context of a project. If you have a requirement that the project you run BigQuery jobs in cannot be the same project that you store Google Storage data in, then you will need multiple projects.)
How to use OAuth Scopes to limit access to only BigQuery
When you create the OAuth credentials for your service account, you can specify the Scopes that the credentials are valid for. Each api documents the scopes required in order to call the api. BigQuery's scopes are documented here: https://cloud.google.com/bigquery/authorization.
For example, if you only provide BigQuery scopes, then your code will only be able to make BigQuery api calls. Attempting to call a Google Storage API with credentials bound to BigQuery won't work.

app inventor 2 using a private fusiontable

I am creating an app in ai2 that connects to one of my fusion tables as a high score datastore.
If I use traditional Oauth2 flow then each user would be presented with an oauth login for their fusiontable, which is not what I want.
I have set up a
Client ID for Android application
in the google developer console which gave me
Client ID xxxxxxxxx.apps.googleusercontent.com
Redirect URIs
urn:xxx:xxx:xxx
http://localhost
Package name appinventor.ai_xxxxxxxx.xxxxxxxx
Certificate fingerprint (SHA1) 12:34:56 etc
Deep linking Disabled
What I want is for my app to connect to my fusiontable using my credentials regardless of which device or which user. How do I do that?
Thanks
This document is a very simple and straight-forward guide to creating a fusion table for your app.
https://docs.google.com/document/d/1HifuZqz5xu0KPS-e4oUv-t-nQoUQ8VMNyh_y6OjZkc0/pub
Steps:
First, you have to create a project at console.developers.google.com.
Then go to the API manager in the menu. Search for and enable the fusion tables API.
Now create a service account key. You may have to look in the credentials menu for this setting. Choose "enable Google apps-wide delegation". A service account is a localized email address that your app can use when you share the fusion table with that account. It provides more security than the "anyone with the link can edit" setting.
Now go to New Credentials > Service account key. Select P12, and the file will automatically download. If the name of the file has spaces, remove them.
Next, create a google fusion table.
Now share the table with the service email you created. Set the permission to Can Edit. Uncheck the notify box and hit Share.
Now, go to App Inventor. You need:
Your Service Account Email address (also called service account ID)
Service Account key file (.p12)
Fusion Table ID code (don't worry about this yet)
First, upload the key file.
In the fusion tables component property menu, set the KeyFile property to the key file. Copy the email address you created earlier and paste it in the ServiceAccountEmail property. Check the Use Service Authentication box.
Last thing: In the fusion table, go to File > About This Table. Copy the table Id. When you do operations with the table, you will need this id. You can store it in a variable if you want.
This property means that you can share and use multiple different tables with the same service account. Just share the other table(s) you will use with the service account and use that table's id when you do operations with that table.

How do I create a new Data Quality Services project on Denali?

After having a couple of issues getting DQS installed, it appears to be installed, and I can now run the client up; however, after I've chosen to connect to '(LOCAL)', which brings back the dashboard for it, but it is unclear how to create a new knowledgebase or create a new data quality project as the options remain grayed out?
Do I need to do "something else" before I can start playing?
To enable all the options in the Data Quality Client home screen, ensure that the user account with which you logged on to the Data Quality Client is assigned one of the three dqs roles (dqs_administrator, dqs_kb_editor, and dqs_kb_operator) on the DQS_MAIN database. For information about granting DQS roles to a user, see Grant DQS Roles to User.
You will start by creating a new Knowledge Base (or importing one). I have made a series of short screencasts on how to use DQS on YouTube.