I'm trying to access the M-Lab tables from BigQuery but keep getting this message:
Error: Access Denied: Table measurement-lab:m_lab.2010_01: QUERY_TABLE
I can access the other sample tables just fine.
Any suggestions?
Access to the M-lab tables requires you to be on the M-lab project as at least a 'reader'. Do you know if you've been added? I will contact the M-lab folks at Google to see if they're willing to add all users to the acl, which means that anyone will be able to access.
Related
Original Post: Google BigQuery: Give user access to a Table
I'm attempting to give edit access to a user for a BQ table and a saved query. This user does not and will not be given access to any additional items in my BQ account.
I've tried using instructions found here to share the table with the user, but that user is not able to see the table populate in their BQ project folder.
I then tried sharing a link to the query, but I'm unable to give the user edit access this way.
Any and all help is appreciated.
Suppose I have 2 users available for the same project. The requirement is to restrict the table access in the same project to one user. How can it be managed it in Bigquery? what kind of access controls to be applied and how?
Thanks in advance.
You can use table level ACLS and set Bigquery roles/bigquery.dataViewer for users on the tables you wish to grant access. More details here https://cloud.google.com/bigquery/docs/table-access-controls-intro
This approach doesn't require creating a separate dataset(as a workaround for table level access) for access control which use to be the case earlier.
Depending on requirements, and the strictness of them, this is what I do:
Grant the user access to a specific table within a dataset by granting the BigQuery Data Viewer role at the table level.
You can do this as follows:
-> Open the table in the console and click Share, then click Add Principal
And to make it easier for the user to navigate the metadata of the table, such as schema, details and preview, I grant them the BigQuery Metadata Viewer role at the dataset level.
You should only do this of course if it is ok for the user to see which other tables within the dataset are there. (they can't see the data in the other tables, just the schema etc)
The advantage is that it will be easier for the user to see the schema and a preview of the data.
More info can be found here:
https://cloud.google.com/bigquery/docs/table-access-controls
What permissions does a service account needs to read from BigQuery __TABLE__ tables? Our scenario is that we want to grant the service account collecting storage stats from our BigQuery projects minimum necessary permissions. Ideally it shouldn't be able to read the data from BQ tables but still it needs to read the __TABLE__ tables from all our datasets. We tried granting metadataViewer permissions but that didn't work, still getting 403.
Ideally it shouldn't be able to read the data from BQ tables but still it needs to read the __TABLE__ tables from all our datasets.
Currently, you cannot grant permissions on tables, views, columns, or rows. A dataset is the lowest level resource that supports access controls in BigQuery.
-- source --
Therefore you will need to grant roles/bigquery.dataViewer to the service account.
You might also need to grant a second permission. Under the hood the code that executes with service account credentials will be making API calls. I don't know the details applicable to your case, but the code will likely use one of the basic REST objects (such as Job object) to make the calls. And will likely need another permission(s) that come under umbrella of roles/bigquery.jobUser or similar role.
The required permissions to query __TABLES__ are the same as to query any regular tables. Thus, the roles/bigquery.dataViewer role viewer at dataset level should be enough.
Since your requirement is to only grant access to this particular table's data, but not to the user generated tables, a possible workaround is to create an authorized view in a separate dataset. The view will have dataViewer access to your current dataset and the user will have dataViewer access to the dataset containing the view.
I am trying the new 'Transfers' function in google BigQuery.
I am using the option: 'Scheduled Query'
It works with a simple query, but when I am trying another query that is normally working based on a view, that is based on a join between two tables (on table based on a google sheet shared with me) none of the more complicated Transfers I created are working.
I get the following error message:
Failed to start job for table 'xxx' with error PERMISSION_DENIED: Access Denied: BigQuery BigQuery: No OAuth token with Google Drive scope was found.
Is it because one of the source tables is based on a google sheet?
I tried to copy the source table to another table, but when I do this BigQuery automatically deletes this table.
Any ideas?
The problem is with the view which queries Google Drive data. In order to resolve your problem you need to request Google Drive scopes. Quoting directly from documentation:
Accessing data hosted within Google Drive requires an additional OAuth
scope, both when defining the federated source as well as during query
execution.
In the documentation page linked above you'll also find ways to do this via command line, api and web UI.
I've been successfully using BigQuery to pull AdSense data, but recently all queries have started failing, with this error:
(403) Access Denied: Table
google.com:adsense-reports:Reports.DailyCustomChannelReport: The user
does not have permission to query a table in dataset
google.com:adsense-reports:Reports
Here's a sample query:
SELECT matched_ad_requests, clicks, FROM [google.com:adsense-reports:Reports.DailyCustomChannelReport] WHERE date BETWEEN '2015-02-10' AND '2015-02-11'AND custom_channel_code like 'test_18'
These query failures aren't associated with any code change to my application. They also fail in the BigQuery browser tool- even queries that ran successfully in the past. This seems to rule out a problem with the query.
Nothing has changed with regards to my account access to AdSense. I am able to log in to the dashboard and see all data.
Any ideas how I can restore my ability to query this data? Thanks.
I got internal confirmation: The AdSense experiment for BigQuery was discontinued. The team tells me they notified the experiment users some months ago, before disabling it.
Sorry for the lack of better news!