BigQuery permissions

To perform actions in BigQuery, Protect uses a GCP connection. This GCP connection must be configured with a service account that has the following permissions.

• bigquery.dataPolicies.create
• bigquery.dataPolicies.delete
• bigquery.dataPolicies.get
• bigquery.dataPolicies.getIamPolicy
• bigquery.dataPolicies.list
• bigquery.dataPolicies.setIamPolicy
• bigquery.dataPolicies.update
• bigquery.datasets.get
• bigquery.datasets.getIamPolicy
• bigquery.jobs.create
• bigquery.rowAccessPolicies.create
• bigquery.rowAccessPolicies.delete
• bigquery.rowAccessPolicies.list
• bigquery.rowAccessPolicies.setIamPolicy
• bigquery.rowAccessPolicies.update
• bigquery.tables.get
• bigquery.tables.getData
• bigquery.tables.list
• bigquery.tables.setCategory
• bigquery.tables.update
• datacatalog.categories.getIamPolicy
• datacatalog.categories.setIamPolicy
• datacatalog.taxonomies.create
• datacatalog.taxonomies.get
• datacatalog.taxonomies.list
• datacatalog.taxonomies.update
• logging.logEntries.list
• resourcemanager.projects.get

In addition, ensure that the following APIs are enabled for the GCP projects used by Protect:

• BigQuery API
• BigQuery Data Policy API
• Google Cloud Data Catalog API
• Cloud Logging API