BigQuery permissions

To perform actions in BigQuery, Protect uses a GCP connection. This GCP connection must be configured with a service account that has the following permissions.

  • bigquery.dataPolicies.create
  • bigquery.dataPolicies.delete
  • bigquery.dataPolicies.get
  • bigquery.dataPolicies.getIamPolicy
  • bigquery.dataPolicies.list
  • bigquery.dataPolicies.setIamPolicy
  • bigquery.dataPolicies.update
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
    Note: The GCP service account configured for Protect needs this permission only if the Grant access to tables checkbox is selected when adding the Protect for BigQuery capability to the Edge site.
  • bigquery.tables.list
  • bigquery.tables.setCategory
  • bigquery.tables.setIamPolicy
    Note: The GCP service account configured for Protect needs this permission only if the Grant access to tables checkbox is selected when adding the Protect for BigQuery capability to the Edge site.
  • bigquery.tables.update
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.taxonomies.create
  • datacatalog.taxonomies.get
  • datacatalog.taxonomies.list
  • datacatalog.taxonomies.update
  • logging.logEntries.list
  • resourcemanager.projects.get

In addition, ensure that the following APIs are enabled for the GCP projects used by Protect:

  • BigQuery API
  • BigQuery Data Policy API
  • Google Cloud Data Catalog API
  • Cloud Logging API
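As an added example (not part of the Protect documentation), the following script turns the permission list above into a least-privilege custom role definition and reports which required permissions an existing role is missing. The project id, role id and file paths in the comments are placeholders; the `gcloud` service names for the four APIs are the standard ones.

```shell
#!/usr/bin/env bash
# Added example, not Protect's own tooling: build a custom role holding exactly
# the permissions Protect needs, and check a granted permission list for gaps.
set -eu

# Permissions that are always required (from the list above).
REQUIRED_PERMS="bigquery.dataPolicies.create bigquery.dataPolicies.delete
bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.get
bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update
bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.setCategory
bigquery.tables.update datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy
datacatalog.taxonomies.create datacatalog.taxonomies.get datacatalog.taxonomies.list
datacatalog.taxonomies.update logging.logEntries.list resourcemanager.projects.get"
# Required only when "Grant access to tables" is selected for the capability.
TABLE_IAM_PERMS="bigquery.tables.getIamPolicy bigquery.tables.setIamPolicy"
# APIs that must be enabled on the project (standard service names).
REQUIRED_APIS="bigquery.googleapis.com bigquerydatapolicy.googleapis.com datacatalog.googleapis.com logging.googleapis.com"

# Print the permission set for a configuration, one per line, sorted.
# $1 = 1 to include the table IAM permissions, 0 to leave them out.
required_perms() {
  perms=$REQUIRED_PERMS
  [ "$1" = 1 ] && perms="$perms $TABLE_IAM_PERMS"
  printf '%s\n' $perms | sort
}

# Write a gcloud custom-role definition (YAML) to $2 for configuration $1.
# Apply it with (placeholders): gcloud iam roles create protectBigQuery \
#   --project PROJECT_ID --file "$2"
write_role_yaml() {
  {
    echo "title: Protect for BigQuery"
    echo "description: Least-privilege role for the Protect service account"
    echo "stage: GA"
    echo "includedPermissions:"
    required_perms "$1" | sed 's/^/- /'
  } > "$2"
}

# Print required permissions absent from file $2, which lists the permissions a
# role actually grants, one per line, e.g. from (placeholders):
#   gcloud iam roles describe ROLE_ID --project PROJECT_ID --format='value(includedPermissions)'
missing_perms() {
  want=$(mktemp)
  required_perms "$1" > "$want"
  sort -u "$2" | comm -23 "$want" -
  rm -f "$want"
}
```

Enable the APIs with `gcloud services enable $REQUIRED_APIS --project PROJECT_ID`; an empty result from `missing_perms` means the role covers everything on the list, and anything it grants beyond the list is a candidate for removal.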