5
votes

I have an IAM user with Role: BigQuery Data Editor. In my data set I did Share dataset and added the user with Can Edit privileges.

However, when I'm running my script which accesses BigQuery, I get error 403.

When I add the Role BigQuery User to my IAM user, the script works.

The script runs only a SELECT query from a table in this data set.

I don't understand why I must grant BigQuery User for this to work.

According to the documentation at https://cloud.google.com/bigquery/docs/access-control:

Rationale: The dataEditor role extends bigquery.dataViewer by issuing create, update, delete privileges for the tables within the dataset

roles/bigquery.dataViewer has bigquery.tables.getData, which gets table data.

What am I doing wrong here?


1 Answer

8
votes

Having access to the data and being able to retrieve it with a query are different things and that's where the confusion is coming from.

Per the documentation, roles/bigquery.dataEditor has the following permissions:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

This means that the user with this role has access and manipulation rights to the dataset's information and the tables in it. An example would be that a user with this role can see all the table information by navigating to it through the GCP console (schema, details and preview tabs) but when trying to run a query there, the following message will appear:

Access Denied: Project <PROJECT-ID>: The user <USER> does not have bigquery.jobs.create permission in project <PROJECT-ID>.

Now let's check the roles/bigquery.user permissions:

Permissions to run jobs, including queries, within the project.

The key element here is that the BigQuery User role can run jobs and the BigQuery DataEditor can't. BigQuery Jobs are the objects that manage the BigQuery tasks, this includes running queries.

With this information, it's clearer in the roles comparison matrix that for what you are trying to accomplish you'll need the BigQuery DataEditor role (Get table data/metadata) and the BigQuery User role (Create jobs/queries).
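As an added illustration (not code from the question or the answer above), here is a small audit helper that reproduces the reasoning: it reads a constructed project IAM policy in the shape of `gcloud projects get-iam-policy --format=json` plus a constructed dataset `access` list (what "Share dataset" writes), and reports which of the two permissions a SELECT needs are still missing. It assumes the legacy dataset roles READER/WRITER map to dataViewer/dataEditor, and models only the permissions discussed on this page.

```python
import json

# Subset of the permissions these roles grant, limited to the two a SELECT query
# needs (see https://cloud.google.com/bigquery/docs/access-control).
ROLE_PERMISSIONS = {
    "roles/bigquery.dataViewer": {"bigquery.tables.getData"},
    "roles/bigquery.dataEditor": {"bigquery.tables.getData"},
    "roles/bigquery.user": {"bigquery.jobs.create"},
}

# Legacy dataset roles as written by "Share dataset" ("Can edit" is WRITER).
DATASET_ROLE_MAP = {
    "READER": "roles/bigquery.dataViewer",
    "WRITER": "roles/bigquery.dataEditor",
}

# Constructed sample project policy (shape of `gcloud projects get-iam-policy`).
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/bigquery.dataEditor", "members": ["user:analyst@example.com"]},
  {"role": "roles/bigquery.user", "members": ["user:admin@example.com"]}
]}""")

# Constructed sample dataset access list: analyst was shared with "Can edit".
DATASET_ACCESS = [{"role": "WRITER", "userByEmail": "analyst@example.com"}]


def project_permissions(policy, email):
    """Permissions the user holds at project scope through role bindings."""
    perms = set()
    for binding in policy["bindings"]:
        if "user:" + email in binding["members"]:
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def dataset_permissions(access, email):
    """Permissions the user holds on the dataset via its access list."""
    perms = set()
    for entry in access:
        if entry.get("userByEmail") == email:
            role = DATASET_ROLE_MAP.get(entry["role"], "")
            perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def missing_for_select(policy, access, email):
    """Permissions a SELECT query still lacks: bigquery.jobs.create is
    project-scoped, so dataset sharing alone can never supply it."""
    held = project_permissions(policy, email) | dataset_permissions(access, email)
    needed = {"bigquery.jobs.create", "bigquery.tables.getData"}
    return sorted(needed - held)
```

Running `missing_for_select(PROJECT_POLICY, DATASET_ACCESS, "analyst@example.com")` returns `['bigquery.jobs.create']`, which is exactly the permission named in the Access Denied message above.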