I have a BigQuery dataset which is configured using Google Groups, i.e. people who are part of this group will be able to access this dataset.

Now users want to connect to BQ using a third-party application, so to authenticate to BQ we need to provide them the service account JSON file. My problem: how will BigQuery provide access only to users who are part of the groups, because once I provide them the service account JSON file, any user will be able to connect?

1 Answer

Your user accounts that are members of the group will continue to have the access that has been assigned to the group.

These users will be able to continue accessing BigQuery in the same ways that they are now. I assume they are accessing via the console, and that doesn't change.

When you create the service account, you will give it the roles/permissions it needs in IAM.

You will need to securely transfer the key file to your users who can then use the file to authenticate against the GCP CLI/API.

Yes, once you transfer them the key file, anyone with that key file will be able to authenticate against the CLI. Just like anyone with a user's login details could access your dataset via the console without your permission.

For this reason, that service account should only have minimal permissions assigned to it.

You can then monitor the service account's usage.

If you need to have further restrictions on access by the service account, or the user accounts, GCP now offers BeyondCorp to increase the security of console and API access.

This is a particularly large topic to distil into a response and may or may not be overkill for your requirements.
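
One way to act on the advice above to monitor the service account's usage, as an added example that is not part of the original answer. It reads the Cloud Audit Logs fields `principalEmail`, `callerIp` and `resourceName`; the service account name, dataset path, allowed IP range and log entries are constructed assumptions.

```python
import ipaddress
from collections import Counter

SA = "bq-reader@example-proj.iam.gserviceaccount.com"    # hypothetical service account
DATASET = "projects/example-proj/datasets/shared_ds"     # hypothetical dataset path
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed egress range of approved users

def entry(principal, ip, resource):
    """Build a constructed audit log entry holding only the fields read below."""
    return {"protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "resourceName": resource}}

# Constructed sample entries (not real logs).
SAMPLE = [
    entry(SA, "203.0.113.10", DATASET + "/tables/orders"),
    entry(SA, "198.51.100.7", DATASET + "/tables/orders"),
    entry(SA, "203.0.113.11", "projects/example-proj/datasets/shared_ds_private/tables/pay"),
    entry("alice@example.com", "198.51.100.9", DATASET + "/tables/orders"),
]

def review_sa_usage(entries, sa_email, dataset, allowed_nets):
    """Return (findings, calls_per_ip) for calls made with the shared key."""
    findings, by_ip = [], Counter()
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("authenticationInfo", {}).get("principalEmail") != sa_email:
            continue  # user accounts are governed by the group, not the key
        ip = p.get("requestMetadata", {}).get("callerIp", "")
        res = p.get("resourceName", "")
        # Every holder of the key logs as the same principal, so the caller IP
        # is the main signal left for telling callers apart.
        by_ip[ip] += 1
        try:
            ip_ok = any(ipaddress.ip_address(ip) in n for n in allowed_nets)
        except ValueError:  # callerIp is not always a literal address
            ip_ok = False
        if not ip_ok:
            findings.append(("unexpected_caller_ip", ip, res))
        # Compare on a path boundary so "shared_ds_private" does not match "shared_ds".
        if not (res == dataset or res.startswith(dataset + "/")):
            findings.append(("outside_dataset", ip, res))
    return findings, by_ip

if __name__ == "__main__":
    for finding in review_sa_usage(SAMPLE, SA, DATASET, ALLOWED_NETS)[0]:
        print(finding)
```

An `outside_dataset` finding also shows that the service account holds more than the minimal permissions recommended above.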