
Prerequisites for BigQuery Connector - Access Management

GCP BigQuery connector with Privacera requires the following prerequisites:

Mandatory Prerequisites

  • IAM Role Permissions for managing BigQuery: used to create the permissions for the GCP IAM role (see the Appendix section of the same name).
  • Create PrivaceraPolicySyncRole IAM Role for Project: used to create the GCP IAM role at project level for the service account (see Appendix: Create Project-level Access IAM Role for Service Account).
  • Create PrivaceraPolicySyncRole IAM Role for organization: used to create the GCP IAM role at organization level for the service account (see Appendix: Create Organization-level IAM Role for Service Account).
  • Attach IAM Role to Service Account: used to connect PolicySync with GCP BigQuery (see the Appendix section of the same name).
  • Configure Logs for Auditing: used to store the audit logs of GCP BigQuery so that PolicySync can load them (see the Appendix section of the same name).
  • Ops Server Setup (for Self-Managed deployments only): set up the Ops Server for Privacera. This step is required only for Self-Managed deployments.
  • Enable Required Google Cloud APIs: enable the required Google Cloud APIs in your project to ensure BigQuery connector functionality (see the Appendix section of the same name).

Optional Prerequisites

You must choose one of the following options for setting up the BigQuery connector:

  • Enable Workload Identity for BigQuery (optional): if you are deploying the connector on a GCP instance, you can use Workload Identity to authenticate (see Appendix: Workload Identity for BigQuery).
  • Basic Authentication for PolicySync (optional): if you are using other instances (e.g., EKS, AKS), choose basic authentication with a service account key (see Appendix: Basic Authentication for PolicySync).

Managing Multiple GCP Projects with a Single BigQuery Connector

If you have multiple projects within your GCP organization and wish to manage them using a single BigQuery connector, you can follow one of the two options below. Choose the option that best fits your needs.


Option 1: Service Account at One Project with Organization-level Role

  1. Create Organization-level IAM Role: follow Create Organization-level IAM Role for Service Account in the Appendix.

  2. Assign the Role to the Service Account:

    • Create a service account in any one of the projects within your organization.
    • Assign the organization-level IAM role to the service account, granting it the necessary permissions to manage BigQuery across the organization.
    • This ensures the service account can access BigQuery resources in all projects within the organization.
    • Follow Attach IAM Role to Service Account in the Appendix.

Option 2: Service Account at One Project with Project-level Role for Each Project

  1. Create IAM Role at Every Project: follow Create Project-level Access IAM Role for Service Account in the Appendix once per project.

  2. Assign the Role to the Service Account:

    • Create a service account in any one of the projects within your organization.
    • Assign the project-level IAM role to the service account in each individual project. This ensures the service account has the required permissions to access BigQuery in all the relevant projects.
    • Follow Attach IAM Role to Service Account in the Appendix.

Appendix

IAM Role Permissions for managing BigQuery

You need to give Privacera PolicySync basic access to GCP. To grant that access, create the PrivaceraPolicySyncRole IAM role in your GCP project or GCP organization using the following gcloud commands. The gcloud CLI can be installed locally or used through Cloud Shell in the Google Cloud console.

Run the following command to create the file containing the permissions required for the PrivaceraPolicySyncRole role:
Text Only
ROLE_NAME="PrivaceraPolicySyncRole"

cat << EOF > ${ROLE_NAME}.yaml
title: "${ROLE_NAME}"
description: "${ROLE_NAME}"
stage: "ALPHA"
includedPermissions:
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
- iam.roles.list
- iam.roles.get
- iam.roles.create
- iam.roles.update
- bigquery.jobs.create
- bigquery.datasets.get
- bigquery.datasets.create
- bigquery.datasets.update
- bigquery.datasets.delete
- bigquery.datasets.getIamPolicy
- bigquery.datasets.setIamPolicy
- bigquery.tables.list
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.create
- bigquery.tables.update
- bigquery.tables.delete
- bigquery.tables.getIamPolicy
- bigquery.tables.setIamPolicy
- bigquery.rowAccessPolicies.list
- bigquery.rowAccessPolicies.create
- bigquery.rowAccessPolicies.update
- bigquery.rowAccessPolicies.delete
- bigquery.rowAccessPolicies.getIamPolicy
- bigquery.rowAccessPolicies.setIamPolicy
- datacatalog.categories.getIamPolicy
- datacatalog.categories.setIamPolicy
- datacatalog.taxonomies.get
- datacatalog.taxonomies.getIamPolicy
- datacatalog.taxonomies.list
- datacatalog.taxonomies.setIamPolicy
- datacatalog.taxonomies.update
- bigquery.dataPolicies.create
- bigquery.dataPolicies.delete
- bigquery.dataPolicies.get
- bigquery.dataPolicies.getIamPolicy
- bigquery.dataPolicies.list
- bigquery.dataPolicies.setIamPolicy
- bigquery.dataPolicies.update
- bigquery.tables.setCategory

EOF

The following table describes why each permission in the role is needed.

PolicySync Role Permission Details for GBQ

  • resourcemanager.projects.get
    Required to list the projects available in the GCP console.
  • resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy
    Required to make permission changes at the project level based on Privacera policies.
  • iam.roles.list, iam.roles.get, iam.roles.create, iam.roles.update
    PolicySync creates and uses the following custom IAM roles for fine-grained access control: PrivaceraGBQDatasetCreateRole, PrivaceraGBQDatasetGetMetadataRole, PrivaceraGBQDatasetUpdateRole, PrivaceraGBQDatasetDeleteRole, PrivaceraGBQTableListRole, PrivaceraGBQTableCreateRole, PrivaceraGBQTableGetMetadataRole. These permissions are needed only if you want PolicySync to create those custom IAM roles for you; they also let it apply updates when the permissions of a custom role are modified. If you create all the required custom roles manually, you can skip these permissions.
  • bigquery.jobs.create
    Required to execute SQL queries within a BigQuery project. PolicySync needs this permission because it creates views to apply masking and row filtering. It is also necessary to establish a JDBC connection.
  • bigquery.datasets.get
    Required to list all available datasets within a BigQuery project.
  • bigquery.datasets.getIamPolicy, bigquery.datasets.setIamPolicy
    Required to make permission changes at the dataset level based on Privacera policies.
  • bigquery.tables.list, bigquery.tables.get
    Required to list all available tables and their columns within a BigQuery project.
  • bigquery.tables.getIamPolicy, bigquery.tables.setIamPolicy
    Required to make permission changes at the table/view level based on Privacera policies.
  • bigquery.datasets.create, bigquery.datasets.update, bigquery.datasets.delete, bigquery.tables.getData, bigquery.tables.create, bigquery.tables.update, bigquery.tables.delete
    Required to create, update, or delete secure views and their datasets.
  • bigquery.rowAccessPolicies.list, bigquery.rowAccessPolicies.create, bigquery.rowAccessPolicies.update, bigquery.rowAccessPolicies.delete, bigquery.rowAccessPolicies.getIamPolicy, bigquery.rowAccessPolicies.setIamPolicy
    Required only if you are using the native row filter in BigQuery. These permissions are necessary to create, update, or delete row filters on tables for users and groups based on Privacera policies.
  • datacatalog.categories.getIamPolicy, datacatalog.categories.setIamPolicy, datacatalog.taxonomies.get, datacatalog.taxonomies.getIamPolicy, datacatalog.taxonomies.list, datacatalog.taxonomies.setIamPolicy, datacatalog.taxonomies.update, bigquery.dataPolicies.create, bigquery.dataPolicies.delete, bigquery.dataPolicies.get, bigquery.dataPolicies.getIamPolicy, bigquery.dataPolicies.list, bigquery.dataPolicies.setIamPolicy, bigquery.dataPolicies.update, bigquery.tables.setCategory
    Required for the Tag-Based Masking feature.

Note

  • If you plan to set the property CONNECTOR_BIGQUERY_CREATE_CUSTOM_IAM_ROLES to false in Advanced Configuration (custom-IAM-roles), you can remove the following permissions from the PolicySync role:
    • iam.roles.create
    • iam.roles.update
    • iam.roles.list
    • iam.roles.get
  • For the list of custom IAM roles you then need to create manually, refer to Advanced Configuration (custom-IAM-roles).
  • If you disable secure views, or keep native support only (Advanced Configuration: Native Row Filter and Tag Masking), you can omit the following permissions from the PolicySync role:
    • bigquery.datasets.create
    • bigquery.datasets.delete
    • bigquery.tables.create
    • bigquery.tables.getData
    • bigquery.tables.update
    • bigquery.tables.delete
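
The permission groups in the note above lend themselves to a small least-privilege helper. The following Python script is an added example, not Privacera's tooling: it renders the same YAML shape as the heredoc earlier on this page, but drops the groups the page marks as optional (the iam.roles.* permissions when CONNECTOR_BIGQUERY_CREATE_CUSTOM_IAM_ROLES is false, the six secure-view permissions, the rowAccessPolicies.* permissions used only by the native row filter, and the Data Catalog / dataPolicies permissions used only by tag-based masking). The keyword flags are this example's own names, not connector properties; only CONNECTOR_BIGQUERY_CREATE_CUSTOM_IAM_ROLES is a real property from the page.

```python
"""Derive a least-privilege PrivaceraPolicySyncRole from the features in use.

Added example, not Privacera's own tooling. The permission list and the
optional groups come from this page; the keyword arguments are this
example's own names (assumption), not connector properties.
"""

# Full permission list, in the order the page's YAML lists it.
PAGE_PERMISSIONS = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
    "iam.roles.list", "iam.roles.get", "iam.roles.create", "iam.roles.update",
    "bigquery.jobs.create",
    "bigquery.datasets.get", "bigquery.datasets.create", "bigquery.datasets.update",
    "bigquery.datasets.delete", "bigquery.datasets.getIamPolicy",
    "bigquery.datasets.setIamPolicy",
    "bigquery.tables.list", "bigquery.tables.get", "bigquery.tables.getData",
    "bigquery.tables.create", "bigquery.tables.update", "bigquery.tables.delete",
    "bigquery.tables.getIamPolicy", "bigquery.tables.setIamPolicy",
    "bigquery.rowAccessPolicies.list", "bigquery.rowAccessPolicies.create",
    "bigquery.rowAccessPolicies.update", "bigquery.rowAccessPolicies.delete",
    "bigquery.rowAccessPolicies.getIamPolicy", "bigquery.rowAccessPolicies.setIamPolicy",
    "datacatalog.categories.getIamPolicy", "datacatalog.categories.setIamPolicy",
    "datacatalog.taxonomies.get", "datacatalog.taxonomies.getIamPolicy",
    "datacatalog.taxonomies.list", "datacatalog.taxonomies.setIamPolicy",
    "datacatalog.taxonomies.update",
    "bigquery.dataPolicies.create", "bigquery.dataPolicies.delete",
    "bigquery.dataPolicies.get", "bigquery.dataPolicies.getIamPolicy",
    "bigquery.dataPolicies.list", "bigquery.dataPolicies.setIamPolicy",
    "bigquery.dataPolicies.update",
    "bigquery.tables.setCategory",
]

# Optional groups exactly as the page's Note and permission table describe them.
CUSTOM_ROLE_MGMT = frozenset({"iam.roles.list", "iam.roles.get",
                              "iam.roles.create", "iam.roles.update"})
SECURE_VIEWS = frozenset({"bigquery.datasets.create", "bigquery.datasets.delete",
                          "bigquery.tables.create", "bigquery.tables.getData",
                          "bigquery.tables.update", "bigquery.tables.delete"})
NATIVE_ROW_FILTER = frozenset(p for p in PAGE_PERMISSIONS
                              if p.startswith("bigquery.rowAccessPolicies."))
TAG_MASKING = frozenset(p for p in PAGE_PERMISSIONS
                        if p.startswith(("datacatalog.", "bigquery.dataPolicies."))
                        ) | {"bigquery.tables.setCategory"}


def required_permissions(*, create_custom_roles=True, secure_views=True,
                         native_row_filter=True, tag_masking=True):
    """Return the page's list minus the groups whose feature is switched off."""
    drop = set()
    if not create_custom_roles:
        drop |= CUSTOM_ROLE_MGMT
    if not secure_views:
        drop |= SECURE_VIEWS
    if not native_row_filter:
        drop |= NATIVE_ROW_FILTER
    if not tag_masking:
        drop |= TAG_MASKING
    return [p for p in PAGE_PERMISSIONS if p not in drop]


def role_yaml(role_name="PrivaceraPolicySyncRole", **features):
    """Render the YAML consumed by `gcloud iam roles create --file`, same shape as the page."""
    lines = [f'title: "{role_name}"', f'description: "{role_name}"',
             'stage: "ALPHA"', "includedPermissions:"]
    lines += [f"- {p}" for p in required_permissions(**features)]
    return "\n".join(lines) + "\n"


def excess_permissions(granted, **features):
    """Permissions held by a deployed role that the chosen feature set does not need.

    `granted` is the includedPermissions list of the role as deployed, e.g. from
    `gcloud iam roles describe ROLE --project=PROJECT --format=json`.
    """
    needed = set(required_permissions(**features))
    return sorted(set(granted) - needed)


if __name__ == "__main__":
    import sys
    # Minimal variant: custom roles created by hand, secure views off, native features only.
    sys.stdout.write(role_yaml(create_custom_roles=False, secure_views=False))
```

Redirect the script's output to `${ROLE_NAME}.yaml` and the `gcloud iam roles create` commands in the following sections work unchanged; `excess_permissions` is the periodic check that a role has not quietly grown beyond what the enabled features require.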

Create Project-level Access IAM Role for Service Account

To create the PrivaceraPolicySyncRole role in your GCP project, set your project ID (replace <GCP_PROJECT_ID> with your actual GCP project ID) and run the following commands. ROLE_NAME is the variable set in the previous section.
Text Only
PROJECT_ID="<GCP_PROJECT_ID>"

gcloud iam roles create ${ROLE_NAME} --project=${PROJECT_ID} --file=${ROLE_NAME}.yaml

Create Organization-level IAM Role for Service Account

To create the PrivaceraPolicySyncRole role in your GCP organization, set your organization ID (replace <GCP_ORGANIZATION_ID> with your GCP organization ID) and run the following commands. ROLE_NAME is the variable set in the IAM Role Permissions section.
Text Only
ORGANIZATION_ID="<GCP_ORGANIZATION_ID>"

gcloud iam roles create ${ROLE_NAME} --organization=${ORGANIZATION_ID} --file=${ROLE_NAME}.yaml

Attach IAM Role to Service Account

To attach the PrivaceraPolicySyncRole IAM role created above to a service account, follow these steps:

  1. Log in to your GCP console.

  2. Navigate to IAM & admin > Service accounts, and click + CREATE SERVICE ACCOUNT.

  3. Enter the required values in the fields and click CREATE.

  4. In the Grant this service account access to project section, select the role PrivaceraPolicySyncRole.

  5. On the Service Account Page, locate the newly created service account and copy its email address for use in a later step.

  6. If you are using a Google VM instance to configure Google BigQuery for PolicySync, you may attach the service account created above to your VM instance and skip the following steps.

  7. On the Service Account Page, navigate to the Keys tab, click Add Key, and then select Create New Key.

  8. Select the JSON key type and click CREATE. A JSON key file will be downloaded to your system. Please store the file in an accessible location, as it will be used to configure PolicySync in Privacera Manager.

For more detailed information on creating a service account, see the Google documentation.

Configure Logs for Auditing

A sink is required to collect all logs from Google BigQuery. To create a sink, follow the below steps:

  1. In the search bar, type Logging, then click Log Router and select Create Sink.

  2. Enter the sink name as PolicySyncBigQueryAuditSink, and click Next.

  3. Configure the sink destination:

    1. Under Select sink service, choose BigQuery dataset.
    2. Under Select BigQuery dataset, click Create new BigQuery dataset.
    3. Enter the Dataset ID as bigquery_audits, and click Create Dataset.

      Warning

      Ensure the Use partitioned tables option remains unchecked while creating the sink.
      Enabling partitioned tables can cause issues with log retention and querying for auditing purposes.

    4. Click Next.

  4. Add BigQuery logs to the sink:

    1. In the Build inclusion filter section, add the following line and click Next:
      Text Only
      resource.type="bigquery_resource"
      
  5. Review the configuration and click Create Sink.

For more detailed information on creating a sink, see the Google documentation.
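
To see what the sink above actually collects, the following Python snippet is an added example (not part of the Privacera connector): it applies the same inclusion filter, resource.type="bigquery_resource", to a handful of Cloud Logging entries and pulls out the fields an auditor needs. The entries are constructed samples laid out like Cloud Audit Logs entries (resource.type, protoPayload.authenticationInfo.principalEmail, protoPayload.methodName, and the query text under protoPayload.metadata.jobChange.job.jobConfig.queryConfig); every value in them is invented. The last function shows one use of the collected logs from a defender's side: spotting IAM changes on BigQuery resources that were not made by the PolicySync service account and therefore bypass Privacera policies.

```python
"""Apply the audit sink's inclusion filter and summarise the captured entries.

Added example, not part of the Privacera connector. SAMPLE_ENTRIES are
constructed; the field paths follow the Cloud Audit Logs layout.
"""

SINK_RESOURCE_TYPE = "bigquery_resource"  # the sink filter: resource.type="bigquery_resource"
POLICYSYNC_SA = "policysync@example-project.iam.gserviceaccount.com"  # constructed

# Constructed sample log entries (not real logs).
SAMPLE_ENTRIES = [
    {   # a query job: captured by the sink
        "timestamp": "2024-05-01T10:00:00Z",
        "resource": {"type": "bigquery_resource", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "analyst@example.com"},
            "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
            "resourceName": "projects/example-project/jobs/job_1",
            "metadata": {"jobChange": {"job": {"jobConfig": {"queryConfig": {
                "query": "SELECT ssn FROM hr.employees"}}}}},
        },
    },
    {   # an IAM change made by PolicySync itself: captured, expected
        "timestamp": "2024-05-01T10:05:00Z",
        "resource": {"type": "bigquery_resource", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": POLICYSYNC_SA},
            "methodName": "google.iam.v1.IAMPolicy.SetIamPolicy",
            "resourceName": "projects/example-project/datasets/hr/tables/employees",
        },
    },
    {   # the same kind of change by a human: captured, and worth reviewing
        "timestamp": "2024-05-01T11:30:00Z",
        "resource": {"type": "bigquery_resource", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "methodName": "google.iam.v1.IAMPolicy.SetIamPolicy",
            "resourceName": "projects/example-project/datasets/hr",
        },
    },
    {   # a Compute Engine entry: excluded by the inclusion filter
        "timestamp": "2024-05-01T12:00:00Z",
        "resource": {"type": "gce_instance", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "ops@example.com"},
            "methodName": "v1.compute.instances.insert",
        },
    },
]


def matches_sink_filter(entry):
    """True when the entry satisfies resource.type="bigquery_resource"."""
    return entry.get("resource", {}).get("type") == SINK_RESOURCE_TYPE


def summarize(entry):
    """Flatten one entry into the fields an auditor looks at first."""
    payload = entry.get("protoPayload", {})
    query = (payload.get("metadata", {}).get("jobChange", {}).get("job", {})
             .get("jobConfig", {}).get("queryConfig", {}).get("query"))
    return {
        "timestamp": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "method": payload.get("methodName"),
        "resource": payload.get("resourceName"),
        "query": query,
    }


def audit_rows(entries):
    """What the sink would forward to the bigquery_audits dataset, summarised."""
    return [summarize(e) for e in entries if matches_sink_filter(e)]


def out_of_band_iam_changes(entries, policysync_principal=POLICYSYNC_SA):
    """IAM policy changes on BigQuery resources not made by PolicySync.

    Such changes sidestep Privacera policies and will be overwritten or
    conflict on the next sync, so they deserve a review.
    """
    return [r for r in audit_rows(entries)
            if (r["method"] or "").endswith("SetIamPolicy")
            and r["principal"] != policysync_principal]


if __name__ == "__main__":
    for row in audit_rows(SAMPLE_ENTRIES):
        print(row)
    print("out-of-band IAM changes:", out_of_band_iam_changes(SAMPLE_ENTRIES))
```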

Workload Identity for BigQuery (Optional)

To enable Workload Identity for BigQuery, please follow the steps below:

  1. Enable Workload Identity on the GKE cluster:

    • To enable Workload Identity Federation for GKE on an existing cluster, run the following command:

      Text Only
      gcloud container clusters update <CLUSTER_NAME> \
          --location=<LOCATION> \
          --workload-pool=<PROJECT_ID>.svc.id.goog

      Replace the following:

      • CLUSTER_NAME: the name of the cluster.
      • LOCATION: the Compute Engine location for the cluster.
      • PROJECT_ID: your Google Cloud project ID.
    • To create a new node pool that uses Workload Identity Federation for GKE, run the following command:

      Text Only
      gcloud container node-pools create <NODEPOOL_NAME> \
          --cluster=<CLUSTER_NAME> \
          --region=<REGION> \
          --workload-metadata=GKE_METADATA

      Replace the following:

      • NODEPOOL_NAME: the name of the new node pool.
      • CLUSTER_NAME: the name of the existing cluster with Workload Identity Federation for GKE enabled.
      • REGION: the region where the cluster is located.
  2. Create an IAM policy binding that allows the Kubernetes ServiceAccount to impersonate the IAM service account:

    • Run the following command to add the IAM policy binding:
      Text Only
      gcloud iam service-accounts add-iam-policy-binding <IAM_SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
          --role roles/iam.workloadIdentityUser \
          --member "serviceAccount:<PROJECT_ID>.svc.id.goog[<NAMESPACE>/<KSA_NAME>]"

      Replace the following:
      • IAM_SA_NAME: the IAM service account name.
      • PROJECT_ID: your Google Cloud project ID.
      • NAMESPACE: the Kubernetes namespace name.
      • KSA_NAME: the Kubernetes ServiceAccount name, e.g. connector-<CONNECTOR-NAME>-<INSTANCE-NAME>-privacera-sa.

Note
If you don't have an existing cluster in your GCP project, follow the Google documentation to create a new cluster and node pool.

Alternatively, enable Workload Identity from the Google Cloud Console:

  1. Enable Workload Identity on the GKE cluster:

    • To enable Workload Identity Federation for GKE on an existing cluster:

      • Navigate to Kubernetes Engine > Clusters.
      • Select the cluster name.
      • In the Workload Identity section, click Edit and select the Enable Workload Identity checkbox.
      • Click Save.
    • To modify an existing node pool to use Workload Identity Federation for GKE, perform the following steps:

      • Navigate to Kubernetes Engine > Clusters.
      • Click on the cluster name.
      • Click on the Node tab.
      • Click on the node pool name you want to modify.
      • Click Edit.
      • In the Security section, select the Enable GKE Metadata Server checkbox.
      • Click Save.
  2. Create an IAM allow policy that grants the Kubernetes ServiceAccount permission to impersonate the IAM service account:

    • Go to the IAM & Admin page in the Google Cloud Console.
    • Click on Service accounts in the sidebar.
    • Find and select your service account.
    • Go to the Permissions tab.
    • Click Grant Access, and in the role section, search for workload identity user.
    • In Principal name, add <PROJECT_ID>.svc.id.goog[<NAMESPACE>/<KSA_NAME>], where:
      • PROJECT_ID: your Google Cloud project ID.
      • NAMESPACE: the Kubernetes namespace name.
      • KSA_NAME: the Kubernetes ServiceAccount name, e.g. connector-<CONNECTOR-NAME>-<INSTANCE-NAME>-privacera-sa.
    • Click Save.


Basic Authentication for PolicySync (Optional)

To optionally enable basic authentication for PolicySync with Google BigQuery, create a JSON file in the subdirectory of your connector instance. The file must be named XXX.json.

An example of the contents of XXX.json:
JSON
{
  "type": "service_account",
  "project_id": "your_project_id",
  "private_key_id": "autogenerated_value",
  "private_key": "-----BEGIN PRIVATE KEY-----autogenerated_value-----END PRIVATE KEY-----\n",
  "client_email": "autogenerated_value",
  "client_id": "autogenerated_value",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/autogenerated_value"
}
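
A key file like the one above is a long-lived credential, so it is worth checking before PolicySync is pointed at it. The following Python snippet is an added example, not part of the Privacera connector: it verifies that the JSON carries the fields shown above, that type is service_account, that private_key is PEM-wrapped, that client_email is a service-account address, and that the file is not readable by other users on the host. SAMPLE_KEY is a constructed example with placeholder values only; it is not a real credential. (Where the connector runs on GKE, the Workload Identity option above avoids a key file altogether.)

```python
"""Sanity-check a service-account key file before handing it to PolicySync.

Added example, not part of the Privacera connector. SAMPLE_KEY is
constructed with placeholder values and is not a real credential.
"""
import json
import os

# Fields present in the key file layout shown on this page.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)

PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"

SAMPLE_KEY = {  # constructed; placeholder values only
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": f"{PEM_BEGIN}\nPLACEHOLDER\n{PEM_END}\n",
    "client_email": "policysync@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "policysync%40example-project.iam.gserviceaccount.com",
}


def key_problems(key):
    """Return a list of problems with the parsed key JSON; empty means it looks usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        problems.append("type must be service_account")
    pk = key.get("private_key", "")
    if not (pk.startswith(PEM_BEGIN) and pk.rstrip().endswith(PEM_END)):
        problems.append("private_key is not a PEM-wrapped key")
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems


def key_file_problems(path):
    """Check the file on disk: readability, permission bits, JSON shape, then key contents."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return [f"cannot read key file: {path}"]
    problems = []
    if mode & 0o077:  # any group/other permission bit set
        problems.append("key file is readable by group or others; run chmod 600 on it")
    with open(path, encoding="utf-8") as fh:
        try:
            key = json.load(fh)
        except ValueError:
            return problems + ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return problems + ["key file must contain a JSON object"]
    return problems + key_problems(key)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "XXX.json"  # XXX.json as named on this page
    found = key_file_problems(path)
    print("\n".join(found) if found else f"{path}: no problems found")
```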

Enable Required Google Cloud APIs

Before configuring the BigQuery connector, ensure that the following Google Cloud APIs are enabled in your GCP project. These APIs are essential for the connector to function properly and perform access management operations.

Required APIs

  • Cloud Resource Manager API: manages Google Cloud Platform resource containers. Required for project-level resource management and IAM operations.
  • Identity and Access Management (IAM) API: manages identity and access control for Google Cloud resources. Essential for creating and managing service accounts and roles.
  • Google Cloud Data Catalog API: manages metadata and data discovery. Required for taxonomy and policy tag management.
  • BigQuery Data Policy API: manages column-level and row-level security policies. Essential for implementing fine-grained access controls.
  • BigQuery Connection API: manages BigQuery connections. Required for establishing secure connections to BigQuery resources.
  • BigQuery API: core BigQuery service API. Fundamental API for all BigQuery operations.

How to Enable APIs

You can enable these APIs using either the Google Cloud Console or the gcloud CLI.

Using the Google Cloud Console:

  1. Navigate to the Google Cloud Console.
  2. At the top of the page, select the correct project from the project selector.
  3. Go to APIs & Services > Library.
  4. In the search bar, enter the name of the API (for example: Cloud Resource Manager API).
  5. Click the API in the search results and click Enable.
  6. Repeat these steps for all required APIs listed above.

Using the gcloud CLI:
Bash
# Set your project ID
PROJECT_ID="your-project-id"
gcloud config set project $PROJECT_ID

# Enable required APIs
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable datacatalog.googleapis.com
gcloud services enable bigquerydatapolicy.googleapis.com
gcloud services enable bigqueryconnection.googleapis.com
gcloud services enable bigquery.googleapis.com

API Propagation Time

After enabling APIs, it may take a few minutes for the changes to propagate across Google's systems. If you encounter permission errors immediately after enabling an API, wait 5-10 minutes and retry.