
Custom IAM Role Details

Goal

Enable fine-grained access control in your BigQuery integration using custom IAM roles. These roles can be automatically created by PolicySync or managed manually, depending on your requirements.

Prerequisites

Before you begin, ensure the following:

  • Privacera Manager is installed and the base installation is operational.
  • The BigQuery connector is configured or currently being configured.

Configuration Steps

  1. CREATE_CUSTOM_IAM_ROLES:

    • Enable this property to let PolicySync create the custom IAM roles automatically in your GCP project or organization, which is what makes fine-grained access control possible. The identity PolicySync runs as must be allowed to create custom roles at that scope (in GCP terms, roles/iam.roleAdmin on the project, or roles/iam.organizationRoleAdmin on the organization).

      Note

      If this property is disabled (false), you will need to create all custom IAM roles manually within your GCP project or organization.

  2. CUSTOM_IAM_ROLES_SCOPE:

    • Specifies the scope at which custom IAM roles will be created and applied.
    • Set to project to create and use custom IAM roles at the individual project level.
    • Set to organization to create and use custom IAM roles at the organization level.
    • If you manually create custom IAM roles at the organization level, they will be applied across all managed projects within that organization.
  3. ORGANIZATION_ID:

    • If you opt to use organization-level IAM roles (by setting CONNECTOR_BIGQUERY_CUSTOM_IAM_ROLES_SCOPE to organization), specify your numeric GCP organization ID in this field.

      Note

      This property is required only when custom IAM roles are created at the organization level.

If you choose to manage IAM roles manually, refer to the details below.
| Role | Role Description | Included Permission |
| --- | --- | --- |
| PrivaceraGBQProjectListRole | IAM Role for Project List operation created by Privacera. | resourcemanager.projects.get |
| PrivaceraGBQJobListRole | IAM Role for Job List operation created by Privacera. | bigquery.jobs.list |
| PrivaceraGBQJobListAllRole | IAM Role for Job List All operation created by Privacera. | bigquery.jobs.listAll |
| PrivaceraGBQJobCreateRole | IAM Role for Job Create operation created by Privacera. | bigquery.jobs.create |
| PrivaceraGBQJobGetRole | IAM Role for Job Get operation created by Privacera. | bigquery.jobs.get |
| PrivaceraGBQJobUpdateRole | IAM Role for Job Update operation created by Privacera. | bigquery.jobs.update |
| PrivaceraGBQJobDeleteRole | IAM Role for Job Delete operation created by Privacera. | bigquery.jobs.delete |
| PrivaceraGBQDatasetCreateRole | IAM Role for Dataset Create operation created by Privacera. | bigquery.datasets.create |
| PrivaceraGBQDatasetGetMetadataRole | IAM Role for Dataset Get Metadata operation created by Privacera. | bigquery.datasets.get |
| PrivaceraGBQDatasetUpdateRole | IAM Role for Dataset Update operation created by Privacera. | bigquery.datasets.update |
| PrivaceraGBQDatasetDeleteRole | IAM Role for Dataset Delete operation created by Privacera. | bigquery.datasets.delete |
| PrivaceraGBQTableListRole | IAM Role for Table List operation created by Privacera. | bigquery.tables.list |
| PrivaceraGBQTableCreateRole | IAM Role for Table Create operation created by Privacera. | bigquery.tables.create |
| PrivaceraGBQTableGetMetadataRole | IAM Role for Table Get Metadata operation created by Privacera. | bigquery.tables.get |
| PrivaceraGBQTableQueryRole | IAM Role for Query operation created by Privacera. | bigquery.tables.getData |
| PrivaceraGBQTableExportRole | IAM Role for Table Export operation created by Privacera. | bigquery.tables.export |
| PrivaceraGBQTableUpdateMetadataRole | IAM Role for Table Update Metadata operation created by Privacera. | bigquery.tables.updateMeta |
| PrivaceraGBQTableUpdateRole | IAM Role for Table Update operation created by Privacera. | bigquery.tables.updateData |
| PrivaceraGBQTableSetCategoryRole | IAM Role for Table Set Category operation created by Privacera. | bigquery.tables.setCategory |
| PrivaceraGBQTableDeleteRole | IAM Role for Table Delete operation created by Privacera. | bigquery.tables.delete |
| PrivaceraGBQTransferUpdateRole | IAM Role for Transfer Update operation created by Privacera. | bigquery.transfers.update |
| PrivaceraGBQTransferGetRole | IAM Role for Transfer Get operation created by Privacera. | bigquery.transfers.get |
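The script below is an added example for the manual path, not Privacera's own tooling: it creates each role in the table above with gcloud, at either scope, and then checks that each role exists with exactly the permission listed. It assumes gcloud is installed and authenticated as an identity that may create custom roles at the chosen scope (roles/iam.roleAdmin on the project, or roles/iam.organizationRoleAdmin on the organization), and that the organization ID is the numeric one GCP assigns. The `GCLOUD` override, the `PRIVACERA_ROLES` list and the script name are this example's own conventions, not the product's.

```shell
#!/usr/bin/env bash
# Added example (not Privacera's code): create and verify the custom IAM roles
# from the table on this page with gcloud, at project or organization scope.
# Assumes gcloud is authenticated as an identity that may create custom roles
# at the chosen scope (roles/iam.roleAdmin on the project, or
# roles/iam.organizationRoleAdmin on the organization). GCLOUD is a hypothetical
# override for previewing: GCLOUD=echo prints the commands instead of calling GCP.
set -eu

# role_id|operation|permission, copied from the table on this page.
PRIVACERA_ROLES='
PrivaceraGBQProjectListRole|Project List|resourcemanager.projects.get
PrivaceraGBQJobListRole|Job List|bigquery.jobs.list
PrivaceraGBQJobListAllRole|Job List All|bigquery.jobs.listAll
PrivaceraGBQJobCreateRole|Job Create|bigquery.jobs.create
PrivaceraGBQJobGetRole|Job Get|bigquery.jobs.get
PrivaceraGBQJobUpdateRole|Job Update|bigquery.jobs.update
PrivaceraGBQJobDeleteRole|Job Delete|bigquery.jobs.delete
PrivaceraGBQDatasetCreateRole|Dataset Create|bigquery.datasets.create
PrivaceraGBQDatasetGetMetadataRole|Dataset Get Metadata|bigquery.datasets.get
PrivaceraGBQDatasetUpdateRole|Dataset Update|bigquery.datasets.update
PrivaceraGBQDatasetDeleteRole|Dataset Delete|bigquery.datasets.delete
PrivaceraGBQTableListRole|Table List|bigquery.tables.list
PrivaceraGBQTableCreateRole|Table Create|bigquery.tables.create
PrivaceraGBQTableGetMetadataRole|Table Get Metadata|bigquery.tables.get
PrivaceraGBQTableQueryRole|Query|bigquery.tables.getData
PrivaceraGBQTableExportRole|Table Export|bigquery.tables.export
PrivaceraGBQTableUpdateMetadataRole|Table Update Metadata|bigquery.tables.updateMeta
PrivaceraGBQTableUpdateRole|Table Update|bigquery.tables.updateData
PrivaceraGBQTableSetCategoryRole|Table Set Category|bigquery.tables.setCategory
PrivaceraGBQTableDeleteRole|Table Delete|bigquery.tables.delete
PrivaceraGBQTransferUpdateRole|Transfer Update|bigquery.transfers.update
PrivaceraGBQTransferGetRole|Transfer Get|bigquery.transfers.get
'

# Map the page's CUSTOM_IAM_ROLES_SCOPE value to the gcloud flag that selects the
# parent resource: a project ID, or a numeric organization ID.
scope_flag() {
  case "$1" in
    project)      printf '%s\n' "--project=$2" ;;
    organization) printf '%s\n' "--organization=$2" ;;
    *) echo "unknown scope '$1' (expected project or organization)" >&2; return 1 ;;
  esac
}

# Create one role carrying exactly the single permission from its table row.
create_role() {
  local scope="$1" target="$2" role_id="$3" operation="$4" permission="$5" flag
  flag=$(scope_flag "$scope" "$target") || return 1
  "${GCLOUD:-gcloud}" iam roles create "$role_id" "$flag" \
    --title="$role_id" \
    --description="IAM Role for $operation operation created by Privacera" \
    --permissions="$permission" \
    --stage=GA
}

# Check that the role exists and carries exactly the expected permission.
# value(includedPermissions) joins multiple permissions with ';', so a role that
# later gained extra permissions is reported as a mismatch as well.
verify_role() {
  local scope="$1" target="$2" role_id="$3" permission="$5" flag actual
  flag=$(scope_flag "$scope" "$target") || return 1
  actual=$("${GCLOUD:-gcloud}" iam roles describe "$role_id" "$flag" \
             --format='value(includedPermissions)' || true)
  if [ "$actual" = "$permission" ]; then
    echo "OK   $role_id -> $permission"
  else
    echo "FAIL $role_id: expected '$permission', got '${actual:-<missing>}'" >&2
    return 1
  fi
}

# Apply a per-role function to every table row; keep going on errors and
# report how many rows failed, so one bad row does not hide the rest.
for_each_role() {
  local fn="$1" scope="$2" target="$3" role_id operation permission failed=0
  while IFS='|' read -r role_id operation permission; do
    [ -n "$role_id" ] || continue
    "$fn" "$scope" "$target" "$role_id" "$operation" "$permission" || failed=$((failed + 1))
  done <<EOF
$PRIVACERA_ROLES
EOF
  [ "$failed" -eq 0 ] || { echo "$failed role(s) failed" >&2; return 1; }
}

# Usage (script name is hypothetical):
#   GCLOUD=echo ./privacera_gbq_roles.sh create project my-project    # preview only
#   ./privacera_gbq_roles.sh create organization 123456789012         # create for real
#   ./privacera_gbq_roles.sh verify organization 123456789012         # check afterwards
case "${1:-}" in
  create) for_each_role create_role "$2" "$3" ;;
  verify) for_each_role verify_role "$2" "$3" ;;
esac
```

Preview with `GCLOUD=echo` first so the exact `gcloud iam roles create` invocations can be reviewed before anything is created, then run `create` and finally `verify`. Keep the role IDs and permissions exactly as in the table above. `gcloud iam roles create` refuses to overwrite a role that already exists, so a re-run reports those rows as failed; use `verify` to check them, or `gcloud iam roles update` if a permission needs changing.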
  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on the Access Management > ADVANCED tab.

  4. To configure custom IAM roles, enter values in the following fields:

    • Create custom IAM roles in GCP: enable the flag.

    • GCP custom IAM roles scope: project or organization.

    • GCP organization ID: your numeric organization ID (required only for the organization scope).

  5. Click SAVE to apply the changes.

Warning

The values shown below are for example purposes only. Replace them with your actual configuration values.

YAML
# Enable automatic creation of custom IAM roles in your GCP project or organization
CONNECTOR_BIGQUERY_CREATE_CUSTOM_IAM_ROLES: "true"

# Define whether custom IAM roles should be created at the project or organization level
CONNECTOR_BIGQUERY_CUSTOM_IAM_ROLES_SCOPE: "project"  # or "organization"

# Set your numeric GCP organization ID; required only when the scope above is "organization"
CONNECTOR_BIGQUERY_ORGANIZATION_ID: "your-gcp-org-id"
Save the file and update Privacera Manager:
Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh update

  1. In PrivaceraCloud, navigate to Settings > Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then navigate to Access Management.

  4. Under the ADVANCED tab, enter the values for:

    • Create Custom IAM Roles in GCP: enable the flag.
    • GCP Custom IAM Roles Scope: project or organization.
    • GCP Organization ID: your numeric organization ID (required only for the organization scope).
  5. Click SAVE.

  6. Once saved and enabled, the BigQuery connector starts. Hover over the VIEW LOGS button to check its status, either Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Go to Settings > Applications and select the BigQuery connector application.

  2. Edit the application, disable it, and save.

  3. Open the same application again, enable it, and save.
