Access Management for Service Accounts in Native Tag Based Masking

This section introduces the service account principal, which is one of the entity types in Google BigQuery (GBQ).

Google BigQuery uses service accounts with emails in the format <service-account-name>@<project_name>.iam.gserviceaccount.com for authentication and access control.

How Privacera supports it using the user email

  • To enable Privacera to support this type of email in the user principal, you must configure the RANGER_VALID_EMAIL_REGEX property in Privacera Manager.
  • This property specifies the valid email format for service account principals, so that the Privacera Portal can correctly recognize and process service account emails in user principals for access management.

  • For the BigQuery Connector to identify the regex pattern of service account emails, set the CONNECTOR_BIGQUERY_USER_SERVICE_ACCOUNT_REGEX_PATTERN property in the vars.connector.bigquery.yml file.

Note

  • The default regex pattern for service account emails, which is set in the connector, is ^[a-zA-Z0-9\\-]+@([a-zA-Z0-9\\-]+\\.iam|appspot|developer|cloudservices|cloudbuild|gcp-sa-[a-z0-9-]+)\\.gserviceaccount\\.com$
  • This pattern is used to match the format of service account emails in the Google BigQuery Connector.
  • If your service account emails follow the above pattern, you do not need to change or set the CONNECTOR_BIGQUERY_USER_SERVICE_ACCOUNT_REGEX_PATTERN property in the vars.connector.bigquery.yml file.

Info

  • For instructions on how to create a service account in Google Cloud BigQuery, refer to the link.

Perform the following steps to configure access for service accounts in native tag based masking:

  1. Navigate to the config directory, copy the sample vars file into custom-vars, and open it for editing:
    Bash
    cd ~/privacera/privacera-manager/config/
    cp sample-vars/vars.ranger.admin.yml custom-vars
    vi custom-vars/vars.ranger.admin.yml
    
  2. Add the following property and value:
    YAML
    RANGER_VALID_EMAIL_REGEX: "^[\\w]([\\-.\\w\\+])*[\\w\\+]+@[\\w]+([\\-\\w]*\\w)?(\\.[a-z0-9\\-]+)*\\.[a-z]{2,}$"
    
  3. Save the file and update Privacera Manager:
    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

  4. Create a user in the Privacera Portal or Ranger using the service account email.
    For example: <service-account-name>@<project_name>.iam.gserviceaccount.com
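The two regexes on this page (the connector's default CONNECTOR_BIGQUERY_USER_SERVICE_ACCOUNT_REGEX_PATTERN from the Note above and the RANGER_VALID_EMAIL_REGEX from step 2) are easy to get wrong when escaped into YAML, so it is worth checking them against real principal names before running the update. The following is an added example, not Privacera's code: it assumes the page's values are double-quoted YAML strings, so each `\\` becomes a single backslash in the loaded value, and it uses Python's `re` module with `re.ASCII` as a stand-in for the Java regex engine that Ranger and the connector actually run (both patterns use only constructs the two engines share). All sample emails, project names and account names are constructed placeholders.

```python
import re

# Effective pattern values after YAML unescaping (assumption: the page's "\\"
# is double-quoted YAML escaping for a single backslash).

# Default service-account pattern of the BigQuery connector
# (CONNECTOR_BIGQUERY_USER_SERVICE_ACCOUNT_REGEX_PATTERN).
CONNECTOR_SERVICE_ACCOUNT_REGEX = (
    r"^[a-zA-Z0-9\-]+@([a-zA-Z0-9\-]+\.iam|appspot|developer|cloudservices"
    r"|cloudbuild|gcp-sa-[a-z0-9-]+)\.gserviceaccount\.com$"
)

# RANGER_VALID_EMAIL_REGEX as set in vars.ranger.admin.yml.
RANGER_VALID_EMAIL_REGEX = (
    r"^[\w]([\-.\w\+])*[\w\+]+@[\w]+([\-\w]*\w)?(\.[a-z0-9\-]+)*\.[a-z]{2,}$"
)

# re.ASCII keeps \w at [A-Za-z0-9_], which is what the Java engine behind
# Ranger and the connector does; Python's default \w would also match Unicode.
_CONNECTOR_RE = re.compile(CONNECTOR_SERVICE_ACCOUNT_REGEX, re.ASCII)
_RANGER_RE = re.compile(RANGER_VALID_EMAIL_REGEX, re.ASCII)


def is_service_account(email: str) -> bool:
    """True if the connector would treat this principal as a service account."""
    return _CONNECTOR_RE.fullmatch(email) is not None


def is_valid_ranger_email(email: str) -> bool:
    """True if the Portal/Ranger would accept this email when creating the user."""
    return _RANGER_RE.fullmatch(email) is not None


def classify(email: str) -> str:
    """
    Summarise how a principal is handled end to end:
      'service-account' - accepted by Ranger and recognised by the connector
      'user'            - accepted by Ranger but not matched as a service account
      'rejected'        - Ranger would refuse to create the user at all
    """
    if not is_valid_ranger_email(email):
        return "rejected"
    return "service-account" if is_service_account(email) else "user"


# Constructed sample principals (placeholders, not taken from the page).
SAMPLE_PRINCIPALS = [
    "my-sa@my-project.iam.gserviceaccount.com",            # user-managed SA
    "123456789-compute@developer.gserviceaccount.com",     # default Compute SA
    "my-project@appspot.gserviceaccount.com",              # App Engine default SA
    "alice@example.com",                                   # ordinary user
    "my_sa@my-project.iam.gserviceaccount.com",            # underscore is not a valid SA id
    "my-sa@my-project.iam.gserviceaccount.com.evil.test",  # lookalike suffix, anchored $ rejects it
    "alice@localhost",                                     # no TLD: Ranger rejects the user
]


def classify_all(emails=SAMPLE_PRINCIPALS) -> dict:
    """Map each sample principal to its classification."""
    return {e: classify(e) for e in emails}


if __name__ == "__main__":
    for email, verdict in classify_all().items():
        print(f"{verdict:16} {email}")
```

The lookalike and underscore cases are the ones to watch: both pass RANGER_VALID_EMAIL_REGEX (it is a general email check), but only principals that also match the connector pattern get service-account treatment, so a typo in the connector pattern silently demotes every service account to a plain user rather than failing loudly.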

Post-Configuration

  • Set up the Google Cloud CLI to verify service account access:
    Refer to the installation link.
  • Execute the following commands to log in as the service account and select the project:
    Bash
    gcloud auth activate-service-account --key-file=<SERVICE-ACCOUNT-KEY-JSON-FILE-PATH>
    gcloud config set project <project-name>
    
  • If the bq tool is missing, install it manually:
    Bash
    gcloud components install bq
    
  • Execute a query to check the service account's access:
    Bash
    bq query --use_legacy_sql=false "SELECT * FROM \`<project-name>.<dataset-name>.<table-name>\` LIMIT 10;"
    
