
Access Management for Service Account in Native Tag-Based Masking

This section describes how to configure access management for service accounts in Google BigQuery when using Native Tag-Based Masking in Privacera.

Google BigQuery uses service accounts with email addresses in the format:

Bash
<service-account-name>@<project_name>.iam.gserviceaccount.com

These service accounts are used for authentication and authorization in GCP. Privacera treats these service account emails as valid user principals by matching them against regex patterns.

How Privacera Supports Service Accounts

Privacera provides built-in support for service account emails by using the following default regex pattern:

Text Only
 ^[a-zA-Z0-9\\-]+@([a-zA-Z0-9\\-]+\\.iam|appspot|developer|cloudservices|cloudbuild|gcp-sa-[a-z0-9-]+)\\.gserviceaccount\\.com$

  • This regex is set automatically for the BigQuery connector.
  • If your service account email matches this pattern, no changes are required.
  • If your service account emails use a custom format that this pattern does not match, override the pattern by following the configuration steps below.

Info

  • For instructions on how to create a service account in Google Cloud BigQuery, refer to the Google Cloud documentation.

Update the Email Regex Pattern in Ranger Admin

Perform the following steps to configure access for service accounts in Native Tag-Based Masking:

  1. If your service accounts use a custom email format, update RANGER_VALID_EMAIL_REGEX in Privacera Manager so that Ranger Admin accepts those emails as valid users.

    Bash
    cd ~/privacera/privacera-manager/config/
    cp sample-vars/vars.ranger.admin.yml custom-vars
    vi custom-vars/vars.ranger.admin.yml
    

  2. Add or update the following property:

    YAML
    RANGER_VALID_EMAIL_REGEX: "^[\\w]([\\-.\\w\\+])*[\\w\\+]+@[\\w]+([\\-\\w]*\\w)?(\\.[a-z0-9\\-]+)*\\.[a-z]{2,}$"
    

  3. Save the file and update Privacera Manager.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    ./pm_with_helm.sh upgrade
    

  4. Create a user under Access Management in the Privacera Portal using the service account email.
    Example: <service-account-name>@<project_name>.iam.gserviceaccount.com
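Before changing either setting it helps to know which of your service account emails the default connector pattern already accepts, which ones only pass the RANGER_VALID_EMAIL_REGEX shown above (and therefore need the connector override), and which ones Ranger Admin would reject outright. The following Python script is an added example, not Privacera's code: the two patterns are the page's values with the YAML double backslashes unescaped, the sample emails and the candidate custom pattern are constructed for illustration, and the classification labels are this example's own.

```python
import re

# Default BigQuery connector pattern from the page, written with single
# backslashes (the YAML value on the page double-escapes each backslash).
DEFAULT_SERVICE_ACCOUNT_REGEX = (
    r"^[a-zA-Z0-9\-]+@([a-zA-Z0-9\-]+\.iam|appspot|developer|cloudservices|"
    r"cloudbuild|gcp-sa-[a-z0-9-]+)\.gserviceaccount\.com$"
)

# RANGER_VALID_EMAIL_REGEX value from the page, unescaped the same way.
RANGER_VALID_EMAIL_REGEX = (
    r"^[\w]([\-.\w\+])*[\w\+]+@[\w]+([\-\w]*\w)?(\.[a-z0-9\-]+)*\.[a-z]{2,}$"
)

# Ranger Admin and the connector run on the JVM, where \w is ASCII-only.
# re.ASCII makes Python's \w behave the same way so results agree.
_DEFAULT = re.compile(DEFAULT_SERVICE_ACCOUNT_REGEX, re.ASCII)
_RANGER = re.compile(RANGER_VALID_EMAIL_REGEX, re.ASCII)


def matches_default_pattern(email: str) -> bool:
    """True if the built-in connector pattern treats email as a service account."""
    return _DEFAULT.fullmatch(email) is not None


def matches_ranger_email_regex(email: str) -> bool:
    """True if Ranger Admin would accept email as a valid user principal."""
    return _RANGER.fullmatch(email) is not None


def classify(email: str) -> str:
    """Classify one email (labels are this example's own, not Privacera's):
    default-ok         -> no configuration change needed
    custom-format      -> Ranger accepts the user, but the connector pattern
                          must be overridden for it to count as a service account
    rejected-by-ranger -> fails RANGER_VALID_EMAIL_REGEX; cannot be created as a user
    """
    if matches_default_pattern(email):
        return "default-ok"
    if matches_ranger_email_regex(email):
        return "custom-format"
    return "rejected-by-ranger"


def validate_custom_pattern(pattern: str, expected_emails):
    """Compile a candidate value for the connector regex property and return the
    expected emails it fails to match. re.error is raised for an invalid regex,
    which is cheaper to find here than in the connector logs."""
    compiled = re.compile(pattern, re.ASCII)
    return [e for e in expected_emails if compiled.fullmatch(e) is None]


# Constructed sample emails; none of these refer to a real project.
SAMPLE_EMAILS = [
    "etl-loader@analytics-prod.iam.gserviceaccount.com",      # default-ok
    "123456789012-compute@developer.gserviceaccount.com",      # default-ok
    "etl_loader@analytics-prod.iam.gserviceaccount.com",      # underscore: custom-format
    "etl-loader@analytics prod.iam.gserviceaccount.com",      # space: rejected-by-ranger
]

# Constructed candidate override that allows underscores but only the
# "<project>.iam" form. validate_custom_pattern() reveals that it drops the
# default compute account, which the built-in pattern accepted.
CUSTOM_PATTERN_EXAMPLE = r"^[a-zA-Z0-9_\-]+@[a-zA-Z0-9\-]+\.iam\.gserviceaccount\.com$"


def summarize(emails):
    """Map each email to its classification."""
    return {e: classify(e) for e in emails}


if __name__ == "__main__":
    for email, label in summarize(SAMPLE_EMAILS).items():
        print(f"{label:20} {email}")
    missed = validate_custom_pattern(CUSTOM_PATTERN_EXAMPLE, SAMPLE_EMAILS[:3])
    print("custom pattern would not match:", missed)
```

Run the script against the real list of service account emails your pipelines use; any email that lands in `custom-format` is the case the override steps below exist for, and `validate_custom_pattern` shows whether a proposed override keeps matching the accounts the default pattern already covered.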

Configuration Steps

Note

  • The values shown below are for example purposes only. Replace them with your actual configuration values.
  • If your service account email matches the pattern shown below, you do not need to add a custom property, because this pattern is already the default value.

    Text Only
     ^[a-zA-Z0-9\\-]+@([a-zA-Z0-9\\-]+\\.iam|appspot|developer|cloudservices|cloudbuild|gcp-sa-[a-z0-9-]+)\\.gserviceaccount\\.com$
    
  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, add the following property under Add New Custom Properties:

    YAML
    ranger.policysync.connector.0.user.service.account.regex.pattern=<custom-regex-pattern>
    
  5. Click SAVE to apply the changes.

  1. Open the vars.connector.bigquery.yml file located in the connector’s instance directory.

  2. Add or update the following property:

    YAML
    CONNECTOR_BIGQUERY_USER_SERVICE_ACCOUNT_REGEX_PATTERN: "^[a-zA-Z0-9\\-]+@([a-zA-Z0-9\\-]+\\.iam|appspot|developer|cloudservices|cloudbuild|gcp-sa-[a-z0-9-]+)\\.gserviceaccount\\.com$"
    

  3. Save the file and update Privacera Manager.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

  1. In PrivaceraCloud, go to Settings > Applications.

  2. Select BigQuery from the list of Connected Applications.

  3. Click on the application name or the icon, then click on Access Management.

  4. Under the ADVANCED tab, add the following property under Add New Custom Properties:

    YAML
    ranger.policysync.connector.0.user.service.account.regex.pattern=<custom-regex-pattern>
    
  5. Click SAVE.

  6. Once the application is saved and enabled, the BigQuery connector starts. Hover over the VIEW LOGS button to check whether its status is Running or Stopped.

Note

Perform the following steps only if the connector does not reflect the updated configuration and requires a restart.

Restart the BigQuery Connector:

  1. Navigate to Settings > Applications, and select the BigQuery connector application.

  2. Edit the application, disable it, and click Save.

  3. Reopen the same application, enable it, and click Save.

Post-Configuration Verification (GCP CLI)

  1. Set up the Google Cloud CLI to verify service account access: follow the installation instructions in the Google Cloud SDK documentation.

  2. Authenticate as the service account: run the following commands to activate the service account credentials and select the project:

    Bash
    gcloud auth activate-service-account --key-file=<SERVICE-ACCOUNT-KEY-JSON-FILE-PATH>
    gcloud config set project <project-name>
    

  3. Install the BigQuery CLI tool (optional): if the bq tool is not already installed, install it with the following command:

    Bash
    gcloud components install bq
    

  4. Test access by running a query: verify the service account's access with the following query. If the table has columns covered by a tag-based masking policy, those columns should return masked values for this service account rather than the raw data:

    Bash
    bq query --use_legacy_sql=false "SELECT * FROM \`<project-name>.<dataset-name>.<table-name>\` LIMIT 10;"
    
