How do BigQuery OAuth connections work with GCP IAM?

Knowledge Drop

Last tested: Jun 26, 2020

BigQuery connections can authenticate in one of two ways: OAuth or a service account. OAuth connections are directly integrated with GCP Identity and Access Management (IAM): OAuth provides user-level authentication and IAM provides user-level authorization. Every query is run as if that user had typed the same SQL while logged in to the BigQuery console, so the user's own IAM permissions, not a shared service account's, decide what the query can read.

Key features and constraints of OAuth + IAM

  1. Using OAuth as the authentication mechanism ensures that IAM permissions are enforced per user.
  2. Every query is run as if that user had run the same SQL after logging in to the BigQuery console.
  3. Examples of per-user security controls include:
     1. Access only to the datasets the user is permitted to see
     2. Access only to the authorized views the user is permitted to see
        1. Row-level controls implemented with authorized views
  4. Query caches are per user.
  5. BigQuery resource limits (quotas) are applied per user.
  6. PDTs and shared caches are disabled under per-user authentication.
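The row-level control in item 3 is the part that only works because of OAuth: BigQuery's SESSION_USER() returns the e-mail of the principal running the query, which under an OAuth connection is the end user rather than a shared service account. The BigQuery SQL below is an added example (not code from the original page or from Looker) showing a source table in a private dataset, a user-to-region mapping, and an authorized view that filters on SESSION_USER(); the project, dataset, table and e-mail names are constructed placeholders.

```sql
-- Constructed example: per-user row filtering through an authorized view.
-- `my-project`, both datasets, both tables and the e-mails are placeholders.

-- 1. Source data lives in a dataset that end users are NOT granted access to.
CREATE SCHEMA IF NOT EXISTS `my-project.private_data`;

CREATE OR REPLACE TABLE `my-project.private_data.orders` (
  order_id INT64,
  region   STRING,
  amount   NUMERIC
);

-- Which regions each user may see (constructed sample rows).
CREATE OR REPLACE TABLE `my-project.private_data.region_acl` (
  user_email STRING,
  region     STRING
);

INSERT INTO `my-project.private_data.region_acl` (user_email, region) VALUES
  ('alice@example.com', 'emea'),
  ('bob@example.com',   'apac');

-- 2. The view lives in a separate, user-facing dataset. SESSION_USER() is the
--    e-mail of the OAuth principal, so each user sees only their own rows.
--    Under a service-account connection it would be the service account's
--    e-mail for everyone, and this filter would no longer be per user.
CREATE SCHEMA IF NOT EXISTS `my-project.shared_views`;

CREATE OR REPLACE VIEW `my-project.shared_views.orders_by_user` AS
SELECT o.order_id, o.region, o.amount
FROM `my-project.private_data.orders` AS o
JOIN `my-project.private_data.region_acl` AS a
  ON a.region = o.region
WHERE a.user_email = SESSION_USER();

-- 3. Grant end users read access to the view's dataset only. They get no
--    grant on private_data, so they cannot query `orders` directly.
GRANT `roles/bigquery.dataViewer`
ON SCHEMA `my-project.shared_views`
TO "user:alice@example.com", "user:bob@example.com";

-- 4. The remaining step has no SQL form: in the private_data dataset's
--    access settings, authorize the view (or the shared_views dataset) so
--    the view can read private_data on the user's behalf.

-- Check from the connection: this should return the end user's e-mail,
-- not a service account, when OAuth is in use.
SELECT SESSION_USER() AS querying_principal;
```

If the last SELECT returns a service-account address, the connection is not using OAuth and every user would see the same rows through the view.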

This content is subject to limited support.

Comments

Updated: PDTs are now supported with BQ OAuth with version 22.14
https://cloud.google.com/looker/docs/looker-22-release-highlights

Version history
Last update: 06-14-2021 05:54 PM