[Feature] Provide a recommendation for fine grain, minimum required permissions to use dbt-bigquery #1396

Open
mikealfare opened this issue Nov 7, 2024 · 1 comment
Labels: enhancement (New feature or request)

mikealfare commented Nov 7, 2024

Is this your first time submitting a feature request?

  • I have read the expectations for open source contributors
  • I have searched the existing issues, and I could not find an existing issue for this feature
  • I am requesting a straightforward extension of existing dbt-bigquery functionality, rather than a Big Idea better suited to a discussion

Describe the feature

The current docs suggest applying the built-in roles of BigQuery User and BigQuery Data Editor to the account running dbt-bigquery. However, these roles include a lot of permissions that are not required. It's ideal to provide minimum access to service accounts, but I don't know what that should be. I understand this also could change over time as features are added. Given that some of these features are optional, it would also be nice to know what permissions I need to use a feature, or more in line with this request, what permissions are not needed if I'm not using a particular feature.

Describe alternatives you've considered

I could figure this out myself by incrementally adding permissions until runs pass, but this is time consuming and only solves the problem for me. Also, this could change over time as dbt-bigquery gains new features.

Who will this benefit?

This will benefit security-minded users and organizations who want to minimize the access of their service accounts.

Anything else?

It looks like this permission set may work:

  • bigquery.datasets.create
  • bigquery.jobs.create
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData

It may be worth specifying the required permissions for SQL models only, and then the additional permissions needed to run Python models. The above looks like it may be just the former.

@mikealfare mikealfare added enhancement New feature or request triage and removed triage labels Nov 7, 2024
@mikealfare mikealfare self-assigned this Nov 8, 2024
syou6162 (Contributor) commented:

In dbt Cloud, there is a function that creates a dataset like dbt_cloud_pr_<job_id>_<pr_id> for pull requests, and deletes this dataset when the pull request is merged or closed. Considering this, I thought that it would be good to mention

  • bigquery.datasets.delete
  • bigquery.tables.delete

for the smallest set of permissions.
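As an added example (not code from the issue, its authors, or the dbt-bigquery project): a small Python helper that assembles the permission list from the issue body, optionally adds the two delete permissions from the comment above for dbt Cloud CI datasets, renders the result as a role file for `gcloud iam roles create`, and diffs the required set against the `includedPermissions` of a role you already grant. The names `SQL_MODEL_BASELINE`, `CI_DATASET_CLEANUP`, `required_permissions`, `role_definition_yaml`, `parse_included_permissions` and `compare` are mine, the sample `gcloud iam roles describe` output is constructed rather than a dump of any real role, and permissions for Python models are left as a caller-supplied `extra` argument because the thread does not list them.

```python
"""Least-privilege custom IAM role for a dbt-bigquery service account.

Example added while editing this page; it is not dbt-bigquery project code.
SQL_MODEL_BASELINE is the permission list proposed in the issue body and
CI_DATASET_CLEANUP is the pair suggested in the comment for dbt Cloud CI
datasets. Permissions for Python models are not listed in the thread, so the
caller supplies them via ``extra`` if needed. All names here are mine.
"""
import json
from typing import Iterable, Tuple

# Proposed minimum for SQL models (from the issue body).
SQL_MODEL_BASELINE = frozenset({
    "bigquery.datasets.create",
    "bigquery.jobs.create",
    "bigquery.tables.create",
    "bigquery.tables.get",
    "bigquery.tables.getData",
    "bigquery.tables.list",
    "bigquery.tables.update",
    "bigquery.tables.updateData",
})

# Needed only when the run must drop dbt_cloud_pr_<job_id>_<pr_id> datasets (from the comment).
CI_DATASET_CLEANUP = frozenset({
    "bigquery.datasets.delete",
    "bigquery.tables.delete",
})


def required_permissions(ci_cleanup: bool = False, extra: Iterable[str] = ()) -> frozenset:
    """Compose the permission set for one deployment's feature mix."""
    perms = set(SQL_MODEL_BASELINE)
    if ci_cleanup:
        perms |= CI_DATASET_CLEANUP
    perms |= set(extra)  # e.g. whatever Python models turn out to require
    return frozenset(perms)


def role_definition_yaml(title: str, permissions: Iterable[str], description: str = "") -> str:
    """Render a role file for: gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml"""
    lines = [
        f"title: {json.dumps(title)}",          # JSON strings are valid YAML double-quoted scalars
        f"description: {json.dumps(description)}",
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"


def parse_included_permissions(describe_output: str) -> frozenset:
    """Pull the includedPermissions list out of `gcloud iam roles describe` YAML output."""
    perms, in_list = set(), False
    for raw in describe_output.splitlines():
        line = raw.rstrip()
        if line == "includedPermissions:":
            in_list = True
            continue
        if in_list:
            if line.startswith("- "):
                perms.add(line[2:].strip())
            else:
                in_list = False  # first non-list line ends the sequence
    return frozenset(perms)


def compare(granted: Iterable[str], required: Iterable[str]) -> Tuple[frozenset, frozenset]:
    """Return (missing, excess): what a run would lack, and what least privilege says to drop."""
    granted, required = frozenset(granted), frozenset(required)
    return required - granted, granted - required


# Constructed sample of `gcloud iam roles describe` output; NOT a dump of any real role.
SAMPLE_DESCRIBE_OUTPUT = """\
description: constructed example role
etag: AA==
includedPermissions:
- bigquery.datasets.create
- bigquery.datasets.delete
- bigquery.datasets.get
- bigquery.jobs.create
- bigquery.tables.create
- bigquery.tables.delete
- bigquery.tables.export
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.list
- bigquery.tables.update
name: projects/example-project/roles/dbtRunnerOld
stage: GA
title: dbt runner (old)
"""

if __name__ == "__main__":
    needed = required_permissions(ci_cleanup=True)
    print(role_definition_yaml("dbt-bigquery runner", needed,
                               "Minimum for dbt-bigquery SQL models plus CI dataset cleanup"))
    missing, excess = compare(parse_included_permissions(SAMPLE_DESCRIBE_OUTPUT), needed)
    print("missing:", sorted(missing))   # the constructed role lacks bigquery.tables.updateData
    print("excess: ", sorted(excess))    # and carries datasets.get and tables.export it does not need
```

Write the rendered YAML to a file, create the role with `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`, and bind it with `gcloud projects add-iam-policy-binding PROJECT --member=serviceAccount:SA_EMAIL --role=projects/PROJECT/roles/ROLE_ID`. To see what the docs' current recommendation grants beyond this list, pipe `gcloud iam roles describe roles/bigquery.dataEditor` into `parse_included_permissions` and look at the `excess` side of `compare`.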
