bqiam
What is this?
This tool provides easier permission management for BigQuery.
Currently supports;
- list the user's permissions for each BigQuery Datasets
- permit users to each BigQuery Datasets access role (READER/WRITER/OWNER) and
roles/bigquery.jobUser
(to run query)
- permit users to Project-wide access role (
roles/viewer
or rolse/editor
)
Requirement
You must have a roles/owner
on your GCP project.
Install
$ go get -u github.com/hirosassa/bqiam
Usage
Prepare configuration file as following format (currently support only the file name is .bqiam.toml
on your $HOME
):
// .bqiam.toml
BigqueryProjects = ["project-id-A", "project-id-B", ...]
CacheFile = "path/to/cache-file.toml"
Next, fetch bigquery dataset metadata and store it to cache file (take about 30-60 sec.).
$ bqiam cache
dataset meta data are cached to path/to/cache-file.toml
List datasets the user is able to access.
$ bqiam dataset abc@sample.com
sample-prj sample-ds1 OWNER
sample-prj sample-ds2 READER
...
Grant the user(s) a role to access the dataset(s). This command also adds roles/bigquery.jobUser
automatically.
$ bqiam permit dataset READER -p bq-project-id -u user1@email.com -u user2@email.com -d dataset1 -d dataset2
Permit user1@email.com to dataset1 access as READER
Permit user2@email.com to dataset1 access as READER
...
Grant the user(s) a project-wide role.
$ bqiam permit project READER -p bq-project-id -u user1@email.com -u user2@email.com
Permit user1@email.com to bq-project-id access as READER
Permit user2@email.com to bq-project-id access as READER
...