[Feature] Provide a recommendation for fine grain, minimum required permissions to use dbt-bigquery #528

Closed
3 tasks done
mikealfare opened this issue Nov 7, 2024 · 2 comments
Labels
pkg:dbt-bigquery Issue affects dbt-bigquery type:enhancement New feature request

Comments

@mikealfare
Contributor

mikealfare commented Nov 7, 2024

Is this your first time submitting a feature request?

  • I have read the expectations for open source contributors
  • I have searched the existing issues, and I could not find an existing issue for this feature
  • I am requesting a straightforward extension of existing dbt-bigquery functionality, rather than a Big Idea better suited to a discussion

Describe the feature

The current docs suggest applying the built-in roles of BigQuery User and BigQuery Data Editor to the account running dbt-bigquery. However, these roles include a lot of permissions that are not required. It's ideal to provide minimum access to service accounts, but I don't know what that should be. I understand this also could change over time as features are added. Given that some of these features are optional, it would also be nice to know what permissions I need to use a feature, or more in line with this request, what permissions are not needed if I'm not using a particular feature.

Describe alternatives you've considered

I could figure this out myself by incrementally adding permissions until runs pass, but this is time consuming and only solves the problem for me. Also, this could change over time as dbt-bigquery gains new features.

Who will this benefit?

This will benefit security-minded users and organizations who want to minimize the access of their service accounts.

Anything else?

It looks like this permission set may work:

  • bigquery.datasets.create
  • bigquery.jobs.create
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData

It may be worth specifying required permissions for SQL models only, and then additional permissions to run python models. The above looks like it may be just the former.

@mikealfare mikealfare added type:enhancement New feature request triage:product In Product's queue and removed triage:product In Product's queue labels Nov 7, 2024
@mikealfare mikealfare self-assigned this Nov 8, 2024
@syou6162
Contributor

In dbt Cloud, there is a function that creates a dataset like dbt_cloud_pr_<job_id>_<pr_id> for pull requests, and deletes this dataset when the pull request is merged or closed. Considering this, I thought that it would be good to mention

  • bigquery.datasets.delete
  • bigquery.tables.delete

for the smallest set of permissions.

@mikealfare mikealfare removed their assignment Dec 13, 2024
@mikealfare mikealfare added the pkg:dbt-bigquery Issue affects dbt-bigquery label Jan 14, 2025
@mikealfare mikealfare transferred this issue from dbt-labs/dbt-bigquery Jan 14, 2025
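The two permission lists proposed in the comments above can be turned into a per-feature custom role definition and an audit of what a service account currently holds. This is an added example, not code from the issue or from dbt-bigquery; it assumes the lists in the thread are correct, and the feature key `pr_dataset_cleanup`, the role title and the sample grant are constructed for illustration.

```python
import json

# Permission set proposed in the issue (described there as likely covering SQL models only).
BASE_SQL_MODELS = {
    "bigquery.datasets.create", "bigquery.jobs.create",
    "bigquery.tables.create", "bigquery.tables.get",
    "bigquery.tables.getData", "bigquery.tables.list",
    "bigquery.tables.update", "bigquery.tables.updateData",
}

# Additions suggested in the thread for dbt Cloud PR datasets that are deleted on merge/close.
FEATURES = {  # hypothetical feature key, not a dbt setting
    "pr_dataset_cleanup": {"bigquery.datasets.delete", "bigquery.tables.delete"},
}


def required_permissions(features=()):
    """Base set plus the permissions of each enabled optional feature."""
    perms = set(BASE_SQL_MODELS)
    for name in features:
        perms |= FEATURES[name]  # unknown feature names raise KeyError
    return perms


def role_definition(title, features=()):
    """Dict using the fields of an IAM custom role (title, stage, includedPermissions)."""
    return {
        "title": title,
        "description": "Least-privilege role for dbt-bigquery (derived from issue #528)",
        "stage": "GA",
        "includedPermissions": sorted(required_permissions(features)),
    }


def audit(granted, features=()):
    """Compare what an account holds against what the enabled features need."""
    needed, granted = required_permissions(features), set(granted)
    return {"excess": sorted(granted - needed), "missing": sorted(needed - granted)}


# Constructed sample grant; NOT the real contents of any predefined BigQuery role.
SAMPLE_GRANTED = (BASE_SQL_MODELS - {"bigquery.tables.updateData"}) | {
    "bigquery.tables.delete", "bigquery.tables.export",
}

if __name__ == "__main__":
    print(json.dumps(role_definition("dbt runner (SQL models)"), indent=2))
    print(json.dumps(audit(SAMPLE_GRANTED, ["pr_dataset_cleanup"]), indent=2))
```

In practice the `granted` input would come from the permissions of the roles bound to the service account, and the `excess` list is what a review would consider removing.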
@amychen1776
Contributor

I'm closing this issue for now since our amazing Benoit has already made this list

@amychen1776 amychen1776 closed this as not planned Jan 16, 2025