This document describes how to set up a VPC Service Controls perimeter for your BigQuery Omni resources.
You can use VPC Service Controls perimeters to restrict access from BigQuery Omni to external clouds.
VPC Service Controls is a Google Cloud feature that allows you to set up a secure perimeter to guard against data exfiltration. VPC Service Controls provides an extra layer of security defense for Google Cloud services that is independent of Identity and Access Management (IAM). This guide shows you how to set up an egress policy that restricts access to only specified external cloud resources from within a VPC Service Controls perimeter. For example, you can limit exports from your BigQuery Omni tables to a specific S3 bucket.
To learn more about VPC Service Controls, see Overview of VPC Service Controls.
For permissions to configure service perimeters, see IAM roles for administering VPC Service Controls.
Before you begin
Before creating the perimeter policy, you must set a default access policy and create an input file that defines the egress policy you want to add.
Set default access policy
Before running the create command, set the default access policy. An access policy is an organization-wide container for access levels and service perimeters. For information about setting a default access policy or getting an access policy name, see Managing an access policy.
Create the egress policy input file
An egress rule block defines the allowed access from within a perimeter to resources outside of that perimeter. For external resources, the externalResources attribute lists the external resource paths that can be accessed from within your VPC Service Controls perimeter. Egress rules can be configured using a JSON file or a YAML file. The following sample uses the YAML format:

```yaml
- egressTo:
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
      # OR
      - permission: "*"
    externalResources:
    - External_Resource_Path
  egressFrom:
    identityType: IDENTITY_TYPE
    # OR
    identities:
    - serviceAccount:SERVICE_ACCOUNT
```
- egressTo: (Required) Starts the egressTo block, which lists the service operations allowed on resources outside the perimeter.
  - operations: (Required) Marks the beginning of the list of accessible services and actions/methods that a client satisfying the egressFrom block conditions is allowed to access.
    - serviceName: (Required) For BigQuery Omni, this should be set to bigquery.googleapis.com.
    - methodSelectors: (Required) The beginning of a list of methods that a client satisfying the egressFrom block conditions is allowed to access. For a list of restrictable methods and permissions for services, see Supported service method restrictions.
      - method: (This attribute or the permission attribute must be used.) This field can be a valid service method, or can be set to "*" to allow access to all methods of the specified service.
      - permission: (This attribute or the method attribute must be used.) This field must be a valid service permission. Access to the specified resources outside the perimeter is allowed for the operations that require this permission.
  - externalResources: (Required) A list of external resources that clients inside the perimeter can access. Each entry is either a valid AWS S3 bucket, such as s3://bucket_name, or an Azure Storage path, such as azure://myaccount.blob.core.windows.net/mycontainer.
- egressFrom: (Required) Starts the egressFrom block, which specifies the identities inside the perimeter that this rule applies to.
  - identityType: (This attribute or the identities attribute must be used.) Defines the types of identities that can access the specified resources outside the perimeter. Acceptable values:
    - ANY_IDENTITY allows all identities.
    - ANY_USER_ACCOUNT allows all human users.
    - ANY_SERVICE_ACCOUNT allows all service accounts.
  - identities: (This attribute or the identityType attribute must be used.) Starts a list of service accounts that can access the specified resources outside the perimeter.
    - serviceAccount: A service account that can access the specified resources outside the perimeter.
The following example is a policy that allows egress operations from inside the perimeter to the s3://mybucket and s3://mybucket2 S3 locations in AWS:

```yaml
- egressTo:
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
    externalResources:
    - s3://mybucket
    - s3://mybucket2
  egressFrom:
    identityType: ANY_IDENTITY
```
The following example allows egress operations to an Azure Storage container:

```yaml
- egressTo:
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
    externalResources:
    - azure://myaccount.blob.core.windows.net/mycontainer
  egressFrom:
    identityType: ANY_IDENTITY
```
For more information about writing egress policies, see the Egress rules reference.
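Both examples above grant every identity in the perimeter every BigQuery method against the listed buckets, which is broader than an export job needs. The following script is an added example for this page (not Google Cloud code): it renders one egress rule in the shape of the template above, rejects inputs the page calls invalid (a non-s3:// or non-azure:// path, both or neither of identityType/identities, both or neither of method/permission) before the file ever reaches gcloud, and flags ANY_IDENTITY and method "*" as settings a reviewer should question. The bucket and container names are the page's own; the service account export-sa@my-project.iam.gserviceaccount.com is hypothetical, and the regular expressions for S3, Azure and service account names are my approximations of those naming rules, not anything the page states.

```python
"""Build and pre-check an egress policy file for a BigQuery Omni perimeter.

Added example for this page, not code from Google Cloud. It renders one
egress rule in the shape of the page's template and refuses inputs the page
says are invalid, so a typo is caught before the file reaches
`gcloud ... --egress-policies`.
"""
import re
from dataclasses import dataclass

# Fixed by the page: the service the rule targets and the accepted
# identityType values for the egressFrom block.
SERVICE_NAME = "bigquery.googleapis.com"
IDENTITY_TYPES = ("ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT")

# Assumed path shapes (editor's approximation of the AWS and Azure naming
# rules, not something the page states): an S3 bucket name of 3-63 lowercase
# letters, digits, dots or hyphens; an Azure Blob Storage container
# (3-63 chars) under a storage account (3-24 lowercase alphanumerics).
S3_BUCKET = re.compile(r"^s3://[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
AZURE_CONTAINER = re.compile(
    r"^azure://[a-z0-9]{3,24}\.blob\.core\.windows\.net/"
    r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$"
)
SERVICE_ACCOUNT = re.compile(r"^[a-z0-9-]+@[a-z0-9.-]+\.gserviceaccount\.com$")


@dataclass(frozen=True)
class EgressPolicy:
    yaml: str         # text to write to egress.yaml
    warnings: tuple   # broad settings a reviewer should question


def check_external_resource(path: str) -> str:
    """Return path unchanged if it is an S3 bucket or Azure container path."""
    if S3_BUCKET.match(path) or AZURE_CONTAINER.match(path):
        return path
    raise ValueError(f"not an s3:// bucket or azure:// container path: {path!r}")


def build_egress_policy(external_resources, *, identity_type=None,
                        service_accounts=(), method="*", permission=None):
    """Render one egress rule as YAML.

    Mirrors the OR alternatives in the page's template: exactly one of
    identity_type / service_accounts, and exactly one of method / permission
    (pass method=None when giving a permission). Broad settings are legal and
    are rendered, but reported in EgressPolicy.warnings.
    """
    resources = [check_external_resource(p) for p in external_resources]
    if not resources:
        raise ValueError("externalResources needs at least one entry")
    if (identity_type is None) == (not service_accounts):
        raise ValueError("give exactly one of identity_type or service_accounts")
    if identity_type is not None and identity_type not in IDENTITY_TYPES:
        raise ValueError(f"identityType must be one of {IDENTITY_TYPES}")
    if (method is None) == (permission is None):
        raise ValueError("give exactly one of method or permission")
    bad = [sa for sa in service_accounts if not SERVICE_ACCOUNT.match(sa)]
    if bad:
        raise ValueError(f"not service account emails: {bad}")

    warnings = []
    if identity_type == "ANY_IDENTITY":
        warnings.append("egressFrom uses ANY_IDENTITY; name the exporting "
                        "service accounts instead")
    if method == "*":
        warnings.append('methodSelectors uses method "*"; narrow to the '
                        "methods or permission the export needs")

    lines = ["- egressTo:",
             "    operations:",
             f"    - serviceName: {SERVICE_NAME}",
             "      methodSelectors:",
             # "*" must be quoted: an unquoted * is a YAML alias.
             (f'      - method: "{method}"' if method is not None
              else f'      - permission: "{permission}"'),
             "    externalResources:"]
    lines += [f"    - {p}" for p in resources]
    lines.append("  egressFrom:")
    if identity_type is not None:
        lines.append(f"    identityType: {identity_type}")
    else:
        lines.append("    identities:")
        lines += [f"    - serviceAccount:{sa}" for sa in service_accounts]
    return EgressPolicy("\n".join(lines) + "\n", tuple(warnings))


def policy_error(external_resources, **kwargs):
    """Return the validation message for bad inputs, or None if they are fine."""
    try:
        build_egress_policy(external_resources, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Hypothetical service account; the bucket names are the page's examples.
    policy = build_egress_policy(
        ["s3://mybucket", "s3://mybucket2"],
        service_accounts=["export-sa@my-project.iam.gserviceaccount.com"],
    )
    with open("egress.yaml", "w") as fh:
        fh.write(policy.yaml)
    for w in policy.warnings:
        print("WARNING:", w)
    print("gcloud alpha access-context-manager perimeters update omniPerimeter "
          "--set-egress-policies=egress.yaml")
```

Run it to write egress.yaml and then pass that file to the create or update command described in the next section. Naming the exporting service account instead of ANY_IDENTITY turns the rule into the least-privilege form: a compromised user credential inside the perimeter can no longer push BigQuery data to the bucket, only the workload identity that is supposed to.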
Add the egress policy to a service perimeter
You can create a service perimeter using the Google Cloud Console, the gcloud command-line tool, or the API. However, you must use the gcloud command-line tool to add external resources to the egress rules.
The create perimeter command is the same for BigQuery Omni as for any other product. For more information on the options, see the gcloud tab in Creating a service perimeter.
Create a new service perimeter
The following command creates a new perimeter named omniPerimeter that includes the project with project number 12345, restricts the BigQuery API, and adds an egress policy defined in the egress.yaml file:

```sh
gcloud alpha access-context-manager perimeters create omniPerimeter \
  --title="Omni Perimeter" \
  --resources=projects/12345 \
  --restricted-services=bigquery.googleapis.com \
  --egress-policies=egress.yaml
```
Add to an existing service perimeter
The following command adds an egress policy defined in the egress.yaml file to an existing service perimeter named omniPerimeter. Because the flag sets the perimeter's egress policies rather than appending to them, the file must contain every egress rule the perimeter should keep:

```sh
gcloud alpha access-context-manager perimeters update omniPerimeter \
  --set-egress-policies=egress.yaml
```
Verify your perimeter
You can use the describe command to verify the perimeter you just created or updated. Use the following command to describe a perimeter:

```sh
gcloud alpha access-context-manager perimeters describe PERIMETER-NAME
```

- PERIMETER-NAME is the name of the perimeter.

For example, the following command describes the perimeter omniPerimeter:

```sh
gcloud alpha access-context-manager perimeters describe omniPerimeter
```

Check that the output lists bigquery.googleapis.com under the restricted services and that the egress policy's externalResources contains exactly the buckets or containers you intended, and no others.
For more information about the describe command, see Managing service perimeters.
- Now that egress from your perimeter is limited to the listed external resources, see Exporting query results to Amazon S3 or Exporting query results to Azure Storage.