BigQuery IAM 角色和权限

本文档介绍了 BigQuery 的 Identity and Access Management (IAM) 角色和权限。 IAM 可让您授予对特定 BigQuery 资源的精细访问权限,并有助于防止对其他资源的访问。借助 IAM,您可以应用最小权限安全原则,该原则要求任何人都不应拥有超出实际所需数量的权限。

主账号(用户、群组或服务账号)调用 Google Cloud API 时,该主账号必须具有适当的 IAM 权限才能使用资源。如需向主账号授予所需的权限,您可以向主账号授予 IAM 角色。

本文档介绍如何使用预定义和自定义 IAM 角色来允许主账号访问 BigQuery 资源。

如需大致了解 Google Cloud 中的访问权限管理,请参阅 IAM 概览

IAM 角色类型

一个角色对应一组权限。您可以使用 IAM 中以下类型的角色来提供对 BigQuery 资源的访问权限:

  • 预定义角色由 Google Cloud 管理,并支持常见应用场景和访问权限控制模式。
  • 自定义角色根据用户指定的权限列表提供访问权限。

如需确定角色中是否包含一项或多项权限,您可以使用以下方法之一:

向用户分配多个角色类型时,授予的权限是每个角色所拥有权限的并集。

如需详细了解如何使用 IAM 访问资源,请参阅 IAM 文档中的授予、更改和撤消对资源的访问权限

如需了解如何创建自定义角色,请参阅 IAM 文档中的创建和管理自定义角色

BigQuery 中的 IAM 角色

权限不会直接分配给用户、群组或服务账号。用户、群组或服务账号会被授予一个或多个预定义角色或自定义角色,以获得对资源执行操作所需的权限。

您可以在以下 BigQuery 资源级别授予访问权限:

  • 组织、文件夹或项目
  • 连接
  • 数据集
  • 表或视图
  • 政策标记、行访问权限政策或 BigQuery 数据政策

在组织或 Google Cloud 项目级应用的角色

如果在组织级和项目级分配角色,您需要提供运行 BigQuery 作业或访问项目的所有 BigQuery 资源所需的权限。

在数据集级应用的角色

您可以在数据集级分配角色,以提供对特定数据集的访问权限,而无需提供对项目资源的完整访问权限。在 IAM 资源层次结构中,BigQuery 数据集是项目的子资源。如需详细了解如何在数据集级分配角色,请参阅控制对数据集的访问权限

应用于数据集内单个资源的角色

您可以单独为数据集内特定类型的资源分配角色,而无需提供对数据集资源的完整访问权限。

角色可以应用于以下类型的单个资源:

  • 视图

角色无法应用于以下类型的单个资源:

  • routines
  • models

如需详细了解如何在表或视图级分配角色,请参阅控制对表或视图的访问权限

BigQuery 预定义的 IAM 角色

下表列出了预定义的 BigQuery IAM 角色以及每个角色包含的所有权限的列表。请注意,每个权限适用于特定资源类型。

Role Permissions

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

  • Datasets
  • Row access policies
  • Tables
  • Views

bigquery.bireservations.*

  • bigquery.bireservations.get
  • bigquery.bireservations.update

bigquery.capacityCommitments.*

  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update

bigquery.config.*

  • bigquery.config.get
  • bigquery.config.update

bigquery.connections.*

  • bigquery.connections.create
  • bigquery.connections.delegate
  • bigquery.connections.delete
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.connections.update
  • bigquery.connections.updateTag
  • bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

  • bigquery.datasets.create
  • bigquery.datasets.createTagBinding
  • bigquery.datasets.delete
  • bigquery.datasets.deleteTagBinding
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.link
  • bigquery.datasets.listEffectiveTags
  • bigquery.datasets.listSharedDatasetUsage
  • bigquery.datasets.listTagBindings
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.updateTag

bigquery.jobs.*

  • bigquery.jobs.create
  • bigquery.jobs.delete
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.jobs.update

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.update

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

  • bigquery.savedqueries.create
  • bigquery.savedqueries.delete
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.savedqueries.update

bigquery.tables.*

  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.createTagBinding
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.deleteTagBinding
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.listEffectiveTags
  • bigquery.tables.listTagBindings
  • bigquery.tables.replicateData
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.setCategory
  • bigquery.tables.setColumnDataPolicy
  • bigquery.tables.setIamPolicy
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag

bigquery.transfers.*

  • bigquery.transfers.get
  • bigquery.transfers.update

bigquerymigration.translation.translate

dataform.*

  • dataform.compilationResults.create
  • dataform.compilationResults.get
  • dataform.compilationResults.list
  • dataform.compilationResults.query
  • dataform.config.get
  • dataform.config.update
  • dataform.locations.get
  • dataform.locations.list
  • dataform.releaseConfigs.create
  • dataform.releaseConfigs.delete
  • dataform.releaseConfigs.get
  • dataform.releaseConfigs.list
  • dataform.releaseConfigs.update
  • dataform.repositories.commit
  • dataform.repositories.computeAccessTokenStatus
  • dataform.repositories.create
  • dataform.repositories.delete
  • dataform.repositories.fetchHistory
  • dataform.repositories.fetchRemoteBranches
  • dataform.repositories.get
  • dataform.repositories.getIamPolicy
  • dataform.repositories.list
  • dataform.repositories.queryDirectoryContents
  • dataform.repositories.readFile
  • dataform.repositories.setIamPolicy
  • dataform.repositories.update
  • dataform.workflowConfigs.create
  • dataform.workflowConfigs.delete
  • dataform.workflowConfigs.get
  • dataform.workflowConfigs.list
  • dataform.workflowConfigs.update
  • dataform.workflowInvocations.cancel
  • dataform.workflowInvocations.create
  • dataform.workflowInvocations.delete
  • dataform.workflowInvocations.get
  • dataform.workflowInvocations.list
  • dataform.workflowInvocations.query
  • dataform.workspaces.commit
  • dataform.workspaces.create
  • dataform.workspaces.delete
  • dataform.workspaces.fetchFileDiff
  • dataform.workspaces.fetchFileGitStatuses
  • dataform.workspaces.fetchGitAheadBehind
  • dataform.workspaces.get
  • dataform.workspaces.getIamPolicy
  • dataform.workspaces.installNpmPackages
  • dataform.workspaces.list
  • dataform.workspaces.makeDirectory
  • dataform.workspaces.moveDirectory
  • dataform.workspaces.moveFile
  • dataform.workspaces.pull
  • dataform.workspaces.push
  • dataform.workspaces.queryDirectoryContents
  • dataform.workspaces.readFile
  • dataform.workspaces.removeDirectory
  • dataform.workspaces.removeFile
  • dataform.workspaces.reset
  • dataform.workspaces.searchFiles
  • dataform.workspaces.setIamPolicy
  • dataform.workspaces.writeFile

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.connectionAdmin)

bigquery.connections.*

  • bigquery.connections.create
  • bigquery.connections.delegate
  • bigquery.connections.delete
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.connections.update
  • bigquery.connections.updateTag
  • bigquery.connections.use

(roles/bigquery.connectionUser)

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

  • bigquery.datasets.create
  • bigquery.datasets.createTagBinding
  • bigquery.datasets.delete
  • bigquery.datasets.deleteTagBinding
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.link
  • bigquery.datasets.listEffectiveTags
  • bigquery.datasets.listSharedDatasetUsage
  • bigquery.datasets.listTagBindings
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.updateTag

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.createTagBinding
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.deleteTagBinding
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.listEffectiveTags
  • bigquery.tables.listTagBindings
  • bigquery.tables.replicateData
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.setCategory
  • bigquery.tables.setColumnDataPolicy
  • bigquery.tables.setIamPolicy
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

bigquery.rowAccessPolicies.getFilteredData

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

  • Project

bigquery.config.get

bigquery.jobs.create

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.readSessionUser)

Provides the ability to create and use read sessions.

Lowest-level resources where you can grant this role:

  • Project

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceAdmin)

Administers BigQuery workloads, including slot assignments, commitments, and reservations.

bigquery.bireservations.*

  • bigquery.bireservations.get
  • bigquery.bireservations.update

bigquery.capacityCommitments.*

  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.update

recommender.bigqueryCapacityCommitmentsInsights.*

  • recommender.bigqueryCapacityCommitmentsInsights.get
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

  • recommender.bigqueryCapacityCommitmentsRecommendations.get
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceEditor)

Manages BigQuery workloads, but is unable to create or modify slot commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceViewer)

Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.studioAdmin)

Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin.

aiplatform.notebookRuntimeTemplates.*

  • aiplatform.notebookRuntimeTemplates.apply
  • aiplatform.notebookRuntimeTemplates.create
  • aiplatform.notebookRuntimeTemplates.delete
  • aiplatform.notebookRuntimeTemplates.get
  • aiplatform.notebookRuntimeTemplates.getIamPolicy
  • aiplatform.notebookRuntimeTemplates.list
  • aiplatform.notebookRuntimeTemplates.setIamPolicy
  • aiplatform.notebookRuntimeTemplates.update

aiplatform.notebookRuntimes.*

  • aiplatform.notebookRuntimes.assign
  • aiplatform.notebookRuntimes.delete
  • aiplatform.notebookRuntimes.get
  • aiplatform.notebookRuntimes.list
  • aiplatform.notebookRuntimes.start
  • aiplatform.notebookRuntimes.update
  • aiplatform.notebookRuntimes.upgrade

aiplatform.operations.list

bigquery.bireservations.*

  • bigquery.bireservations.get
  • bigquery.bireservations.update

bigquery.capacityCommitments.*

  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update

bigquery.config.*

  • bigquery.config.get
  • bigquery.config.update

bigquery.connections.*

  • bigquery.connections.create
  • bigquery.connections.delegate
  • bigquery.connections.delete
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.connections.update
  • bigquery.connections.updateTag
  • bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

  • bigquery.datasets.create
  • bigquery.datasets.createTagBinding
  • bigquery.datasets.delete
  • bigquery.datasets.deleteTagBinding
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.link
  • bigquery.datasets.listEffectiveTags
  • bigquery.datasets.listSharedDatasetUsage
  • bigquery.datasets.listTagBindings
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.updateTag

bigquery.jobs.*

  • bigquery.jobs.create
  • bigquery.jobs.delete
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.jobs.update

bigquery.models.*

  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.models.updateTag

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

bigquery.reservationAssignments.*

  • bigquery.reservationAssignments.create
  • bigquery.reservationAssignments.delete
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search

bigquery.reservations.*

  • bigquery.reservations.create
  • bigquery.reservations.delete
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.reservations.update

bigquery.routines.*

  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

  • bigquery.savedqueries.create
  • bigquery.savedqueries.delete
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.savedqueries.update

bigquery.tables.*

  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.createTagBinding
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.deleteTagBinding
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.listEffectiveTags
  • bigquery.tables.listTagBindings
  • bigquery.tables.replicateData
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.setCategory
  • bigquery.tables.setColumnDataPolicy
  • bigquery.tables.setIamPolicy
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag

bigquery.transfers.*

  • bigquery.transfers.get
  • bigquery.transfers.update

bigquerymigration.translation.translate

compute.reservations.get

compute.reservations.list

dataform.*

  • dataform.compilationResults.create
  • dataform.compilationResults.get
  • dataform.compilationResults.list
  • dataform.compilationResults.query
  • dataform.config.get
  • dataform.config.update
  • dataform.locations.get
  • dataform.locations.list
  • dataform.releaseConfigs.create
  • dataform.releaseConfigs.delete
  • dataform.releaseConfigs.get
  • dataform.releaseConfigs.list
  • dataform.releaseConfigs.update
  • dataform.repositories.commit
  • dataform.repositories.computeAccessTokenStatus
  • dataform.repositories.create
  • dataform.repositories.delete
  • dataform.repositories.fetchHistory
  • dataform.repositories.fetchRemoteBranches
  • dataform.repositories.get
  • dataform.repositories.getIamPolicy
  • dataform.repositories.list
  • dataform.repositories.queryDirectoryContents
  • dataform.repositories.readFile
  • dataform.repositories.setIamPolicy
  • dataform.repositories.update
  • dataform.workflowConfigs.create
  • dataform.workflowConfigs.delete
  • dataform.workflowConfigs.get
  • dataform.workflowConfigs.list
  • dataform.workflowConfigs.update
  • dataform.workflowInvocations.cancel
  • dataform.workflowInvocations.create
  • dataform.workflowInvocations.delete
  • dataform.workflowInvocations.get
  • dataform.workflowInvocations.list
  • dataform.workflowInvocations.query
  • dataform.workspaces.commit
  • dataform.workspaces.create
  • dataform.workspaces.delete
  • dataform.workspaces.fetchFileDiff
  • dataform.workspaces.fetchFileGitStatuses
  • dataform.workspaces.fetchGitAheadBehind
  • dataform.workspaces.get
  • dataform.workspaces.getIamPolicy
  • dataform.workspaces.installNpmPackages
  • dataform.workspaces.list
  • dataform.workspaces.makeDirectory
  • dataform.workspaces.moveDirectory
  • dataform.workspaces.moveFile
  • dataform.workspaces.pull
  • dataform.workspaces.push
  • dataform.workspaces.queryDirectoryContents
  • dataform.workspaces.readFile
  • dataform.workspaces.removeDirectory
  • dataform.workspaces.removeFile
  • dataform.workspaces.reset
  • dataform.workspaces.searchFiles
  • dataform.workspaces.setIamPolicy
  • dataform.workspaces.writeFile

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.studioUser)

Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

bigquery.config.get

bigquery.jobs.create

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

  • Dataset

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquerydatapolicy.admin)

Role for managing Data Policies in BigQuery

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.maskedGet

(roles/bigquerydatapolicy.rawDataReader)

Raw read access to sub-resources associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.getRawData

(roles/bigquerydatapolicy.viewer)

Role for viewing Data Policies in BigQuery

bigquery.dataPolicies.get

bigquery.dataPolicies.list

BigQuery 的自定义 IAM 角色

如需为 BigQuery 创建自定义 IAM 角色,请按照使用 BigQuery 权限IAM 自定义角色概述的步骤执行操作。

BigQuery 基本角色

如需了解 BigQuery 基本角色,请参阅 BigQuery 基本角色和权限

BigQuery 权限

下表介绍了 BigQuery 中提供的权限。 这些角色包含在预定义角色中,可用于自定义角色定义。

权限 说明
bigquery.bireservations.get 读取 BI Engine 预留。
bigquery.bireservations.update 更新 BI Engine 预留。
bigquery.capacityCommitments.create 在项目中创建容量承诺。
bigquery.capacityCommitments.delete 删除容量承诺。
bigquery.capacityCommitments.get 检索容量承诺的相关详细信息。
bigquery.capacityCommitments.list 列出项目中的所有容量承诺。
bigquery.capacityCommitments.update 更新项目中的所有容量承诺。
bigquery.config.update 创建配置。
bigquery.config.get 获取有关配置的详细信息。
bigquery.connections.create 在项目中创建新连接。
bigquery.connections.delete 删除连接。
bigquery.connections.get 获取连接元数据。不包括凭据。
bigquery.connections.list 列出项目中的连接。
bigquery.connections.update 更新连接及其凭据。
bigquery.connections.updateTag

更新连接的标记。

bigquery.connections.use 使用连接配置连接到远程数据源。
bigquery.connections.delegate 委托连接以创建授权的外部表和远程函数。
bigquery.dataPolicies.create

创建新的数据政策。

bigquery.dataPolicies.delete

删除数据政策。

bigquery.dataPolicies.get

获取数据政策的相关元数据。

bigquery.dataPolicies.getIamPolicy

读取数据政策的 IAM 权限。

bigquery.dataPolicies.list

列出项目中的数据政策。

bigquery.dataPolicies.maskedGet

查看具有与数据政策关联的政策标记的列的遮盖数据。

bigquery.dataPolicies.setIamPolicy

设置数据政策的 IAM 权限。

bigquery.dataPolicies.update

更新数据政策的元数据。

bigquery.datasets.create 新建空数据集。
bigquery.datasets.createTagBinding 创建数据集的资源标记绑定。
bigquery.datasets.delete 删除数据集。
bigquery.datasets.deleteTagBinding 删除数据集的资源标记绑定。
bigquery.datasets.get 获取数据集的元数据和权限。在 Google Cloud 控制台中查看权限还需要 bigquery.datasets.getIamPolicy 权限。
bigquery.datasets.getIamPolicy Google Cloud 控制台需要此权限才能让用户选择获取数据集的 IAM 权限。应急开启。能否真正执行获取权限的操作是由 bigquery.datasets.get 权限控制的。
bigquery.datasets.link 创建关联数据集
bigquery.datasets.listTagBindings 列出数据集的资源标记绑定。
bigquery.datasets.setIamPolicy Google Cloud 控制台需要此权限才能让用户选择设置数据集的 IAM 权限。应急开启。能否真正执行设置权限的操作是由 bigquery.datasets.update 权限控制的。
bigquery.datasets.update 更新数据集的元数据和权限。在 Google Cloud 控制台中授予权限也需要 bigquery.datasets.setIamPolicy 权限。
bigquery.datasets.updateTag 更新数据集的 Data Catalog 标记
bigquery.jobs.create 在项目中运行作业(包括查询作业)。
bigquery.jobs.get 获取任何作业的数据和元数据。1
bigquery.jobs.list 列出所有作业,并检索任何用户所提交任何作业的相关元数据。 对于由其他用户提交的作业,详细信息和元数据会被遮盖。
bigquery.jobs.listAll 列出所有作业,并检索任何用户所提交任何作业的相关元数据。
bigquery.jobs.listExecutionMetadata 列出任何用户所提交的任何作业的所有作业执行元数据(无敏感信息)。它只能在组织级层应用,并由管理界面使用。
bigquery.jobs.delete 删除作业的元数据。
bigquery.jobs.update 取消任何作业。1
bigquery.models.create 创建新的机器学习模型
bigquery.models.delete 删除机器学习模型
bigquery.models.getData 获取机器学习模型数据。如需获取模型元数据,您需要拥有 bigquery.models.getMetadata 权限。
bigquery.models.getMetadata 获取机器学习模型元数据。如需获取模型数据,您需要拥有 bigquery.models.getData 权限。
bigquery.models.list 列出机器学习模型和模型元数据。
bigquery.models.updateData 更新机器学习模型数据。如需更新模型元数据,您需要拥有 bigquery.models.updateMetadata 权限。
bigquery.models.updateMetadata 更新机器学习模型元数据。如需更新模型数据,您需要拥有 bigquery.models.updateData 权限。
bigquery.models.export 导出机器学习模型
bigquery.models.updateTag 更新模型的 Data Catalog 标记
bigquery.readsessions.create 使用 Storage Read API 创建新的读取会话。
bigquery.readsessions.getData 使用 Storage Read API 从读取会话读取数据。
bigquery.readsessions.update 使用 Storage Read API 更新读取会话。
bigquery.reservations.create 在管理项目中创建槽预留
bigquery.reservations.delete 删除槽预留
bigquery.reservations.get 检索有关槽预留的详细信息。
bigquery.reservations.list 列出管理项目中的所有槽预留
bigquery.reservations.update 更新槽预留的属性。
bigquery.reservationAssignments.create

创建预留分配。 所有者项目和分配对象资源需要此权限。
要迁移预留分配,您需要拥有新所有者项目和分配对象资源的 bigquery.reservationAssignments.create 权限。

bigquery.reservationAssignments.delete

删除预留分配。 需要所有者项目和分配对象资源上的此权限。
如需移除预留分配,您需要现有所有者项目和分配对象资源的 bigquery.reservationAssignments.delete 权限。

bigquery.reservationAssignments.list 列出项目中的所有预留分配
bigquery.reservationAssignments.search 查找指定项目、文件夹或组织的预留分配
bigquery.rowAccessPolicies.create 为表创建新的行级层访问权限政策。
bigquery.rowAccessPolicies.delete 从表中删除行级层访问权限政策。
bigquery.rowAccessPolicies.getFilteredData 获取表中您希望只对行级层访问权限政策被授权者列表的主账号可见的数据。我们建议仅授予行级层访问权限政策资源上的此权限。
bigquery.rowAccessPolicies.list 列出表中的所有行级层访问权限政策。
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions 访问现在具有或以前具有行级访问政策的表的历史数据
bigquery.rowAccessPolicies.getIamPolicy 获取行访问权限政策的 IAM 权限。
bigquery.rowAccessPolicies.setIamPolicy 设置行访问权限政策的 IAM 权限。
bigquery.rowAccessPolicies.update 重新创建行级层访问权限政策。
bigquery.routines.create 创建新例程(函数和存储过程)。
bigquery.routines.delete 删除例程。
bigquery.routines.get 获取例程定义和元数据。
bigquery.routines.list 列出例程及其元数据。
bigquery.routines.update

更新例程定义和元数据。

bigquery.routines.updateTag

更新例程的 Data Catalog 标记

bigquery.savedqueries.create 创建已保存的查询。
bigquery.savedqueries.delete 删除已保存的查询。
bigquery.savedqueries.get 获取已保存查询的元数据。
bigquery.savedqueries.list 列出已保存的查询
bigquery.savedqueries.update 更新已保存的查询。
bigquery.tables.create 新建表。
bigquery.tables.createIndex 在表上创建搜索索引。
bigquery.tables.createSnapshot 创建新的表快照。
bigquery.tables.createTagBinding 创建表的资源标记绑定。
bigquery.tables.delete 删除表。
bigquery.tables.deleteIndex 删除表上的搜索索引。
bigquery.tables.deleteSnapshot 删除表快照。
bigquery.tables.deleteTagBinding 删除表的资源标记绑定。
bigquery.tables.export 从 BigQuery 导出表数据。
bigquery.tables.get 获取表元数据。
如需获取表数据,您需要拥有 bigquery.tables.getData 权限。
bigquery.tables.getData 获取表数据。查询表数据需要此权限。
如需获取表元数据,您需要拥有 bigquery.tables.get 权限。
bigquery.tables.getIamPolicy 读取表的 IAM 政策。
bigquery.tables.list 列出表及其元数据。
bigquery.tables.listEffectiveTags 使用 Cloud Resource Manager API 列出有效标记绑定。使用 --effective 标志时处于选中状态。
bigquery.tables.listTagBindings 使用 Cloud Resource Manager API 列出标记绑定
bigquery.tables.replicateData 复制表数据。创建副本具体化视图需要此权限。
bigquery.tables.restoreSnapshot 恢复表快照。
bigquery.tables.setCategory 设置表架构中的政策标记。
bigquery.tables.setIamPolicy 更改表的 IAM 政策。
bigquery.tables.update

更新表元数据。
如需更新表数据,您需要拥有 bigquery.tables.updateData 权限。

bigquery.tables.updateData

更新表数据。
如需更新表元数据,您需要拥有 bigquery.tables.update 权限。

bigquery.tables.updateTag 更新表的 Data Catalog 标记
bigquery.transfers.get 获取转移作业元数据。
bigquery.transfers.update 创建、更新和删除传输。

1 对于您创建的任何作业,系统将会自动为您分配该作业的 bigquery.jobs.getbigquery.jobs.update 权限。

BigQuery ML 任务的权限

下表介绍了执行常见 BigQuery ML 任务所需的权限。

权限 说明
bigquery.jobs.create
bigquery.models.create
bigquery.models.getData
bigquery.models.updateData
使用 CREATE MODEL 语句创建新模型
bigquery.jobs.create
bigquery.models.create
bigquery.models.getData
bigquery.models.updateData
bigquery.models.updateMetadata
使用 CREATE OR REPLACE MODEL 语句替换现有模型
bigquery.models.delete 使用 models.delete API 删除模型
bigquery.jobs.create
bigquery.models.delete
使用 DROP MODEL 语句删除模型
bigquery.models.getMetadata 使用 models.get API 获取模型元数据
bigquery.models.list 使用 models.list API 列出模型和模型上的元数据
bigquery.models.updateMetadata 使用 models.delete API 更新模型元数据。如果为模型设置或更新非零到期时间,还需要 bigquery.models.delete 权限。
bigquery.jobs.create
bigquery.models.getData
使用 ML.EVALUATEML.PREDICTML.TRAINING_INFOML.WEIGHTS 等函数执行评估、预测以及模型和特征检查。
bigquery.jobs.create
bigquery.models.export
导出模型
bigquery.models.updateTag 更新模型的 Data Catalog 标记

后续步骤