Control access to resources with IAM

This document describes how to view the current access policy of a resource, how to grant access to a resource, and how to revoke access to a resource.

This document assumes familiarity with the Identity and Access Management (IAM) system in Google Cloud.

Required roles

To get the permissions that you need to modify IAM policies for resources, ask your administrator to grant you the BigQuery Data Owner (roles/bigquery.dataOwner) IAM role on the project. For more information about granting roles, see Manage access.

This predefined role contains the permissions required to modify IAM policies for resources. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

To get a dataset's access policy: bigquery.datasets.get
To set a dataset's access policy: bigquery.datasets.update
To get a dataset's access policy (Google Cloud console only): bigquery.datasets.getIamPolicy
To set a dataset's access policy (console only): bigquery.datasets.setIamPolicy
To get a table or view's policy: bigquery.tables.getIamPolicy
To set a table or view's policy: bigquery.tables.setIamPolicy
To create bq tool or SQL BigQuery jobs (optional): bigquery.jobs.create

You might also be able to get these permissions with custom roles or other predefined roles.

View the access policy of a resource

The following sections describe how to view the access policies of different resources.

View the access policy of a dataset

Select one of the following options:

Console

Go to the BigQuery page.

Go to BigQuery
In the Explorer pane, expand your project and select a dataset.
Click Sharing > Permissions.

The dataset access policies appear in the Dataset Permissions pane.

bq

To get an existing policy and output it to a local file in JSON, use the bq show command in Cloud Shell:

bq show \
    --format=prettyjson \
    PROJECT_ID:DATASET > PATH_TO_FILE

Replace the following:

PROJECT_ID: your project ID
DATASET: the name of your dataset
PATH_TO_FILE: the path to the JSON file on your local machine

API

To apply access controls when the dataset is created, call datasets.insert with a defined dataset resource. To update your access controls, call datasets.patch and use the access property in the Dataset resource.

Because the datasets.update method replaces the entire dataset resource, datasets.patch is the preferred method for updating access controls.

View the access policy of a table or view

Select one of the following options:

Console

Go to the BigQuery page.

Go to BigQuery
In the Explorer pane, expand your project and select a table or view.
Click Share.

The table or view access policies appear in the Share pane.

bq

To get an existing access policy and output it to a local file in JSON, use the bq get-iam-policy command in Cloud Shell:

bq get-iam-policy \
    --table=true \
    PROJECT_ID:DATASET.RESOURCE > PATH_TO_FILE

Replace the following:

PROJECT_ID: your project ID
DATASET: the name of your dataset
RESOURCE: the name of the table or view whose policy you want to view
PATH_TO_FILE: the path to the JSON file on your local machine

API

To retrieve the current policy, call the tables.getIamPolicy method.

Grant access to a resource

The following sections describe how to grant access to different resources.

Grant access to a dataset

Select one of the following options:

Console

Go to the BigQuery page.

Go to BigQuery
In the Explorer pane, expand your project and select a dataset to share.
Click Sharing > Permissions.
Click Add principal.
In the New principals field, enter a principal.
In the Select a role list, select a predefined role or a custom role.
Click Save.
To return to the dataset info, click Close.

SQL

To grant principals access to datasets, use the GRANT DCL statement:

In the Google Cloud console, go to the BigQuery page.

Go to BigQuery
In the query editor, enter the following statement:
```
GRANT ROLE_LIST
ON RESOURCE_TYPE RESOURCE_NAME
TO "USER_LIST"
```
Replace the following:
- ROLE_LIST: a role or list of comma-separated roles that you want to grant
- RESOURCE_TYPE: the type of resource that the role is applied to
  
  Supported values include SCHEMA (equivalent to dataset), TABLE, VIEW, and EXTERNAL TABLE.
- RESOURCE_NAME: the name of the resource that you want to grant the permission on
- USER_LIST: a comma-separated list of users that the role is granted to
  
  For a list of valid formats, see user_list.
Click Run.

For more information about how to run queries, see Running interactive queries.

bq

To write the existing dataset information (including access controls) to a JSON file, use the bq show command:
```
bq show \
   --format=prettyjson \
   PROJECT_ID:DATASET > PATH_TO_FILE
```
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of your dataset
- PATH_TO_FILE: the path to the JSON file on your local machine

Make changes to the access section of the JSON file. You can add to any of the specialGroup entries: projectOwners, projectWriters, projectReaders, and allAuthenticatedUsers. You can also add any of the following: userByEmail, groupByEmail, and domain.

For example, the access section of a dataset's JSON file would look like the following:

{
 "access": [
  {
   "role": "READER",
   "specialGroup": "projectReaders"
  },
  {
   "role": "WRITER",
   "specialGroup": "projectWriters"
  },
  {
   "role": "OWNER",
   "specialGroup": "projectOwners"
  },
  {
   "role": "READER",
   "specialGroup": "allAuthenticatedUsers"
  },
  {
   "role": "READER",
   "domain": "domain_name"
  },
  {
   "role": "WRITER",
   "userByEmail": "user_email"
  },
  {
   "role": "READER",
   "groupByEmail": "group_email"
  }
 ],
 ...
}

When your edits are complete, use the bq update command and include the JSON file using the --source flag. If the dataset is in a project other than your default project, add the project ID to the dataset name in the following format: PROJECT_ID:DATASET.

Caution: When you apply the JSON file that contains the access controls, the existing access controls are overwritten.
```
bq update \
--source PATH_TO_FILE \
PROJECT_ID:DATASET
```
To verify your access control changes, use the bq show command again without writing the information to a file:
```
bq show --format=prettyjson PROJECT_ID:DATASET
```

API

To apply access controls when the dataset is created, call the datasets.insert method with a defined dataset resource. To update your access controls, call the datasets.patch method and use the access property in the Dataset resource.

Because the datasets.update method replaces the entire dataset resource, datasets.patch is the preferred method for updating access controls.

Go

Before trying this sample, follow the Go setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Go API reference documentation.

View on GitHub Feedback

import (
	"context"
	"fmt"

	"cloud.google.com/go/bigquery"
)

// updateDatasetAccessControl demonstrates how the access control policy of a dataset
// can be amended by adding an additional entry corresponding to a specific user identity.
func updateDatasetAccessControl(projectID, datasetID string) error {
	// projectID := "my-project-id"
	// datasetID := "mydataset"
	ctx := context.Background()
	client, err := bigquery.NewClient(ctx, projectID)
	if err != nil {
		return fmt.Errorf("bigquery.NewClient: %v", err)
	}
	defer client.Close()

	ds := client.Dataset(datasetID)
	meta, err := ds.Metadata(ctx)
	if err != nil {
		return err
	}
	// Append a new access control entry to the existing access list.
	update := bigquery.DatasetMetadataToUpdate{
		Access: append(meta.Access, &bigquery.AccessEntry{
			Role:       bigquery.ReaderRole,
			EntityType: bigquery.UserEmailEntity,
			Entity:     "sample.bigquery.dev@gmail.com"},
		),
	}

	// Leverage the ETag for the update to assert there's been no modifications to the
	// dataset since the metadata was originally read.
	if _, err := ds.Update(ctx, update, meta.ETag); err != nil {
		return err
	}
	return nil
}

Java

Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.bigquery.Acl;
import com.google.cloud.bigquery.Acl.Role;
import com.google.cloud.bigquery.Acl.User;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryException;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.Dataset;
import java.util.ArrayList;

public class UpdateDatasetAccess {

  public static void main(String[] args) {
    // TODO(developer): Replace these variables before running the sample.
    String datasetName = "MY_DATASET_NAME";
    // Create a new ACL granting the READER role to "sample.bigquery.dev@gmail.com"
    // For more information on the types of ACLs available see:
    // https://cloud.google.com/storage/docs/access-control/lists
    Acl newEntry = Acl.of(new User("sample.bigquery.dev@gmail.com"), Role.READER);

    updateDatasetAccess(datasetName, newEntry);
  }

  public static void updateDatasetAccess(String datasetName, Acl newEntry) {
    try {
      // Initialize client that will be used to send requests. This client only needs to be created
      // once, and can be reused for multiple requests.
      BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

      Dataset dataset = bigquery.getDataset(datasetName);

      // Get a copy of the ACLs list from the dataset and append the new entry
      ArrayList<Acl> acls = new ArrayList<>(dataset.getAcl());
      acls.add(newEntry);

      bigquery.update(dataset.toBuilder().setAcl(acls).build());
      System.out.println("Dataset Access Control updated successfully");
    } catch (BigQueryException e) {
      System.out.println("Dataset Access control was not updated \n" + e.toString());
    }
  }
}

Python

Before trying this sample, follow the Python setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Python API reference documentation.

Set the dataset.access_entries property with the access controls for a dataset. Then call the client.update_dataset() function to update the property.

View on GitHub Feedback


# TODO(developer): Set dataset_id to the ID of the dataset to fetch.
dataset_id = "your-project.your_dataset"

# TODO(developer): Set entity_id to the ID of the email or group from whom
# you are adding access. Alternatively, to the JSON REST API representation
# of the entity, such as a view's table reference.
entity_id = "user-or-group-to-add@example.com"

from google.cloud.bigquery.enums import EntityTypes

# TODO(developer): Set entity_type to the type of entity you are granting access to.
# Common types include:
#
# * "userByEmail" -- A single user or service account. For example "fred@example.com"
# * "groupByEmail" -- A group of users. For example "example@googlegroups.com"
# * "view" -- An authorized view. For example
#       {"projectId": "p", "datasetId": "d", "tableId": "v"}
#
# For a complete reference, see the REST API reference documentation:
# https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets#Dataset.FIELDS.access
entity_type = EntityTypes.GROUP_BY_EMAIL

# TODO(developer): Set role to a one of the "Basic roles for datasets"
# described here:
# https://cloud.google.com/bigquery/docs/access-control-basic-roles#dataset-basic-roles
role = "READER"

from google.cloud import bigquery

# Construct a BigQuery client object.
client = bigquery.Client()

dataset = client.get_dataset(dataset_id)  # Make an API request.

entries = list(dataset.access_entries)
entries.append(
    bigquery.AccessEntry(
        role=role,
        entity_type=entity_type,
        entity_id=entity_id,
    )
)
dataset.access_entries = entries

dataset = client.update_dataset(dataset, ["access_entries"])  # Make an API request.

full_dataset_id = "{}.{}".format(dataset.project, dataset.dataset_id)
print(
    "Updated dataset '{}' with modified user permissions.".format(full_dataset_id)
)

Grant access to a table or view

Select one of the following options:

Console

Go to the BigQuery page.

Go to BigQuery
In the Explorer pane, expand your project and select a table or view to share.
Click Share.
Click Add principal.
In the New principals field, enter a principal.
In the Select a role list, select a predefined role or a custom role.
Click Save.
To return to the table or view details, click Close.

SQL

To grant principals access to tables or views, use the GRANT DCL statement:

In the Google Cloud console, go to the BigQuery page.

Go to BigQuery
In the query editor, enter the following statement:
```
GRANT ROLE_LIST
ON RESOURCE_TYPE RESOURCE_NAME
TO "USER_LIST"
```
Replace the following:
- ROLE_LIST: a role or list of comma-separated roles that you want to grant
- RESOURCE_TYPE: the type of resource that the role is applied to
  
  Supported values include SCHEMA (equivalent to dataset), TABLE, VIEW, and EXTERNAL TABLE.
- RESOURCE_NAME: the name of the resource that you want to grant the permission on
- USER_LIST: a comma-separated list of users that the role is granted to
  
  For a list of valid formats, see user_list.
Click Run.

For more information about how to run queries, see Running interactive queries.

bq

To write the existing table or view information (including access controls) to a JSON file, use the bq get-iam-policy command:
```
bq get-iam-policy \
   PROJECT_ID:DATASET.TABLE_OR_VIEW \
   > PATH_TO_FILE
```
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of the dataset that contains the table or view that you want to update
- TABLE_OR_VIEW: the name of the resource to update
- PATH_TO_FILE: the path to the JSON file on your local machine
Caution: When you set the policy, always retrieve the current policy as a first step to obtain the current value for etag. Your updated policy file must include the same value for etag as the current policy you are replacing, or the update fails. This feature prevents concurrent updates from occurring.

In the policy file, the value for version remains 1. This version number refers to the IAM policy schema version, not the version of the policy. The value for etag is the policy version number.

{
 "access": [
  {
   "role": "READER",
   "specialGroup": "projectReaders"
  },
  {
   "role": "WRITER",
   "specialGroup": "projectWriters"
  },
  {
   "role": "OWNER",
   "specialGroup": "projectOwners"
  },
  {
   "role": "READER",
   "specialGroup": "allAuthenticatedUsers"
  },
  {
   "role": "READER",
   "domain": "domain_name"
  },
  {
   "role": "WRITER",
   "userByEmail": "user_email"
  },
  {
   "role": "READER",
   "groupByEmail": "group_email"
  }
 ],
 ...
}

Use the set-iam-policy command to update the policy:

bq set-iam-policy \
    PROJECT_ID:DATASET.TABLE_OR_VIEW \
    > PATH_TO_FILE

To verify your access control changes, use the bq get-iam-policy command again without writing the information to a file:
```
bq get-iam-policy --format=prettyjson \
    PROJECT_ID:DATASET.TABLE_OR_VIEW
```

API

To retrieve the current policy, call the tables.getIamPolicy method.
Edit the policy to add members and/or bindings. For the format required for the policy, see the Policy reference topic.

Caution: When you set the policy, always retrieve the current policy as a first step to obtain the current value for etag. Your updated policy file must include the same value for etag as the current policy you are replacing, or the update fails. This feature prevents concurrent updates from occurring.

In the policy file, the value for version remains 1. This version number refers to the IAM policy schema version, not the version of the policy. The value for etag is the policy version number.

Java

Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryException;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.TableId;

// Sample to create iam policy for table
public class CreateIamPolicy {

  public static void main(String[] args) {
    // TODO(developer): Replace these variables before running the sample.
    String datasetName = "MY_DATASET_NAME";
    String tableName = "MY_TABLE_NAME";
    createIamPolicy(datasetName, tableName);
  }

  public static void createIamPolicy(String datasetName, String tableName) {
    try {
      // Initialize client that will be used to send requests. This client only needs to be created
      // once, and can be reused for multiple requests.
      BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

      TableId tableId = TableId.of(datasetName, tableName);

      Policy policy = bigquery.getIamPolicy(tableId);
      policy
          .toBuilder()
          .addIdentity(Role.of("roles/bigquery.dataViewer"), Identity.allUsers())
          .build();
      bigquery.setIamPolicy(tableId, policy);
      System.out.println("Iam policy created successfully");
    } catch (BigQueryException e) {
      System.out.println("Iam policy was not created. \n" + e.toString());
    }
  }
}

Revoke access to a resource

The following sections describe how to revoke access to different resources.

Revoke access to a dataset

Select one of the following options:

Console

Go to the BigQuery page.

Go to BigQuery
In the Explorer panel, expand your project and select a dataset.
In the details panel, click Sharing > Permissions.
In the Dataset Permissions dialog, expand the principal whose access you want to revoke.
Click Remove principal.
In the Remove role from principal? dialog, click Remove.
To return to dataset details, click Close.

SQL

To remove access to datasets from principals, use the REVOKE DCL statement:

In the Google Cloud console, go to the BigQuery page.

Go to BigQuery
In the query editor, enter the following statement:
```
REVOKE ROLE_LIST
ON RESOURCE_TYPE RESOURCE_NAME
TO "USER_LIST"
```
Replace the following:
- ROLE_LIST: a role or list of comma-separated roles that you want to revoke
- RESOURCE_TYPE: the type of resource that the role is revoked from
  
  Supported values include SCHEMA (equivalent to dataset), TABLE, VIEW, and EXTERNAL TABLE.
- RESOURCE_NAME: the name of the resource that you want to revoke permission on
- USER_LIST: a comma-separated list of users who will have their roles revoked
  
  For a list of valid formats, see user_list.
Click Run.

For more information about how to run queries, see Running interactive queries.

bq

To write the existing dataset information (including access controls) to a JSON file, use the bq show command:
```
bq show \
  --format=prettyjson \
  PROJECT_ID:DATASET > PATH_TO_FILE
```
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of your dataset
- PATH_TO_FILE: the path to the JSON file on your local machine

Make changes to the access section of the JSON file. You can remove any of the specialGroup entries: projectOwners, projectWriters, projectReaders, and allAuthenticatedUsers. You can also remove any of the following: userByEmail, groupByEmail, and domain.

For example, the access section of a dataset's JSON file would look like the following:

{
 "access": [
  {
   "role": "READER",
   "specialGroup": "projectReaders"
  },
  {
   "role": "WRITER",
   "specialGroup": "projectWriters"
  },
  {
   "role": "OWNER",
   "specialGroup": "projectOwners"
  },
  {
   "role": "READER",
   "specialGroup": "allAuthenticatedUsers"
  },
  {
   "role": "READER",
   "domain": "domain_name"
  },
  {
   "role": "WRITER",
   "userByEmail": "user_email"
  },
  {
   "role": "READER",
   "groupByEmail": "group_email"
  }
 ],
 ...
}

When your edits are complete, use the bq update command and include the JSON file using the --source flag. If the dataset is in a project other than your default project, add the project ID to the dataset name in the following format: PROJECT_ID:DATASET.

Caution: When you apply the JSON file that contains the access controls, the existing access controls are overwritten.
```
bq update \
    --source PATH_TO_FILE \
    PROJECT_ID:DATASET
```
To verify your access control changes, use the show command again without writing the information to a file:
```
bq show --format=prettyjson PROJECT_ID:DATASET
```

API

Call datasets.patch and use the access property in the Dataset resource to update your access controls.

Because the datasets.update method replaces the entire dataset resource, datasets.patch is the preferred method for updating access controls.

Go

Before trying this sample, follow the Go setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Go API reference documentation.

View on GitHub Feedback

import (
	"context"
	"fmt"

	"cloud.google.com/go/bigquery"
)

// revokeDatasetAccess updates the access control on a dataset to remove all
// access entries that reference a specific entity.
func revokeDatasetAccess(projectID, datasetID, entity string) error {
	// projectID := "my-project-id"
	// datasetID := "mydataset"
	// entity := "user@mydomain.com"
	ctx := context.Background()
	client, err := bigquery.NewClient(ctx, projectID)
	if err != nil {
		return fmt.Errorf("bigquery.NewClient: %v", err)
	}
	defer client.Close()

	ds := client.Dataset(datasetID)
	meta, err := ds.Metadata(ctx)
	if err != nil {
		return err
	}

	var newAccessList []*bigquery.AccessEntry
	for _, entry := range meta.Access {
		if entry.Entity != entity {
			newAccessList = append(newAccessList, entry)
		}
	}

	// Only proceed with update if something in the access list was removed.
	// Additionally, we use the ETag from the initial metadata to ensure no
	// other changes were made to the access list in the interim.
	if len(newAccessList) < len(meta.Access) {

		update := bigquery.DatasetMetadataToUpdate{
			Access: newAccessList,
		}
		if _, err := ds.Update(ctx, update, meta.ETag); err != nil {
			return err
		}
	}
	return nil
}

Python

Before trying this sample, follow the Python setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Python API reference documentation.

Set the dataset.access_entries property with the access controls for a dataset. Then call the client.update_dataset() function to update the property.

View on GitHub Feedback


# TODO(developer): Set dataset_id to the ID of the dataset to fetch.
dataset_id = "your-project.your_dataset"

# TODO(developer): Set entity_id to the ID of the email or group from whom you are revoking access.
entity_id = "user-or-group-to-remove@example.com"

from google.cloud import bigquery

# Construct a BigQuery client object.
client = bigquery.Client()

dataset = client.get_dataset(dataset_id)  # Make an API request.

entries = list(dataset.access_entries)
dataset.access_entries = [
    entry for entry in entries if entry.entity_id != entity_id
]

dataset = client.update_dataset(
    dataset,
    # Update just the `access_entries` property of the dataset.
    ["access_entries"],
)  # Make an API request.

full_dataset_id = f"{dataset.project}.{dataset.dataset_id}"
print(f"Revoked dataset access for '{entity_id}' to ' dataset '{full_dataset_id}.'")

Revoke access to a table or view

Select one of the following options:

Console

Go to the BigQuery page.

Go to BigQuery
In the Explorer panel, expand your project and select a table or view.
In the details panel, click Share.
In the Share dialog, expand the principal whose access you want to revoke.
Click Delete.
In the Remove role from principal? dialog, click Remove.
To return to the table or view details, click Close.

SQL

To remove access to tables or views from principals, use the REVOKE DCL statement:

In the Google Cloud console, go to the BigQuery page.

Go to BigQuery
In the query editor, enter the following statement:
```
REVOKE ROLE_LIST
ON RESOURCE_TYPE RESOURCE_NAME
TO "USER_LIST"
```
Replace the following:
- ROLE_LIST: a role or list of comma-separated roles that you want to revoke
- RESOURCE_TYPE: the type of resource that the role is revoked from
  
  Supported values include SCHEMA (equivalent to dataset), TABLE, VIEW, and EXTERNAL TABLE.
- RESOURCE_NAME: the name of the resource that you want to revoke permission on
- USER_LIST: a comma-separated list of users who will have their roles revoked
  
  For a list of valid formats, see user_list.
Click Run.

For more information about how to run queries, see Running interactive queries.

bq

To write the existing table or view information (including access controls) to a JSON file, use the bq get-iam-policy command:
```
bq get-iam-policy \
   PROJECT_ID:DATASET.TABLE_OR_VIEW \
   > PATH_TO_FILE
```
Replace the following:
- PROJECT_ID: your project ID
- DATASET: the name of the dataset that contains the table or view that you want to update
- TABLE_OR_VIEW: the name of the resource to update
- PATH_TO_FILE: the path to the JSON file on your local machine
  
  Caution: When you set the policy, always retrieve the current policy as a first step to obtain the current value for etag. Your updated policy file must include the same etag value as the current policy that you are replacing, or the update fails. This feature prevents concurrent updates from occurring.
  
  In the policy file, the value for version remains 1. This number refers to the IAM policy schema version, not the version of the policy. The value for etag value is the policy version number.

{
 "access": [
  {
   "role": "READER",
   "specialGroup": "projectReaders"
  },
  {
   "role": "WRITER",
   "specialGroup": "projectWriters"
  },
  {
   "role": "OWNER",
   "specialGroup": "projectOwners"
  },
  {
   "role": "READER",
   "specialGroup": "allAuthenticatedUsers"
  },
  {
   "role": "READER",
   "domain": "domain_name"
  },
  {
   "role": "WRITER",
   "userByEmail": "user_email"
  },
  {
   "role": "READER",
   "groupByEmail": "group_email"
  }
 ],
 ...
}

Use bq set-iam-policy command to update the policy:

 bq set-iam-policy \
     PROJECT_ID:DATASET.TABLE_OR_VIEW \
     > PATH_TO_FILE

To verify your access control changes, use the get-iam-policy command again without writing the information to a file:
```
bq get-iam-policy --format=prettyjson \
    PROJECT_ID:DATASET.TABLE_OR_VIEW
```

API

To retrieve the current policy, call the tables.getIamPolicy method.
Edit the policy to remove members and/or bindings. For the format required for the policy, see the Policy reference topic.

Caution: When you set the policy, always retrieve the current policy as a first step to obtain the current value for etag. Your updated policy file must include the same value for etag as the current policy you are replacing, or the update fails. This feature prevents concurrent updates from occurring.

In the policy file, the value for version remains 1. This version number refers to the IAM policy schema version, not the version of the policy. The value for etag is the policy version number.
Call tables.setIamPolicy to write the updated policy. Note: Empty bindings with no members are not allowed and result in an error.

Java

Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryException;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.TableId;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Sample to update iam policy in table
public class UpdateIamPolicy {

  public static void main(String[] args) {
    // TODO(developer): Replace these variables before running the sample.
    String datasetName = "MY_DATASET_NAME";
    String tableName = "MY_TABLE_NAME";
    updateIamPolicy(datasetName, tableName);
  }

  public static void updateIamPolicy(String datasetName, String tableName) {
    try {
      // Initialize client that will be used to send requests. This client only needs to be created
      // once, and can be reused for multiple requests.
      BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

      TableId tableId = TableId.of(datasetName, tableName);

      Policy policy = bigquery.getIamPolicy(tableId);
      Map<Role, Set<Identity>> binding = new HashMap<>(policy.getBindings());
      binding.remove(Role.of("roles/bigquery.dataViewer"));

      policy.toBuilder().setBindings(binding).build();
      bigquery.setIamPolicy(tableId, policy);

      System.out.println("Iam policy updated successfully");
    } catch (BigQueryException e) {
      System.out.println("Iam policy was not updated. \n" + e.toString());
    }
  }
}