Data Catalog resource projects

To use Data Catalog, you must enable the Data Catalog API in a Google Cloud project that contains the resources you will create in Data Catalog or access in other Google Cloud systems with the API. We refer to this project as the Data Catalog "resource project".

In the common case, if you have only one project, you only need to enable the Data Catalog API in it to access all the resources it contains. The Data Catalog quickstart shows how to create a project that has the Data Catalog API enabled and contains a BigQuery table you access as well as a Data Catalog tag template and tag.

Using tag templates in multiple projects

Everything in Google Cloud lives in a project, including your tag templates. However, you can use tag templates from one project to create tags in another if you authorize the other project to use the templates. To do this, use the TagTemplate Owner, Creator, User, and Viewer IAM roles.

For example, if project A grants the TagTemplate User role to a service account owned by project B, this authorizes project B to create tags using project A's templates. Project A can also authorize the same service account to modify the created tags using the Tag Editor role.

If project A does not authorize project B, project B cannot tag its own data resources using project A's tag templates—it must create its own templates.

Best practice: Create templates in a central project if they are relevant to more than one project. Also, your data governance team should own the shared tag templates and maintain them on behalf of the organization.
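
As an added example (not from the original documentation), the Python sketch below reviews the IAM policy of a tag template in project A and lists which other projects' service accounts hold the roles named above. The sample policy, the project IDs `project-a`, `project-b` and `project-c`, and the function names are constructed for illustration; the role IDs are the IAM identifiers of the roles this section names.

```python
import re

# IAM role IDs for the roles this page names
# (TagTemplate Owner, Creator, User, Viewer; Tag Editor).
WATCHED = {"roles/datacatalog." + r for r in (
    "tagTemplateOwner", "tagTemplateCreator", "tagTemplateUser",
    "tagTemplateViewer", "tagEditor")}
USE_ROLE = "roles/datacatalog.tagTemplateUser"

# User-managed service accounts look like NAME@PROJECT_ID.iam.gserviceaccount.com.
SA_RE = re.compile(r"^serviceAccount:[^@\s]+@([a-z][a-z0-9-]+)\.iam\.gserviceaccount\.com$")

def audit_template_policy(policy, template_project):
    """Return (cross_project, unattributed) grants of the watched roles."""
    cross, unattributed = [], []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in WATCHED:
            continue
        for member in binding.get("members", []):
            m = SA_RE.match(member)
            if m is None or m.group(1).startswith("gcp-sa-"):
                # user:, group: or Google-managed agent: owning project not derivable
                unattributed.append((member, role))
            elif m.group(1) != template_project:
                cross.append((m.group(1), member, role))
    return sorted(cross), sorted(unattributed)

def projects_allowed_to_tag(policy, template_project):
    """Other projects whose service accounts hold TagTemplate User here."""
    cross, _ = audit_template_policy(policy, template_project)
    return sorted({proj for proj, _, role in cross if role == USE_ROLE})

# Constructed sample policy for a template in the hypothetical project "project-a".
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/datacatalog.tagTemplateUser",
     "members": ["serviceAccount:tagger@project-b.iam.gserviceaccount.com",
                 "serviceAccount:etl@project-a.iam.gserviceaccount.com"]},
    {"role": "roles/datacatalog.tagEditor",
     "members": ["serviceAccount:tagger@project-b.iam.gserviceaccount.com"]},
    {"role": "roles/datacatalog.tagTemplateViewer",
     "members": ["group:governance@example.com",
                 "serviceAccount:reader@project-c.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    cross, unattributed = audit_template_policy(SAMPLE_POLICY, "project-a")
    print("cross-project grants:", cross)
    print("review manually:", unattributed)
    print("may create tags:", projects_allowed_to_tag(SAMPLE_POLICY, "project-a"))
```

Members listed under "review manually" are users, groups or Google-managed agents whose owning project cannot be read from the member string, so the governance team has to resolve them separately.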

Identifying the Data Catalog resource project

The following table lists Data Catalog APIs and the associated resource project(s) in which the Data Catalog API must be enabled.

| Data Catalog APIs | Resource project | Notes |
|---|---|---|
| get/lookup/search | service account project | If the X-Goog-User-Project is specified in the HTTP/gRPC Header, also enable the Data Catalog API in the user project to enable quota and billing against the X-Goog-User-Project instead of the service account. |
| create/update/delete | project identified by the /project-id/ in the API request resource parameter | Exceptions: see createTag/updateTag/deleteTag in the next row. |
| createTag/updateTag/deleteTag | tag template container project | Since the Data Catalog API was enabled in the tag template container project when the template was created, no further action is needed to call these APIs. Note: The project identified by the parent parameter for the tag and the tag template used to create the tag must be from the same organization. |

Notes:

  • service account project: the project in which you have generated service account credentials to authenticate your application code.

  • resource parameter: the parameter passed in the API request that identifies the resource associated with the request (for example, see project-id in the tagTemplates.create parent parameter).
