Control access to Dataform with IAM

This document describes the access control options for Dataform and shows you how to view and grant Dataform roles. Dataform uses Identity and Access Management (IAM) for access control. For more information about roles and permissions in IAM, see Understanding roles and permissions.

Predefined Dataform roles

The following table lists the predefined roles that give you access to Dataform resources:

Role Permissions

(roles/dataform.admin)

Full access to all Dataform resources.

dataform.*

  • dataform.compilationResults.create
  • dataform.compilationResults.get
  • dataform.compilationResults.list
  • dataform.compilationResults.query
  • dataform.config.get
  • dataform.config.update
  • dataform.locations.get
  • dataform.locations.list
  • dataform.releaseConfigs.create
  • dataform.releaseConfigs.delete
  • dataform.releaseConfigs.get
  • dataform.releaseConfigs.list
  • dataform.releaseConfigs.update
  • dataform.repositories.commit
  • dataform.repositories.computeAccessTokenStatus
  • dataform.repositories.create
  • dataform.repositories.delete
  • dataform.repositories.fetchHistory
  • dataform.repositories.fetchRemoteBranches
  • dataform.repositories.get
  • dataform.repositories.getIamPolicy
  • dataform.repositories.list
  • dataform.repositories.queryDirectoryContents
  • dataform.repositories.readFile
  • dataform.repositories.setIamPolicy
  • dataform.repositories.update
  • dataform.workflowConfigs.create
  • dataform.workflowConfigs.delete
  • dataform.workflowConfigs.get
  • dataform.workflowConfigs.list
  • dataform.workflowConfigs.update
  • dataform.workflowInvocations.cancel
  • dataform.workflowInvocations.create
  • dataform.workflowInvocations.delete
  • dataform.workflowInvocations.get
  • dataform.workflowInvocations.list
  • dataform.workflowInvocations.query
  • dataform.workspaces.commit
  • dataform.workspaces.create
  • dataform.workspaces.delete
  • dataform.workspaces.fetchFileDiff
  • dataform.workspaces.fetchFileGitStatuses
  • dataform.workspaces.fetchGitAheadBehind
  • dataform.workspaces.get
  • dataform.workspaces.getIamPolicy
  • dataform.workspaces.installNpmPackages
  • dataform.workspaces.list
  • dataform.workspaces.makeDirectory
  • dataform.workspaces.moveDirectory
  • dataform.workspaces.moveFile
  • dataform.workspaces.pull
  • dataform.workspaces.push
  • dataform.workspaces.queryDirectoryContents
  • dataform.workspaces.readFile
  • dataform.workspaces.removeDirectory
  • dataform.workspaces.removeFile
  • dataform.workspaces.reset
  • dataform.workspaces.searchFiles
  • dataform.workspaces.setIamPolicy
  • dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeCreator)

Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeEditor)

Edit access code resources.

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.commit

dataform.repositories.computeAccessTokenStatus

dataform.repositories.create

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.searchFiles

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeOwner)

Full access to code resources.

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.*

  • dataform.repositories.commit
  • dataform.repositories.computeAccessTokenStatus
  • dataform.repositories.create
  • dataform.repositories.delete
  • dataform.repositories.fetchHistory
  • dataform.repositories.fetchRemoteBranches
  • dataform.repositories.get
  • dataform.repositories.getIamPolicy
  • dataform.repositories.list
  • dataform.repositories.queryDirectoryContents
  • dataform.repositories.readFile
  • dataform.repositories.setIamPolicy
  • dataform.repositories.update

dataform.workspaces.*

  • dataform.workspaces.commit
  • dataform.workspaces.create
  • dataform.workspaces.delete
  • dataform.workspaces.fetchFileDiff
  • dataform.workspaces.fetchFileGitStatuses
  • dataform.workspaces.fetchGitAheadBehind
  • dataform.workspaces.get
  • dataform.workspaces.getIamPolicy
  • dataform.workspaces.installNpmPackages
  • dataform.workspaces.list
  • dataform.workspaces.makeDirectory
  • dataform.workspaces.moveDirectory
  • dataform.workspaces.moveFile
  • dataform.workspaces.pull
  • dataform.workspaces.push
  • dataform.workspaces.queryDirectoryContents
  • dataform.workspaces.readFile
  • dataform.workspaces.removeDirectory
  • dataform.workspaces.removeFile
  • dataform.workspaces.reset
  • dataform.workspaces.searchFiles
  • dataform.workspaces.setIamPolicy
  • dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeViewer)

Read-only access to all code resources.

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.searchFiles

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.editor)

Edit access to Workspaces and Read-only access to Repositories.

dataform.compilationResults.*

  • dataform.compilationResults.create
  • dataform.compilationResults.get
  • dataform.compilationResults.list
  • dataform.compilationResults.query

dataform.config.get

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.*

  • dataform.workflowInvocations.cancel
  • dataform.workflowInvocations.create
  • dataform.workflowInvocations.delete
  • dataform.workflowInvocations.get
  • dataform.workflowInvocations.list
  • dataform.workflowInvocations.query

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.searchFiles

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.viewer)

Read-only access to all Dataform resources.

dataform.compilationResults.get

dataform.compilationResults.list

dataform.compilationResults.query

dataform.config.get

dataform.locations.*

  • dataform.locations.get
  • dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.get

dataform.workflowInvocations.list

dataform.workflowInvocations.query

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.searchFiles

resourcemanager.projects.get

resourcemanager.projects.list

Custom Dataform roles

Custom roles can include any permissions that you specify. You can create custom roles that include permissions to perform specific administrative operations, like creating development workspaces or creating files and directories within a development workspace. To create custom roles, see Creating and managing custom roles.

Security considerations for Dataform permissions

Any user who has the dataform.repositories.create permission can execute code in BigQuery using the default Dataform service account and all permissions granted to that service account. This includes execution of Dataform SQL workflows.

The dataform.repositories.create permissions is included in the following IAM roles:

To restrict the data that a user or service account can read or write in BigQuery, you can grant granular BigQuery IAM permissions to selected BigQuery datasets or tables. For more information, see Controlling access to datasets and Controlling access to tables and views.

For more information about the default Dataform service account and the roles and permissions it requires, see Grant Dataform required access.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the BigQuery and Dataform APIs.

    Enable the APIs

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  6. Make sure that billing is enabled for your Google Cloud project.

  7. Enable the BigQuery and Dataform APIs.

    Enable the APIs

View Dataform roles

Within the Google Cloud console, perform the following steps:

  1. Go to the IAM & Admin > Roles page.

    Go to Roles

  2. In the Filter field, select Used in, type Dataform, and then press Enter.

  3. Click one of the listed roles to view the permissions of the role in the right pane.

    For example, the Dataform Admin role has full access to all Dataform resources.

For more information about granting a role on a project, see Grant a role. You can grant predefined or custom roles in this way.

Control access to an individual repository

To control access to Dataform with granular permissions, you can set Dataform IAM roles on individual repositories by using the Dataform API repositories.setIamPolicy request.

To set Dataform IAM roles on an individual Dataform repository, follow these steps:

  1. In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy.

  2. In the policy, bind a user, group, domain, or service account to a selected role in the following format:

    {
    "policy":
       {
          "bindings": [
          {
             "role": "roles/ROLE",
             "members": [
                "TYPE:IDENTIFIER",
             ]
          },
          ],
       }
    }
    

    Replace the following:

    • ROLE: a Dataform IAM role that you want to grant on the repository
    • TYPE: user, group, domain, or serviceAccount
    • IDENTIFIER: the user, group, domain, or service account that you want to grant the role to
  3. In the IAM page, ensure that all users can view the full list of Dataform repositories through a Dataform role with the dataform.repositories.list permission.

  4. In IAM, ensure that only users who require full access to all Dataform repositories are granted the Dataform Admin role on all repositories.

The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Editor role on the sales repository to a single user:

curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.editor", "members": ["user:sasha@examplepetstore.com"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"

Grant public access to a repository

You can grant public access to a Dataform repository by granting IAM roles on the repository to the allAuthenticatedUsers principal.

When you assign an IAM role to the allAuthenticatedUsers principal, service accounts and all users on the internet who have authenticated with a Google Account are granted that role. This includes accounts that aren't connected to a Google Workspace account or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. For more information, see All authenticated users.

For example, when you grant the Dataform Viewer role to allAuthenticatedUsers on the sales repository, all service accounts and users on the internet who have authenticated with a Google Account have read-only access to all sales code resources.

To grant public access to a Dataform repository, follow these steps:

  1. In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy.

  2. In the policy, bind the allAuthenticatedUsers principal to a selected role in the following format:

    {
    "policy":
       {
          "bindings": [
          {
             "role": "roles/ROLE",
             "members": [
                "allAuthenticatedUsers",
             ]
          },
          ],
       }
    }
    

    Replace the following:

    • ROLE: a Dataform IAM role that you want to grant to all authenticated users.

The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Viewer role on the sales repository to allAuthenticatedUsers:

curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.viewer", "members": ["allAuthenticatedUsers"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"

Prevent public access to repositories

To ensure that no access is granted to the public on any Dataform repository, you can restrict the allAuthenticatedUsers principal in your project.

To restrict allAuthenticatedUsers in your project, you can set the iam.allowedPolicyMemberDomains policy, and remove allAuthenticatedUsers from the list of allowed_values.

When you restrict allAuthenticatedUsers in the iam.allowedPolicyMemberDomains policy, the allAuthenticatedUsers principal cannot be used in any IAM policy in your project, which prevents granting public access to all resources, including Dataform repositories.

For more information about the iam.allowedPolicyMemberDomains policy and also instructions to set it, see Restricting identities by domain.

Workforce identity federation in Dataform

Workforce identity federation lets you use an external identity provider (IdP) to authenticate and authorize users to Google Cloud services with IAM.

Dataform supports workforce identity federation with no known limitations.

What's next