Predefined Dataform roles
The following table lists the predefined roles that give you access to Dataform resources:
Role | Permissions
---|---
Dataform Admin | Full access to all Dataform resources.
Code Creator | Access only to private and shared code resources. The permissions in the Code Creator role let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.
Code Editor | Edit access to code resources.
Code Owner | Full access to code resources.
Code Viewer | Read-only access to all code resources.
Dataform Editor | Edit access to workspaces and read-only access to repositories.
Dataform Viewer | Read-only access to all Dataform resources.
Custom Dataform roles
Custom roles can include any permissions that you specify. You can create custom roles that include permissions to perform specific administrative operations, like creating development workspaces or creating files and directories within a development workspace. To create custom roles, see Creating and managing custom roles.
Security considerations for Dataform permissions
Any user who has the dataform.repositories.create permission can execute code in BigQuery using the default Dataform service account and all permissions granted to that service account. This includes execution of Dataform SQL workflows.
The dataform.repositories.create permission is included in the following IAM roles:
- BigQuery Studio User (roles/bigquery.studioUser)
- Code Creator (roles/dataform.codeCreator)
- Code Editor (roles/dataform.codeEditor)
- Code Owner (roles/dataform.codeOwner)
- Colab Enterprise User (roles/aiplatform.colabEnterpriseUser)
- Dataform Admin (roles/dataform.admin)
To restrict the data that a user or service account can read or write in BigQuery, you can grant granular BigQuery IAM permissions to selected BigQuery datasets or tables. For more information, see Controlling access to datasets and Controlling access to tables and views.
For more information about the default Dataform service account and the roles and permissions it requires, see Grant Dataform required access.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the BigQuery and Dataform APIs.
View Dataform roles
Within the Google Cloud console, perform the following steps:
- Go to the IAM & Admin > Roles page.
- In the Filter field, select Used in, type Dataform, and then press Enter.
- Click one of the listed roles to view the permissions of the role in the right pane. For example, the Dataform Admin role has full access to all Dataform resources.
For more information about granting a role on a project, see Grant a role. You can grant predefined or custom roles in this way.
Control access to an individual repository
To control access to Dataform with granular permissions, you can set Dataform IAM roles on individual repositories by using the Dataform API repositories.setIamPolicy request.
To set Dataform IAM roles on an individual Dataform repository, follow these steps:
- In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy. In the policy, bind a user, group, domain, or service account to a selected role in the following format:

```json
{
  "policy": {
    "bindings": [
      {
        "role": "roles/ROLE",
        "members": [
          "TYPE:IDENTIFIER"
        ]
      }
    ]
  }
}
```

  Replace the following:
  - ROLE: a Dataform IAM role that you want to grant on the repository
  - TYPE: user, group, domain, or serviceAccount
  - IDENTIFIER: the user, group, domain, or service account that you want to grant the role to
- In the IAM page, ensure that all users can view the full list of Dataform repositories through a Dataform role with the dataform.repositories.list permission.
- In IAM, ensure that only users who require full access to all Dataform repositories are granted the Dataform Admin role on all repositories.
The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Editor role on the sales repository to a single user:

```bash
curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.editor", "members": ["user:sasha@examplepetstore.com"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"
```
Grant public access to a repository
You can grant public access to a Dataform repository by granting IAM roles on the repository to the allAuthenticatedUsers principal.
When you assign an IAM role to the allAuthenticatedUsers principal, service accounts and all users on the internet who have authenticated with a Google Account are granted that role. This includes accounts that aren't connected to a Google Workspace account or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. For more information, see All authenticated users.
For example, when you grant the Dataform Viewer role to allAuthenticatedUsers on the sales repository, all service accounts and users on the internet who have authenticated with a Google Account have read-only access to all sales code resources.
To grant public access to a Dataform repository, follow these steps:
- In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy. In the policy, bind the allAuthenticatedUsers principal to a selected role in the following format:

```json
{
  "policy": {
    "bindings": [
      {
        "role": "roles/ROLE",
        "members": [
          "allAuthenticatedUsers"
        ]
      }
    ]
  }
}
```

  Replace the following:
  - ROLE: a Dataform IAM role that you want to grant to all authenticated users.
The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Viewer role on the sales repository to allAuthenticatedUsers:

```bash
curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.viewer", "members": ["allAuthenticatedUsers"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"
```
Prevent public access to repositories
To ensure that no access is granted to the public on any Dataform repository, you can restrict the allAuthenticatedUsers principal in your project.
To restrict allAuthenticatedUsers in your project, you can set the iam.allowedPolicyMemberDomains policy, and remove allAuthenticatedUsers from the list of allowed_values.
When you restrict allAuthenticatedUsers in the iam.allowedPolicyMemberDomains policy, the allAuthenticatedUsers principal cannot be used in any IAM policy in your project, which prevents granting public access to all resources, including Dataform repositories.
For more information about the iam.allowedPolicyMemberDomains policy and also instructions to set it, see Restricting identities by domain.
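As an added example (not part of the Dataform documentation), the following Python audits an IAM policy of the shape passed to repositories.setIamPolicy for the two risks this page describes: public principals such as allAuthenticatedUsers, and members holding one of the six roles listed under Security considerations that carry dataform.repositories.create. The sample policy and principal names are constructed; allUsers is included beside allAuthenticatedUsers as the other public principal, and the helper that builds a request body is an assumption of this example, not a Dataform API.

```python
import json

# Roles this page lists as including dataform.repositories.create. Holders can
# run SQL workflows in BigQuery as the default Dataform service account.
ROLES_WITH_REPO_CREATE = {
    "roles/bigquery.studioUser",
    "roles/dataform.codeCreator",
    "roles/dataform.codeEditor",
    "roles/dataform.codeOwner",
    "roles/aiplatform.colabEnterpriseUser",
    "roles/dataform.admin",
}
# Principals that make a binding public (allUsers is the unauthenticated one).
PUBLIC_PRINCIPALS = {"allAuthenticatedUsers", "allUsers"}


def audit_policy(policy):
    """Return findings for a policy dict of the shape {"bindings": [...]}."""
    findings = {"public": [], "repo_create": [], "admins": []}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings["public"].append((role, member))
            if role in ROLES_WITH_REPO_CREATE:
                findings["repo_create"].append((role, member))
            if role == "roles/dataform.admin":
                findings["admins"].append(member)
    return findings


def build_set_iam_policy_body(role, members, allow_public=False):
    """Hypothetical helper: build the JSON body for repositories.setIamPolicy,
    refusing public principals unless the caller opts in explicitly."""
    if not allow_public and any(m in PUBLIC_PRINCIPALS for m in members):
        raise ValueError("policy would grant public access to the repository")
    return json.dumps({"policy": {"bindings": [{"role": role, "members": list(members)}]}})


# Constructed sample: a repository policy as it might be read back from the API.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/dataform.editor", "members": ["user:sasha@examplepetstore.com"]},
        {"role": "roles/dataform.viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/dataform.admin", "members": ["group:data-admins@examplepetstore.com"]},
    ]
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```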
Workforce identity federation in Dataform
Workforce identity federation lets you use an external identity provider (IdP) to authenticate and authorize users to Google Cloud services with IAM.
Dataform supports workforce identity federation with no known limitations.
What's next
- To learn more about IAM, see IAM overview.
- To learn more about roles and permissions, see Understanding roles.
- To learn more about managing access to resources, see Manage access to projects, folders, and organizations.
- To learn how to grant BigQuery roles to tables in Dataform, see Control access to individual tables with IAM.
- To learn more about the key concepts of workforce identity federation, see Workforce identity federation.