Control access to Dataform with IAM

Predefined Dataform roles

The following table lists the predefined roles that give you access to Dataform resources:

Custom Dataform roles

Custom roles can include any permissions that you specify. You can create custom roles that include permissions to perform specific administrative operations, like creating development workspaces or creating files and directories within a development workspace. To create custom roles, see Creating and managing custom roles.

Security considerations for Dataform permissions

Any user who has the dataform.repositories.create permission can execute code in BigQuery using the default Dataform service account and all permissions granted to that service account. This includes execution of Dataform SQL workflows.

The dataform.repositories.create permissions is included in the following IAM roles:

• BigQuery Studio User (roles/bigquery.studioUser)
• Code Creator (roles/dataform.codeCreator)
• Code Editor (roles/dataform.codeEditor)
• Code Owner (roles/dataform.codeOwner)
• Colab Enterprise User (roles/aiplatform.colabEnterpriseUser)
• Dataform Admin (roles/dataform.admin)

To restrict the data that a user or service account can read or write in BigQuery, you can grant granular BigQuery IAM permissions to selected BigQuery datasets or tables. For more information, see Controlling access to datasets and Controlling access to tables and views.

For more information about the default Dataform service account and the roles and permissions it requires, see Grant Dataform required access.

Before you begin

1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

3. Make sure that billing is enabled for your Google Cloud project.

4. Enable the BigQuery and Dataform APIs.

   Enable the APIs

5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

6. Make sure that billing is enabled for your Google Cloud project.

7. Enable the BigQuery and Dataform APIs.

   Enable the APIs

View Dataform roles

Within the Google Cloud console, perform the following steps:

1. Go to the IAM & Admin > Roles page.

   Go to Roles

2. In the Filter field, select Used in, type Dataform, and then press Enter.

3. Click one of the listed roles to view the permissions of the role in the right pane.

   For example, the Dataform Admin role has full access to all Dataform resources.

For more information about granting a role on a project, see Grant a role. You can grant predefined or custom roles in this way.

Control access to an individual repository

To control access to Dataform with granular permissions, you can set Dataform IAM roles on individual repositories by using the Dataform API repositories.setIamPolicy request.

To set Dataform IAM roles on an individual Dataform repository, follow these steps:

1. In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy.

2. In the policy, bind a user, group, domain, or service account to a selected role in the following format:

   {
   "policy":
      {
         "bindings": [
         {
            "role": "roles/ROLE",
            "members": [
               "TYPE:IDENTIFIER",
            ]
         },
         ],
      }
   }
   

   Replace the following:

   • ROLE: a Dataform IAM role that you want to grant on the repository
   • TYPE: user, group, domain, or serviceAccount
   • IDENTIFIER: the user, group, domain, or service account that you want to grant the role to

3. In the IAM page, ensure that all users can view the full list of Dataform repositories through a Dataform role with the dataform.repositories.list permission.

4. In IAM, ensure that only users who require full access to all Dataform repositories are granted the Dataform Admin role on all repositories.

The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Editor role on the sales repository to a single user:

curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.editor", "members": ["user:sasha@examplepetstore.com"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"

Grant public access to a repository

You can grant public access to a Dataform repository by granting IAM roles on the repository to the allAuthenticatedUsers principal.

When you assign an IAM role to the allAuthenticatedUsers principal, service accounts and all users on the internet who have authenticated with a Google Account are granted that role. This includes accounts that aren't connected to a Google Workspace account or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. For more information, see All authenticated users.

For example, when you grant the Dataform Viewer role to allAuthenticatedUsers on the sales repository, all service accounts and users on the internet who have authenticated with a Google Account have read-only access to all sales code resources.

To grant public access to a Dataform repository, follow these steps:

1. In the terminal, pass the Dataform API repositories.setIamPolicy request with an access policy.

2. In the policy, bind the allAuthenticatedUsers principal to a selected role in the following format:

   {
   "policy":
      {
         "bindings": [
         {
            "role": "roles/ROLE",
            "members": [
               "allAuthenticatedUsers",
            ]
         },
         ],
      }
   }
   

   Replace the following:

   • ROLE: a Dataform IAM role that you want to grant to all authenticated users.

The following command passes the repositories.setIamPolicy Dataform API request that grants the Dataform Viewer role on the sales repository to allAuthenticatedUsers:

curl -H "Content-Type: application/json" -X POST -d '{ "policy": { "bindings": [{ "role": "roles/dataform.viewer", "members": ["allAuthenticatedUsers"]}] }}' "https://dataform.googleapis.com/v1beta1/projects/examplepetstore/locations/us-central1/repositories/sales:setIamPolicy"

Prevent public access to repositories

To ensure that no access is granted to the public on any Dataform repository, you can restrict the allAuthenticatedUsers principal in your project.

To restrict allAuthenticatedUsers in your project, you can set the iam.allowedPolicyMemberDomains policy, and remove allAuthenticatedUsers from the list of allowed_values.

When you restrict allAuthenticatedUsers in the iam.allowedPolicyMemberDomains policy, the allAuthenticatedUsers principal cannot be used in any IAM policy in your project, which prevents granting public access to all resources, including Dataform repositories.

For more information about the iam.allowedPolicyMemberDomains policy and also instructions to set it, see Restricting identities by domain.

Workforce identity federation in Dataform

Workforce identity federation lets you use an external identity provider (IdP) to authenticate and authorize users to Google Cloud services with IAM.

Dataform supports workforce identity federation with no known limitations.

What's next

• To learn more about IAM, see IAM overview.
• To learn more about roles and permissions, see Understanding roles.
• To learn more about managing access to resources, see Manage access to projects, folders, and organizations.
• To learn how to grant BigQuery roles to tables in Dataform, see Control access to individual tables with IAM.
• To learn more about the key concepts of workforce identity federation, see Workforce identity federation.