Last updated: 2025-09-04 (UTC).

# Configure VPC Service Controls

VPC Service Controls is a Google Cloud feature that lets you set up a perimeter that helps guard against data exfiltration. This guide shows how to use VPC Service Controls with Dataform to help make your services more secure.

VPC Service Controls provides an extra layer of defense for Google Cloud services that is independent of the protection provided by Identity and Access Management (IAM).

To learn more about VPC Service Controls, see [Overview of VPC Service Controls](/vpc-service-controls/docs/overview).

Limitations
-----------

Dataform supports VPC Service Controls with the following limitations:

- You must set the [`dataform.restrictGitRemotes` organization policy](/dataform/docs/restrict-git-remotes).

- Dataform and BigQuery must be restricted by the same VPC Service Controls service perimeter.

- To allow specific users to authenticate with their Google Account user credentials when [scheduling runs](/dataform/docs/schedule-runs), [manually triggering runs](/dataform/docs/trigger-execution), or [running pipelines](/bigquery/docs/create-pipelines#run_a_pipeline) with VPC Service Controls configured, you need to add their user identities to your ingress rules. For more information, see [Updating ingress and egress policies for a service perimeter](/vpc-service-controls/docs/configuring-ingress-egress-policies#updating) and [Ingress rules reference](/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference).

### Security considerations

When you set up a VPC Service Controls perimeter for Dataform, review the permissions granted to your Dataform service accounts and ensure that they match your security architecture.

Depending on the permissions that you grant to a Dataform service account, that service account might have access to BigQuery or Secret Manager data in the project that the service account belongs to, regardless of VPC Service Controls.
In such a case, restricting Dataform with a VPC Service Controls perimeter does not block communication with BigQuery or Secret Manager: the service account, the secrets, and the BigQuery data all sit inside the same perimeter, so VPC Service Controls has no boundary to enforce and only IAM governs the access.

If you don't need to run any workflow invocations originating from your Dataform repositories, block communication with BigQuery. For more information, see [Block communication with BigQuery](#block-bigquery).

If none of your Dataform repositories connect to a third-party Git repository, block communication with Secret Manager. For more information, see [Block communication with Secret Manager](#block-secretmanager).

Before you begin
----------------

Before you configure a VPC Service Controls service perimeter for Dataform, follow the [Restrict remote repositories](/dataform/docs/restrict-git-remotes) guide to set the `dataform.restrictGitRemotes` organization policy.

The `dataform.restrictGitRemotes` organization policy is required to ensure that VPC Service Controls checks are enforced when using Dataform and that third-party access to Dataform Git repositories is restricted.

### Required roles

To get the permissions that you need to configure a VPC Service Controls service perimeter, ask your administrator to grant you the [Access Context Manager Editor](/iam/docs/roles-permissions/accesscontextmanager#accesscontextmanager.policyEditor) (`roles/accesscontextmanager.policyEditor`) IAM role on the project.

For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

You might also be able to get the required permissions through [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/roles-overview#predefined).

For more information about VPC Service Controls permissions, see [Access control with IAM](/vpc-service-controls/docs/access-control).

Configure VPC Service Controls
------------------------------

You can restrict Dataform with a VPC Service Controls service perimeter in the following ways:

- Add Dataform to an existing service perimeter that restricts BigQuery.
- Create a service perimeter that restricts both Dataform and BigQuery.

| **Important:** Dataform and BigQuery must be restricted by the same service perimeter.

To add Dataform to a service perimeter that restricts BigQuery, follow the [Update a service perimeter](/vpc-service-controls/docs/manage-service-perimeters#update) guide in the VPC Service Controls documentation.

To create a new service perimeter that restricts both Dataform and BigQuery, follow the [Create a service perimeter](/vpc-service-controls/docs/create-service-perimeters) guide in the VPC Service Controls documentation.

Optional: Block communication with BigQuery
-------------------------------------------

The way Dataform communicates with BigQuery depends on the [type of service account used in Dataform](/dataform/docs/access-control#about-service-accounts).

The default Dataform service account uses the `bigquery.jobs.create` permission to communicate with BigQuery. You grant the default Dataform service account roles that contain this permission when you [grant the roles that are required for Dataform to run workflows in BigQuery](/dataform/docs/access-control#grant-dataform-required-access).

To block communication between the default Dataform service account and BigQuery, revoke every predefined and custom role that contains the `bigquery.jobs.create` permission from the default Dataform service account.
To revoke roles, follow the [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access) guide.

Custom Dataform service accounts use the following permissions and roles to communicate with BigQuery:

- The `bigquery.jobs.create` permission, granted to the custom service account.
- The Service Account Token Creator (`roles/iam.serviceAccountTokenCreator`) role, granted to the default Dataform service account on the custom service account, which lets Dataform impersonate the custom service account.

You can block communication between a custom Dataform service account and BigQuery in either of the following ways:

- Revoke the Service Account Token Creator (`roles/iam.serviceAccountTokenCreator`) role granted to the default Dataform service account on the selected custom Dataform service account. To revoke the Service Account Token Creator role, follow the [Manage access to service accounts](/iam/docs/manage-access-service-accounts) guide.

- Revoke all predefined and custom roles granted at the project level to the custom service account that contain the `bigquery.jobs.create` permission.
  To revoke roles, follow the [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access) guide.

The `bigquery.jobs.create` permission is included in the following predefined [BigQuery IAM roles](/bigquery/docs/access-control), which must be revoked if they are granted:

- [BigQuery Admin (`roles/bigquery.admin`)](/bigquery/docs/access-control#bigquery.admin)
- [BigQuery Job User (`roles/bigquery.jobUser`)](/bigquery/docs/access-control#bigquery.jobUser)
- [BigQuery User (`roles/bigquery.user`)](/bigquery/docs/access-control#bigquery.user)
- [BigQuery Studio Admin (`roles/bigquery.studioAdmin`)](/bigquery/docs/access-control#bigquery.studioAdmin)
- [BigQuery Studio User (`roles/bigquery.studioUser`)](/bigquery/docs/access-control#bigquery.studioUser)

The basic Editor (`roles/editor`) and Owner (`roles/owner`) roles also contain `bigquery.jobs.create`, and a custom role might; check every role bound to the service account, not only the BigQuery roles listed above.

Optional: Block communication with Secret Manager
-------------------------------------------------

Dataform uses the `secretmanager.versions.access` permission to access individual Secret Manager secrets. You grant this permission to the default Dataform service account on a selected Secret Manager secret when you [connect a Dataform repository to a third-party repository](/dataform/docs/connect-repository).

To block communication between Dataform and Secret Manager, revoke the default Dataform service account's access to all secrets.

To revoke access to a Secret Manager secret from the default Dataform service account, follow the [Manage access to secrets](/secret-manager/docs/manage-access-to-secrets) guide in the Secret Manager documentation.
You must revoke all predefined and custom roles that contain the `secretmanager.versions.access` permission and are granted to the default Dataform service account on the selected secret.

The `secretmanager.versions.access` permission is included in the following predefined [Secret Manager IAM roles](/secret-manager/docs/access-control):

- [Secret Manager Admin (`roles/secretmanager.admin`)](/secret-manager/docs/access-control#secretmanager.admin)
- [Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)](/secret-manager/docs/access-control#secretmanager.secretAccessor)
- [Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`)](/secret-manager/docs/access-control#secretmanager.secretVersionManager)

What's next
-----------

- To learn more about VPC Service Controls, see [Overview of VPC Service Controls](/vpc-service-controls/docs/overview).
- To learn more about the Organization Policy, see [Introduction to the Organization Policy Service](/resource-manager/docs/organization-policy/overview).
- To learn more about service accounts in Dataform, see [About service accounts in Dataform](/dataform/docs/access-control#about-service-accounts).
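The Limitations and Configure VPC Service Controls sections above state two requirements that are easy to get wrong when a perimeter is edited by hand: Dataform and BigQuery must be restricted by the same perimeter, and each user who triggers or schedules runs with their own credentials needs an ingress rule. The following script is an added example, not Google's or Dataform's own code; it checks both requirements against a perimeter document in the shape returned by `gcloud access-context-manager perimeters describe` and builds the missing ingress rule in the schema accepted by `gcloud access-context-manager perimeters update --set-ingress-policies=FILE`. The perimeter below is a constructed sample; the access policy number, project number and user addresses are placeholders.

```python
"""Check a VPC Service Controls perimeter for the two Dataform requirements
on this page: dataform.googleapis.com and bigquery.googleapis.com must both be
restricted by the perimeter, and every user who runs Dataform with their own
credentials needs an ingress rule.

Added example, not Google's or Dataform's own code. SAMPLE_PERIMETER is a
constructed document in the shape of `gcloud access-context-manager
perimeters describe --format=json`; policy number, project number and
e-mail addresses are placeholders.
"""

DATAFORM = "dataform.googleapis.com"
BIGQUERY = "bigquery.googleapis.com"


def missing_restricted_services(perimeter):
    """Return whichever of Dataform and BigQuery the perimeter does not restrict."""
    restricted = set(perimeter.get("status", {}).get("restrictedServices", []))
    return sorted({DATAFORM, BIGQUERY} - restricted)


def _rule_covers(rule, identity, service):
    """True if one ingress rule admits `identity` to `service` from outside the perimeter."""
    src = rule.get("ingressFrom", {})
    if identity not in src.get("identities", []):
        return False
    # A rule with no sources admits nothing; '*' or a named access level both count here.
    if not src.get("sources"):
        return False
    for op in rule.get("ingressTo", {}).get("operations", []):
        if op.get("serviceName") in (service, "*"):
            return True
    return False


def users_without_ingress(perimeter, users, service=DATAFORM):
    """Return the 'user:...' identities that no ingress rule admits to `service`."""
    rules = perimeter.get("status", {}).get("ingressPolicies", [])
    return sorted(u for u in users if not any(_rule_covers(r, u, service) for r in rules))


def ingress_rule_for(users, service=DATAFORM):
    """Ingress rule admitting `users` to `service`, in the --set-ingress-policies schema."""
    return {
        "ingressFrom": {"identities": sorted(users), "sources": [{"accessLevel": "*"}]},
        "ingressTo": {
            "operations": [{"serviceName": service, "methodSelectors": [{"method": "*"}]}],
            "resources": ["*"],
        },
    }


# Constructed sample: BigQuery restricted, Dataform not yet added, ingress only for alice.
SAMPLE_PERIMETER = {
    "name": "accessPolicies/111111111111/servicePerimeters/analytics",   # placeholder
    "status": {
        "resources": ["projects/123456789012"],                           # placeholder
        "restrictedServices": [BIGQUERY],
        "ingressPolicies": [
            {
                "ingressFrom": {"identities": ["user:alice@example.com"],
                                "sources": [{"accessLevel": "*"}]},
                "ingressTo": {"operations": [{"serviceName": DATAFORM,
                                              "methodSelectors": [{"method": "*"}]}],
                              "resources": ["*"]},
            }
        ],
    },
}

USERS = ["user:alice@example.com", "user:bob@example.com"]   # placeholders

if __name__ == "__main__":
    print("not restricted:", missing_restricted_services(SAMPLE_PERIMETER))
    missing = users_without_ingress(SAMPLE_PERIMETER, USERS)
    print("need an ingress rule:", missing)
    print("rule to add:", ingress_rule_for(missing))
```

On the sample, the first check reports that `dataform.googleapis.com` still has to be added to the perimeter (for example with `--add-restricted-services=dataform.googleapis.com` on `gcloud access-context-manager perimeters update`), and the second reports `user:bob@example.com` as the only identity without an ingress rule. The generated rule uses the `*` access level as its source; narrow it to a named access level if your perimeter already uses one.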
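The two optional sections above reduce to one operation repeated on three resources: find every binding that gives the default Dataform service account a role carrying `bigquery.jobs.create` (at the project level, or `roles/iam.serviceAccountTokenCreator` on a custom service account) or `secretmanager.versions.access` (on a secret), and remove it. The script below is an added example, not Dataform's or Google's own code; it reads IAM policies in the shape returned by `gcloud ... get-iam-policy --format=json` and emits the `gcloud ... remove-iam-policy-binding` commands to run, while setting aside custom roles and conditional bindings for manual review. The project ID, project number, custom service account, secret ID and custom role name are placeholders, and the three policy documents are constructed samples.

```python
"""Find the IAM bindings that let the default Dataform service account reach
BigQuery or Secret Manager, and emit the gcloud commands that revoke them.

Added example, not Dataform's or Google's own code. The three policies are
constructed samples in the shape of `gcloud projects|iam service-accounts|
secrets get-iam-policy --format=json`; project ID, project number, custom
service account, secret ID and custom role name are placeholders.
"""

# Predefined roles this page lists as containing bigquery.jobs.create, plus
# the basic Editor and Owner roles, which contain it as well.
BIGQUERY_JOB_ROLES = {
    "roles/bigquery.admin", "roles/bigquery.jobUser", "roles/bigquery.user",
    "roles/bigquery.studioAdmin", "roles/bigquery.studioUser",
    "roles/editor", "roles/owner",
}
# Predefined roles this page lists as containing secretmanager.versions.access.
SECRET_ACCESS_ROLES = {
    "roles/secretmanager.admin", "roles/secretmanager.secretAccessor",
    "roles/secretmanager.secretVersionManager",
}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

PROJECT_ID = "my-project"                                         # placeholder
PROJECT_NUMBER = "123456789012"                                   # placeholder
CUSTOM_SA = "dataform-runner@my-project.iam.gserviceaccount.com"  # placeholder
SECRET_ID = "github-token"                                        # placeholder


def default_dataform_sa(project_number):
    """IAM member string of the Google-managed default Dataform service account."""
    return f"serviceAccount:service-{project_number}@gcp-sa-dataform.iam.gserviceaccount.com"


DATAFORM_SA = default_dataform_sa(PROJECT_NUMBER)


def find_bindings(policy, member, roles):
    """Return (roles_to_revoke, roles_to_check) for `member` in one IAM policy.

    Roles in `roles` are known to carry the permission and go to the revoke
    list. Custom roles (projects/... or organizations/...) cannot be resolved
    offline (use `gcloud iam roles describe ROLE` and read includedPermissions)
    and conditional bindings need --condition on removal, so both are returned
    for manual review instead.
    """
    revoke, check = [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        custom = role.startswith(("projects/", "organizations/"))
        if role in roles and "condition" not in binding:
            revoke.append(role)
        elif custom or role in roles:
            check.append(role)
    return sorted(revoke), sorted(check)


def revoke_commands(resource_cmd, resource, member, roles):
    """gcloud remove-iam-policy-binding commands for one resource."""
    return [f"gcloud {resource_cmd} remove-iam-policy-binding {resource} "
            f"--member={member} --role={role}" for role in roles]


def plan_block_bigquery(project_policy, custom_sa_policy):
    """Commands that cut the default and custom Dataform SAs off from BigQuery."""
    roles, check = find_bindings(project_policy, DATAFORM_SA, BIGQUERY_JOB_ROLES)
    cmds = revoke_commands("projects", PROJECT_ID, DATAFORM_SA, roles)
    token, _ = find_bindings(custom_sa_policy, DATAFORM_SA, {TOKEN_CREATOR})
    cmds += revoke_commands("iam service-accounts", CUSTOM_SA, DATAFORM_SA, token)
    return cmds, check


def plan_block_secret_manager(secret_policy):
    """Commands that remove the default Dataform SA's access to one secret."""
    roles, check = find_bindings(secret_policy, DATAFORM_SA, SECRET_ACCESS_ROLES)
    return revoke_commands("secrets", SECRET_ID, DATAFORM_SA, roles), check


# Constructed samples: project policy, custom-SA policy and secret policy.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [DATAFORM_SA, "user:alice@example.com"]},
    {"role": "roles/bigquery.dataEditor", "members": [DATAFORM_SA]},   # no jobs.create
    {"role": "projects/my-project/roles/dataformRunner", "members": [DATAFORM_SA]},
]}
CUSTOM_SA_POLICY = {"bindings": [{"role": TOKEN_CREATOR, "members": [DATAFORM_SA]}]}
SECRET_POLICY = {"bindings": [
    {"role": "roles/secretmanager.secretAccessor", "members": [DATAFORM_SA]},
]}

if __name__ == "__main__":
    cmds, check = plan_block_bigquery(PROJECT_POLICY, CUSTOM_SA_POLICY)
    print("\n".join(cmds + plan_block_secret_manager(SECRET_POLICY)[0]))
    print("review manually:", check)
```

Run it against real policies by replacing the three sample dictionaries with the output of the corresponding `get-iam-policy --format=json` calls. Note that the script only plans: removing `roles/bigquery.jobUser` from the project policy and Token Creator from the custom service account stops Dataform from running anything in BigQuery, so confirm that no scheduled or manually triggered runs are still expected before executing the commands.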