You can now use tags on BigQuery tables to conditionally grant or deny access with Identity and Access Management (IAM) policies. This feature is generally available. Tags can also be attached to BigQuery datasets during creation to control access.
Tags and IAM Policies
- Tags: Key-value pairs attached to tables or datasets, or inherited from other Google Cloud resources.
- Conditional Policies: An IAM binding can carry a condition that is evaluated against the tags on the resource being accessed, so the grant only applies to tagged (or untagged) resources. For example, the BigQuery Data Viewer role can be granted on a project with a condition that restricts it to datasets carrying the environment:dev tag.
Example Use Case
If you are an organization administrator and your data analysts belong to the analysts@example.com group, which holds the BigQuery Data Viewer role on the userData project, you can use tags to restrict a new data analyst intern to viewing only the anonymousData dataset: tag that dataset, then grant the intern the role with a condition that matches the tag instead of adding the intern to the group.
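The use case above, worked through with gcloud as an added example (this is not code from the page or from Google's documentation). It assumes a numeric organization ID, the userData project, the anonymousData dataset, and an intern account; all of these are placeholders. The script runs in dry-run mode by default and only prints the commands; set DRY_RUN=0 to execute them with an authenticated gcloud. The condition is passed via --condition-from-file because the comma inside matchTag(...) would be split by the --condition flag's key=value parser.

```shell
#!/usr/bin/env sh
# Added example: grant an intern BigQuery Data Viewer on a project, but only for
# datasets tagged environment:dev. Identifiers below are placeholders (assumptions).
set -eu

ORG_ID="${ORG_ID:-123456789012}"            # assumption: your organization's numeric ID
PROJECT_ID="${PROJECT_ID:-userData}"        # project the analysts already have access to
DATASET_ID="${DATASET_ID:-anonymousData}"   # the only dataset the intern should see
INTERN="${INTERN:-user:intern@example.com}" # assumption: the intern's account
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute with gcloud

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# tag_condition ORG KEY VALUE -> the CEL expression IAM evaluates against the
# tags on the resource being accessed. This is the positive form: in a service
# that cannot read tags it evaluates to false and access is denied (fails closed).
# The negated form, !resource.matchTag(...), may not be evaluated at all there,
# so it must not be relied on to exclude sensitive datasets.
tag_condition() {
  printf "resource.matchTag('%s/%s', '%s')" "$1" "$2" "$3"
}

# condition_yaml ORG KEY VALUE -> YAML accepted by --condition-from-file.
condition_yaml() {
  cat <<EOF
title: bq-viewer-$2-$3
description: BigQuery Data Viewer only on datasets tagged $2:$3
expression: $(tag_condition "$1" "$2" "$3")
EOF
}

# 1. Create the tag key and value at the organization (done once per key/value).
run gcloud resource-manager tags keys create environment \
  --parent="organizations/$ORG_ID"
run gcloud resource-manager tags values create dev \
  --parent="$ORG_ID/environment"

# 2. Attach environment:dev to the dataset. Regional datasets also need --location.
run gcloud resource-manager tags bindings create \
  --tag-value="$ORG_ID/environment/dev" \
  --parent="//bigquery.googleapis.com/projects/$PROJECT_ID/datasets/$DATASET_ID"

# 3. Grant the role at the project, conditioned on the tag. The intern is NOT added
#    to analysts@example.com, whose unconditional binding would see every dataset.
COND_FILE="$(mktemp)"
condition_yaml "$ORG_ID" environment dev > "$COND_FILE"
run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="$INTERN" \
  --role="roles/bigquery.dataViewer" \
  --condition-from-file="$COND_FILE"
rm -f "$COND_FILE"
```

After step 3, a query by the intern against anonymousData succeeds while the same query against any untagged dataset in userData is denied; remember that wildcard table queries do not consult the tag condition, and tag any dataset you later want the intern to see rather than widening the binding.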
Limitations
- Unsupported Tables: Tags are not supported on BigQuery Omni tables, hidden datasets, or temporary tables.
- Cross-Region Queries: Tags are not used in access control checks for cross-region queries in BigQuery Omni.
- Tag Limits: A maximum of 50 tags can be attached to a dataset or table.
- Wildcard Queries: Conditional access for tagged tables is not considered in wildcard queries.
- Service Limitations: Some services outside BigQuery cannot evaluate IAM tag conditions. Where a service cannot check them, a positive tag condition (the resource must carry the tag) evaluates to false and access is denied, whereas a negative tag condition (the resource must not carry the tag) may not be checked at all, so a negative condition should not be relied on to keep sensitive data out of reach.
For more details on creating tags, visit the BigQuery help center.