By default, all Google Cloud projects come with a single user, the original project creator. No other users have access to the project and, therefore, to BigLake resources, until a user is added as a project member or is bound to a specific resource.
This page explains how to add new users to your project and set access control for your BigLake resources.
What is IAM?
Google Cloud offers Identity and Access Management (IAM), which lets you grant granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you apply the security principle of least privilege: you grant only the access that a principal needs to do its work, on only the resources where it needs it.
IAM also lets you control who (an identity) has what permissions (roles) for which resources by setting IAM policies. An IAM policy grants specific roles to a project member, which gives the identity the permissions contained in those roles. For example, for a given resource, such as a project, you can assign the roles/biglake.admin role to a Google Account; that account can then control BigLake resources in the project, but cannot manage other resources. You can also use IAM to manage the basic roles granted to project team members.
Access control options for users
To let users create and manage your BigLake resources, you can add them as team members to your project or to specific resources and grant them permissions using IAM roles.
A team member can be an individual user with a valid Google Account, a Google Group, a service account, or a Google Workspace domain. When you add a team member to a project or to a resource, you specify which roles to grant them. IAM provides three types of roles: predefined roles, basic roles, and custom roles.
To see a list of the capabilities of each BigLake role and the API methods that a specific role grants permission to, see BigLake IAM roles.
For other member types, such as service accounts and groups, see the Policy binding reference.
Service accounts
When you call BigLake APIs to perform actions in a project where your service is located, BigLake performs these actions on your behalf by using a service agent, a Google-managed service account that has the required permissions.
The following service account has the required permissions to perform BigLake actions in the project where your service is located:
blirc-PROJECT_NUMBER-IDENTIFIER@gcp-sa-biglakerestcatalog.iam.gserviceaccount.com.
This service account is granted the roles/biglake.serviceAgent role on your project. That binding is what allows BigLake to act for you, so don't remove it, and don't grant the service agent broader roles than it needs.
IAM policies for resources
You can grant access to BigLake resources by attaching IAM policies directly to those resources, such as a BigLake service. An IAM policy lets you manage IAM roles on those resources instead of, or in addition to, managing roles at the project level. This gives you flexibility to apply the principle of least privilege, which is to grant access only to the specific resources that collaborators need to do their work.
Resources also inherit the policies of their parent resources. If you set a policy at the project level, it's inherited by all its child resources. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from higher up in the hierarchy. Inheritance is additive: a resource-level policy can add grants, but it cannot revoke a role granted at the project level, so a principal with roles/biglake.admin on the project holds that role on every BigLake resource in it regardless of what the resource's own policy says. For more information, see the IAM policy hierarchy.
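The following is an added example, not code from this page or from Google's libraries, that models the two ideas above: granting roles/biglake.admin at the project level (the "What is IAM?" section) and computing a resource's effective roles as the union of its own policy and the inherited project policy. The policy document shape (version, bindings, etag) matches what the IAM API and gcloud return; the project, resource, principals and etag derivation are constructed for illustration and are not real identities.

```python
"""Constructed model of IAM policy documents and policy inheritance.

Not part of the BigLake documentation. The policy shape (version, bindings,
etag) matches the IAM REST API; the principals, the resource hierarchy and
the etag derivation below are hypothetical stand-ins.
"""
import copy
import hashlib
import json


def new_etag(policy):
    """Stand-in for the opaque etag IAM attaches to a policy. The real service
    generates its own; deriving it from the bindings is enough to show the
    read-modify-write check in add_binding()."""
    body = json.dumps(policy.get("bindings", []), sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()[:12]


# Constructed project-level policy: alice is granted roles/biglake.admin on
# the whole project, so she inherits it on every BigLake resource in it.
PROJECT_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:creator@example.com"]},
        {"role": "roles/biglake.admin", "members": ["user:alice@example.com"]},
    ],
}
PROJECT_POLICY["etag"] = new_etag(PROJECT_POLICY)

# Constructed policy attached directly to one BigLake resource in that
# project: a group is granted the role on this resource only.
RESOURCE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/biglake.admin", "members": ["group:analysts@example.com"]},
    ],
}
RESOURCE_POLICY["etag"] = new_etag(RESOURCE_POLICY)


def add_binding(policy, role, member, expected_etag):
    """Read-modify-write a policy: add `member` to the binding for `role`.

    Refuses to write when the etag no longer matches the one read, which is
    how a concurrent edit by another administrator is detected rather than
    silently overwritten. Returns the updated policy; the input is untouched.
    """
    if policy["etag"] != expected_etag:
        raise ValueError("policy changed since it was read; re-read and retry")
    updated = copy.deepcopy(policy)
    for binding in updated["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        updated["bindings"].append({"role": role, "members": [member]})
    updated["etag"] = new_etag(updated)
    return updated


def effective_roles(member, *policies):
    """Roles `member` holds on a resource: the union over the resource's own
    policy and every ancestor policy passed in. Because it is a union, a
    child policy can add grants but can never remove an inherited one."""
    roles = set()
    for policy in policies:
        for binding in policy["bindings"]:
            if member in binding["members"]:
                roles.add(binding["role"])
    return roles


def demo():
    """Run the scenario end to end and return the observations as a dict."""
    stale_rejected = False
    try:
        add_binding(PROJECT_POLICY, "roles/biglake.admin",
                    "user:carol@example.com", "stale-etag")
    except ValueError:
        stale_rejected = True
    updated = add_binding(PROJECT_POLICY, "roles/biglake.admin",
                          "user:bob@example.com", PROJECT_POLICY["etag"])
    return {
        # alice is absent from RESOURCE_POLICY yet holds the role via inheritance
        "alice_on_resource": effective_roles("user:alice@example.com",
                                             PROJECT_POLICY, RESOURCE_POLICY),
        # analysts hold the role on this resource only, not on the project
        "analysts_on_resource": effective_roles("group:analysts@example.com",
                                                PROJECT_POLICY, RESOURCE_POLICY),
        "analysts_on_project": effective_roles("group:analysts@example.com",
                                               PROJECT_POLICY),
        "bob_after_grant": effective_roles("user:bob@example.com",
                                           updated, RESOURCE_POLICY),
        "stale_write_rejected": stale_rejected,
        "etag_changed": updated["etag"] != PROJECT_POLICY["etag"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same document shape is what `gcloud projects get-iam-policy PROJECT_ID --format=json` returns and what `gcloud projects set-iam-policy PROJECT_ID policy.json` writes back; IAM rejects the write when the etag in the file no longer matches the current policy, which is the check `add_binding()` models.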
You can get and set IAM policies using the Google Cloud console, the Identity and Access Management API, or the Google Cloud CLI.
- For the Google Cloud console, see Access control via the Google Cloud console.
- For the API, see Access control via the API.
- For the Google Cloud CLI, see Access control via the Google Cloud CLI.
What's next
- Learn more about IAM roles.
- Learn how to set policies at a project level.