Within Google Cloud Lakehouse, you use the Lakehouse runtime catalog to manage metadata for your Lakehouse Iceberg REST catalog tables stored in Cloud Storage.
This document explains how to get and set Identity and Access Management (IAM) policies at the table level to control access to these resources using the gcloud CLI.
How credential vending works
When you use credential vending, the query processing sequence changes slightly to enforce policies before data is read:
- Request: A user submits a SQL query to a supported engine (for example, Apache Spark).
- Metadata lookup: The engine sends a request to the Lakehouse runtime catalog to resolve the table.
- Authentication and policy: The catalog authenticates the user and checks their IAM permissions on the Google Cloud Lakehouse resources.
- Response: Because credential vending is enabled, the catalog returns the metadata and a short-lived storage token (downscoped storage credentials) to the engine.
- Read: The engine uses this token to read the specific authorized files directly from Cloud Storage.
- Compute: The engine processes the data and returns the results.
Supported catalogs
Credential vending is supported when you use the Apache Iceberg REST catalog endpoint in Google Cloud Lakehouse. When you set up a catalog in credential vending mode, your client application must be configured to request downscoped credentials by specifying access delegation on its catalog requests.
The Custom Iceberg catalog for BigQuery endpoint does not support credential vending.
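The following is an added example, not Google's code or anything from the Lakehouse documentation, that models the credential-vending sequence above from the client's side: the metadata lookup that opts in to access delegation, the response carrying a short-lived downscoped storage token, and the check that a read stays within what that token covers. The request header name and value (`X-Iceberg-Access-Delegation: vended-credentials`) and the response shape (a LoadTableResult with a `storage-credentials` list) follow the Apache Iceberg REST specification, and the `gcs.oauth2.*` keys are the property names Iceberg's GCS file I/O reads; the endpoint URL, bucket paths, token values and expiry are constructed placeholders.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# Placeholder endpoint; the real Lakehouse Iceberg REST URI is not shown on this page.
CATALOG_URI = "https://catalog.example.invalid/iceberg/v1"

# Header defined by the Iceberg REST spec; "vended-credentials" asks the
# catalog to return downscoped storage credentials along with the table metadata.
ACCESS_DELEGATION_HEADER = "X-Iceberg-Access-Delegation"


def load_table_request(namespace: str, table: str, user_token: str) -> dict:
    """Metadata lookup: the request the engine sends to resolve a table.

    The Authorization header carries the caller's identity, which the catalog
    checks against IAM; the access-delegation header is the client-side opt-in
    for credential vending.
    """
    return {
        "method": "GET",
        "url": f"{CATALOG_URI}/namespaces/{namespace}/tables/{table}",
        "headers": {
            "Authorization": f"Bearer {user_token}",
            ACCESS_DELEGATION_HEADER: "vended-credentials",
        },
    }


@dataclass(frozen=True)
class VendedCredential:
    """One downscoped storage credential: valid only under `prefix`, only until `expires_at_ms`."""
    prefix: str
    token: str
    expires_at_ms: int

    def is_expired(self, now_ms: int) -> bool:
        return now_ms >= self.expires_at_ms

    def covers(self, object_path: str) -> bool:
        return object_path.startswith(self.prefix)


def parse_load_table_response(body: str):
    """Response: pull the metadata location and vended credentials out of a
    LoadTableResult. The gcs.oauth2.* keys are what Iceberg's GCSFileIO reads
    when it is handed a pre-issued OAuth token instead of using ADC."""
    doc = json.loads(body)
    credentials = []
    for entry in doc.get("storage-credentials", []):
        cfg = entry["config"]
        credentials.append(VendedCredential(
            prefix=entry["prefix"],
            token=cfg["gcs.oauth2.token"],
            expires_at_ms=int(cfg["gcs.oauth2.token-expires-at-ms"]),
        ))
    return doc["metadata-location"], credentials


def credential_for(credentials, object_path: str, now_ms: int) -> Optional[VendedCredential]:
    """Read: pick a credential that can read `object_path` right now.

    Cloud Storage enforces the downscoping itself; this client-side check only
    mirrors it, so a read outside the vended prefix or with a stale token is
    rejected before any storage request is made."""
    for cred in credentials:
        if cred.covers(object_path) and not cred.is_expired(now_ms):
            return cred
    return None


# Constructed LoadTableResult; nothing here came from a real catalog.
CONSTRUCTED_RESPONSE = json.dumps({
    "metadata-location": "gs://example-bucket/warehouse/sales/orders/metadata/00001-abc.metadata.json",
    "metadata": {"format-version": 2},  # trimmed; a real response carries the full table metadata
    "storage-credentials": [{
        "prefix": "gs://example-bucket/warehouse/sales/orders/",
        "config": {
            "gcs.oauth2.token": "CONSTRUCTED-DOWNSCOPED-TOKEN",
            "gcs.oauth2.token-expires-at-ms": "1700000000000",
        },
    }],
})


if __name__ == "__main__":
    request = load_table_request("sales", "orders", "CONSTRUCTED-USER-TOKEN")
    location, creds = parse_load_table_response(CONSTRUCTED_RESPONSE)
    now = 1699999999000  # one second before the constructed token expires
    print(request["headers"][ACCESS_DELEGATION_HEADER], location)
    print(credential_for(creds, "gs://example-bucket/warehouse/sales/orders/data/p0.parquet", now))
    print(credential_for(creds, "gs://example-bucket/warehouse/hr/salaries/data/p0.parquet", now))
    print(credential_for(creds, "gs://example-bucket/warehouse/sales/orders/data/p0.parquet", int(time.time() * 1000)))
```

The two negative cases are the point of the model: a path under a different table's prefix gets no credential even though the caller was authenticated, and the same authorized path gets none once the vended token has expired, which is why an engine must re-resolve the table rather than cache storage tokens.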
What's next
- Learn how to create a catalog in credential vending mode.
- Learn how to enable credential vending for an existing catalog using the Google Cloud console.
- Learn how to configure your client application for credential vending.