Enable credential vending

Enabling credential vending mode for an existing catalog in the Google Cloud console configures Lakehouse for Apache Iceberg to vend short-lived, downscoped storage tokens to authorized query engines.

Within the Lakehouse runtime catalog, this authentication method eliminates the need for users to hold direct read and write permissions on the underlying Cloud Storage bucket.

Before you begin

  1. Verify that billing is enabled for your Google Cloud project.

  2. Enable the BigLake API.

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission.

Required roles

To get the permissions that you need to enable credential vending in the Google Cloud console, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable credential vending

If the authentication method for your catalog is set to end-user credentials, you can switch it to credential vending mode.

  1. In the Google Cloud console, open the Lakehouse page.


  2. In the row of the catalog that you're updating, click More catalog actions > Edit authentication.

  3. In the authentication dialog, select Credential vending mode.

  4. Click Save.

    Your catalog is updated and the Catalog details page opens.

  5. Under Authentication method, click Set bucket permissions.

  6. In the dialog, click Confirm.

    This verifies that your catalog's service account has the Storage Object User role on your storage bucket.
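The same verification can be repeated outside the console against the bucket's IAM policy. The following is an added example, not code from this page or from Google Cloud: it parses the JSON that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns, checks whether the catalog's service account holds Storage Object User (roles/storage.objectUser), and lists any other bucket-level roles bound to that account so over-broad grants are visible. The service account, bucket and policy contents are constructed placeholders.

```python
import json

# Role the console's "Set bucket permissions" step verifies (named on the page).
REQUIRED_ROLE = "roles/storage.objectUser"

# Constructed sample in the shape returned by
#   gcloud storage buckets get-iam-policy gs://BUCKET --format=json
# The service account and project names are placeholders, not real values.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectUser",
         "members": ["serviceAccount:catalog-sa@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:analyst@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:catalog-sa@example-project.iam.gserviceaccount.com"],
         "condition": {"title": "expired-temp-access",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 3,
})


def roles_for(policy_json, member):
    """Return (unconditional_roles, conditional_roles) bound to `member`.

    Conditional bindings are kept apart: whether they grant anything depends
    on the condition, so they must not be counted as a plain role grant.
    """
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        target = conditional if "condition" in binding else unconditional
        target.add(binding["role"])
    return unconditional, conditional


def check_catalog_sa(policy_json, member):
    """Mirror the console check and surface any extra roles on the same bucket."""
    unconditional, conditional = roles_for(policy_json, member)
    return {
        "has_required_role": REQUIRED_ROLE in unconditional,
        "other_roles": sorted(unconditional - {REQUIRED_ROLE}),
        "conditional_roles": sorted(conditional),
    }


if __name__ == "__main__":
    sa = "serviceAccount:catalog-sa@example-project.iam.gserviceaccount.com"
    print(json.dumps(check_catalog_sa(SAMPLE_POLICY, sa), indent=2))
```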