By default, all Google Cloud projects come with a single user, the original project creator. No other users have access to the project and, therefore, to Lakehouse resources, until a user is added as a project member or is bound to a specific resource.
This page explains how to add new users to your project and set access control for your Google Cloud Lakehouse resources.
What is IAM?
Google Cloud offers Identity and Access Management (IAM), which lets you grant more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources within * Lakehouse*.
IAM also lets you control who (an identity) has what permissions
(roles) for which resources by setting IAM policies.
IAM policies grant specific roles to a project member, which
gives the identity certain permissions. For example, for a given resource, such
as a project, you can assign the roles/biglake.admin role to a Google Account
and that account can control Lakehouse resources in the project,
but cannot manage other resources. You can also use IAM to manage
the basic roles granted to project team members.
Access control options for users
To let users create and manage your Lakehouse resources, you can add them as team members to your project or to specific resources and grant them permissions using IAM roles.
A team member can be an individual user with a valid Google Account, a Google Group, a service account, or a Google Workspace domain. When you add a team member to a project or to a resource, you specify which roles to grant them. IAM provides three types of roles: predefined roles, basic roles, and custom roles.
To see a list of the capabilities of each Lakehouse role and the API methods that a specific role grants permission to, see Lakehouse IAM roles.
For other member types, such as service accounts and groups, see the Policy binding reference.
Service accounts
When you call Lakehouse APIs to perform actions in a project
where your service is located, Lakehouse performs these actions
on your behalf by using a per-catalog Service Agent service
account.
These service accounts are used by the Lakehouse runtime catalog and are
granted the roles/biglake.serviceAgent role on your project.
IAM policies for resources
You can grant access to Lakehouse resources by attaching IAM policies directly to those resources, such as a Lakehouse service. An IAM policy lets you manage IAM roles on those resources instead of, or in addition to, managing roles at the project level. This gives you flexibility to apply the principle of least privilege, which is to grant access only to the specific resources that collaborators need to do their work.
Resources also inherit the policies of their parent resources. If you set a policy at the project level, it's inherited by all its child resources. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from higher up in the hierarchy. For more information, see the IAM policy hierarchy.
You can get and set IAM policies using the Google Cloud console, the Identity and Access Management API, or the Google Cloud CLI.
- For the Google Cloud console, see Access control with the Google Cloud console.
- For the API, see Access control via the API.
- For the Google Cloud CLI, see Access control with the Google Cloud CLI.
What's next
- Learn more about Lakehouse IAM roles.
- Learn how to set policies at a project level.