google-bigquery-no-public-access.md

File metadata and controls

67 lines (51 loc) · 1.4 KB

Pattern: Use of public access for Google BigQuery dataset

Issue: -

Description

Granting access to allAuthenticatedUsers gives any GCP user - including users outside of your organisation - access to your BigQuery dataset.

Resolution: Configure access permissions at a finer granularity, scoping each access entry to a specific identity (for example a service account) or domain, as shown in the correct example below.

Examples

Example of incorrect code:

# Incorrect: the dataset is shared with every authenticated Google account.
resource "google_bigquery_dataset" "bad_example" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  # 3600000 ms = 1 hour; tables default to expiring one hour after creation.
  default_table_expiration_ms = 3600000

  labels = {
    env = "default"
  }

  # This is the entry the pattern flags: "allAuthenticatedUsers" is not limited
  # to your organisation, so combined with the OWNER role any signed-in GCP
  # user can manage this dataset and its tables.
  access {
    role          = "OWNER"
    special_group = "allAuthenticatedUsers"
  }

  # Domain-scoped entry: only accounts in this domain get READER. This part is
  # not public, but note that it still covers every account in the domain.
  access {
    role   = "READER"
    domain = "hashicorp.com"
  }
}

Example of correct code:

# Correct: every access entry names a specific identity or domain; no
# special_group that spans all authenticated users is present.
resource "google_bigquery_dataset" "good_example" {
  dataset_id                  = "example_dataset"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "EU"
  # 3600000 ms = 1 hour; tables default to expiring one hour after creation.
  default_table_expiration_ms = 3600000

  labels = {
    env = "default"
  }

  # OWNER is granted to a single dedicated service account (declared below as
  # google_service_account.bqowner) rather than to a special group.
  access {
    role          = "OWNER"
    user_by_email = google_service_account.bqowner.email
  }

  # READER stays scoped to one domain. Confirm that domain-wide read access is
  # actually intended; if not, narrow this entry to specific users or groups.
  access {
    role   = "READER"
    domain = "hashicorp.com"
  }
}

# Dedicated service account that owns the dataset above; its email is
# referenced by the OWNER access entry in google_bigquery_dataset.good_example.
resource "google_service_account" "bqowner" {
  account_id = "bqowner"
}