Update BigQuery connector documentation

[SemionPar]

Description

Add a section on project ID resolution.

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

## Section
* Fix some things. ({issue}`issuenumber`)

[SemionPar]

I have one more thing I am considering adding here.

Use case - cross project service accounts, aspect - PTF functions.

Little on the use case and how to setup service accounts in this way:

• https://cloud.google.com/eventarc/docs/use-cross-project-service-account (in context on another GCP service, but seems relevant)

By default, you can't create an IAM service account in one Google Cloud project and attach it to a resource in another project. However, you might have centralized the service accounts for your organization in separate projects, which can make the service accounts easier to manage. This document outlines the steps required to support attaching a service account in one project to an Eventarc trigger in another project.

• https://www.cloudquery.io/blog/creating-cross-project-service-accounts-in-gcp

Illustration

Setup

I did some testing with 3 Google Cloud projects

Projects:

• base-30275 - 'parent' project
• data-1-13082, data-2-644 - 'data' projects

Service accounts:

• base-30275-service-account-34@base-30275.iam.gserviceaccount.com
  • lives in base-30275,
  • has BigQueryUser access to base-30275, data-2-644
• base-30275-no-bq@base-30275.iam.gserviceaccount.com
  • lives in base-30275,
  • has BigQueryUser access to data-2-644 and data-1-13082, BUT NOT TO base-30275,
• data-2-bq@data-2-644.iam.gserviceaccount.com
  • lives in data-2-644,
  • has BigQueryUser access to data-2-644

Findings

• PTF query will execute with service account permissions, regardless of the bigquery.parent-project-id or bigquery.project-id

This makes it possible to access ALL BigQuery resources that this service account has permissions to:

-Dtesting.bigquery.parent-project-id=data-2-644         <--------------- data project id set as parent project
-Dtesting.bigquery.project-id=data-2-644
-Dtesting.bigquery.credentials-key=base-30275-service-account-34@base-30275.iam.gserviceaccount.com

-- access to data project:
  SELECT * FROM TABLE(bigquery.system.query(query => 'SELECT schema_name FROM `data-2-644.region-us.INFORMATION_SCHEMA.SCHEMATA`'));
-- access to parent project:
  SELECT * FROM TABLE(bigquery.system.query(query => 'SELECT schema_name FROM `base-30275.region-us.INFORMATION_SCHEMA.SCHEMATA`'));
-- OK                                                   <--------------- has access because service account has permissions in parent
-- access to another data project:
  SELECT * FROM TABLE(bigquery.system.query(query => 'SELECT schema_name FROM `data-1-13082.region-us.INFORMATION_SCHEMA.SCHEMATA`'));
-- OK                                                   <--------------- has access because service account has permissions in other data project as well

If, however, used with service account that has no BigQuery permissions in the parent project, access is denied:

-Dtesting.bigquery.parent-project-id=data-2-644
-Dtesting.bigquery.project-id=data-2-644
-Dtesting.bigquery.credentials-key=base-30275-service-account-34@base-30275.iam.gserviceaccount.com

-- access to data project:
  SELECT * FROM TABLE(bigquery.system.query(query => 'SELECT schema_name FROM `data-2-644.region-us.INFORMATION_SCHEMA.SCHEMATA`'));
-- access to parent project:
  SELECT * FROM TABLE(bigquery.system.query(query => 'SELECT schema_name FROM `base-30275.region-us.INFORMATION_SCHEMA.SCHEMATA`'));
-- Failed to get destination table for query. Access Denied: Table base-30275:region-us. INFORMATION_SCHEMA. SCHEMATA: User does not have permission to query table base-30275:region-us. INFORMATION_SCHEMA. SCHEMATA, or perhaps it does not exist.

Summary

If a BigQuery catalog is configured with an SA JSON key and a project ID, then through PTF, one effectively gains access to all BigQuery projects that the service account has permissions for.

Ultimately, do we want to mention this in the documentation?

[hashhar]

Great job demystifying this.

Everyone was so confused for so long and wasn't able to figure out how or why it works.

[mosabua]

Overall we might want to rename the section since it seems all about billing ... also since it seems pretty critical we might want to add an anchor and link to it from the configs for each of these properties with a "see also .."

[mosabua]

Somewhere we need to link to some sort docs from BigQuery that explains more about the project ID ideally .. maybe right here

[SemionPar]

Fine idea! I am having trouble finding any relevant documentation on this topic that is more than a brief mention in the BigQuery section of Google Cloud docs. There are some third party sources like https://productresources.collibra.com/docs/collibra/latest/Content/DataQuality/DBConnection/ta_bigquery-cross-account-dataset-access.htm

We could have a reference to a general cross project SA page like this one instead, WDYT? https://cloud.google.com/iam/docs/attach-service-accounts#attaching-different-project

[mosabua]

Maybe use this link https://cloud.google.com/resource-manager/docs/creating-managing-projects .. it explicitly explains Project ID

[SemionPar]

I went ahead and added a sentence, please edit as you see fit

[mosabua]

Link the project ID to the link I found

[mosabua]

With regards to the query table function and it being a potential security issue.. thats already documented in a generic fashion .. adding more details specific to BigQuery would also be good.

[SemionPar]

Thank you for reviews @hashhar @mosabua!

Applied the changes and pushed, PTAL

[SemionPar]

Thank you @mosabua!

Gave it another try, PTAL

[hashhar]

LGTM % nits

[SemionPar]

Thank you @mosabua!

Gave it another try, PTAL

Sorry, forgot to actually push my latest changes yesterday... All pushed now

[mosabua]

A few nits .. then ready to go ... ping me after last push and I can merge

[mosabua]

Suggested change

	data in multiple GCP projects, you need to create several catalogs, each
	data in multiple GCP projects, you must create several catalogs, each

[mosabua]

Suggested change

	The BigQuery connector can only access a single GCP project. Thus, if you have
	The BigQuery connector can only access a single GCP project. If you have

[mosabua]

Fix wrapping in this paragraph to 80 char .. currently its weird

[mosabua]

Suggested change

	the project to query and the project to be billed for BigQuery operations.
	the project to query and the project to bill for BigQuery operations.

[findinpath]

@mosabua pls go ahead and change the wording yourself - seems straightforward.

[mosabua]

@mosabua pls go ahead and change the wording yourself - seems straightforward.

I don't have time for that until Friday