Getting started with Looker

Best Practices

Documentation

Community

Training

Certification

Articles in this section

See more

How do BigQuery OAuth connections work with GCP IAM? (Community)

Avatar
Looker Support
Follow

View the original community article here

Last tested: Jun 26, 2020
 

BigQuery customers have the option of using OAuth for BigQuery connections. (The other option is service accounts). These connections are "directly integrated" with GCP Identity and Access Management (IAM). This provides user-level authentication (OAuth) and authorization (IAM). Every query is run as if that user was running the same SQL when directly logged in to the BQ console.

Key features and constraints of OAuth + IAM

  1. Using OAuth as the authentication mechanism ensures that IAM permissions are enforced per user.
  2. Every query is run as if that user was running the same SQL after they logged in to the BQ console.
  3. Examples of per-user security controls include:
    1. Only having access to the correct datasets
    2. Only having access to the correct authorized views
      1. Applying row level controls implemented using authorized views
  4. Per-user caches are available
  5. Per-user BQ resource limits are available
  6. PDTs and shared caches are disabled under per-user authentication

 

This content is subject to limited support.