Tags: google-cloud-platform, view, google-bigquery, google-cloud-storage

GCP authorized view on BQ external table still requires bucket access


I have data in a GCS bucket and an external BQ table created in dataset A to query this data.

I would like to provide access to a user, Alice, to just a small part of the data, not the whole. I want to use an authorized view for that.

I created a view with limiting conditions in a new dataset B, and authorized this view for dataset A. I verified that I can see in the Console the created view is authorized for dataset A. Then, I provided read access to dataset B for Alice.

When I asked Alice to query the view, she got a permission error:

Access Denied: BigQuery: Permission denied while globbing file pattern. Alice does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). Please make sure gs://bucket-path/*.parquet.gz is accessible via appropriate IAM roles, e.g., Storage Object Viewer or Storage Object Creator.

Are my expectations wrong?

Why does Alice need access to the whole underlying bucket when the whole point of authorized views is to be able to provide just limited access to the data?


Solution

  • I checked with Google Support and as of now (2023-10), authorized views do not work with BigQuery external tables on GCS buckets.

    The recommended approach would be to use BigLake external tables, which should work with authorized views.
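The setup from the question rebuilt on a BigLake table, as an added example that is not part of the question or the answer above. The names used here (project `my-project`, datasets `dataset_a` and `dataset_b`, connection `my-gcs-conn` in location `US`, table `events`, view `events_emea`, column `region`) are assumptions; the bucket path is the one from the error message. The security-relevant difference is that a BigLake table reads the bucket through the connection's own service account, so the caller of an authorized view needs BigQuery permissions only and never holds `storage.objects.*` on the bucket.

```sql
-- Added example, not from the original post. Assumed names: my-project,
-- dataset_a, dataset_b, my-gcs-conn (location US), events, events_emea, region.
--
-- Prerequisite, done outside SQL:
--   bq mk --connection --connection_type=CLOUD_RESOURCE --location=US \
--       --project_id=my-project my-gcs-conn
--   bq show --connection my-project.US.my-gcs-conn   # prints the service account
-- Grant that service account roles/storage.objectViewer on gs://bucket-path.
-- Alice herself gets no permission on the bucket at all.

-- Dataset A: BigLake external table. GCS reads are performed by the
-- connection's service account, not by the identity running the query.
CREATE OR REPLACE EXTERNAL TABLE `my-project.dataset_a.events`
WITH CONNECTION `my-project.US.my-gcs-conn`
OPTIONS (
  format = 'PARQUET',
  uris = ['gs://bucket-path/*.parquet.gz']
);

-- Dataset B: the view that exposes only the rows Alice is allowed to see.
-- Keep the column list explicit so a later schema change in the Parquet
-- files cannot silently widen what the view returns.
CREATE OR REPLACE VIEW `my-project.dataset_b.events_emea` AS
SELECT event_id, event_ts, region, payload
FROM `my-project.dataset_a.events`
WHERE region = 'EMEA';

-- Check, run as Alice after the view has been authorized for dataset_a and
-- Alice has been granted read access to dataset_b: this query succeeds...
SELECT COUNT(*) AS visible_rows
FROM `my-project.dataset_b.events_emea`;

-- ...while querying the base table directly is denied, because Alice has
-- no access to dataset_a and no access to the bucket behind it.
SELECT COUNT(*)
FROM `my-project.dataset_a.events`;
```

Authorizing the view is not a SQL statement; it is an entry in dataset A's access list. Dump the current list with `bq show --format=prettyjson my-project:dataset_a`, add an entry of the form `{"view": {"projectId": "my-project", "datasetId": "dataset_b", "tableId": "events_emea"}}` to the `access` array, and write it back with `bq update --source <file> my-project:dataset_a`. That command replaces the whole access list, so always start from the dumped file rather than a fresh one, or existing grants on dataset A are dropped. Alice then needs BigQuery Data Viewer on dataset B and BigQuery Job User on some project to run the query; nothing on dataset A or on the bucket.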