Hi,
I'm trying to create a remote connection for my external function in BigQuery.
Following the documentation I see this step to create the remote connection:
bq mk --connection --location=REGION --project_id=PROJECT_ID \
--connection_type=CLOUD_RESOURCE CONNECTION_ID
By default BigQuery creates a service account for me; is it possible to edit it?
When setting up a remote connection in BigQuery, the system automatically creates a default service account. However, it is possible to modify this service account's permissions to suit your needs.
To locate the service account, navigate to the IAM & Admin section in the Google Cloud Console after creating the remote connection. The service account associated with your remote connection typically follows a naming convention like bq-[PROJECT_NUMBER]@bigquery-encryption.iam.gserviceaccount.com. Once found, you can adjust its permissions by clicking on the service account name to view its details and then accessing the "Permissions" tab. Here, you can add or remove roles as necessary to ensure the service account has the precise level of access required for your external function. It is important to be cautious during this process to avoid inadvertently revoking permissions critical for the connection's operation.
In some cases, your external function might require authentication with a remote service. If so, you may need to manage keys for this service account, which can be done in the "Keys" tab of the service account details.
A key consideration when managing service account permissions is to follow the principle of least privilege. This principle involves granting the service account only the minimum permissions necessary, thereby enhancing security by protecting your data and resources. If you have specific security requirements or prefer more granular control, you can create a custom service account in IAM & Admin. This custom account can be associated with your remote connection during the initial setup by using the --service_account_email flag.
For detailed instructions and best practices, refer to the official BigQuery documentation on Creating and Managing Service Accounts and Remote Functions in BigQuery.
If you wish to use a custom service account during the creation of the remote connection, you can do so by specifying the service account email in the bq mk command. For instance:
bq mk --connection --location=REGION --project_id=PROJECT_ID \
--connection_type=CLOUD_RESOURCE CONNECTION_ID \
--service_account_email=YOUR_CUSTOM_SERVICE_ACCOUNT_EMAIL
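As an added illustration of the least-privilege point above (this is not code from the original post or from Google's tooling), the script below takes the JSON that `bq show --connection --format=json PROJECT_ID.REGION.CONNECTION_ID` prints, reads the connection's delegated service account from `cloudResource.serviceAccountId`, and then audits a project IAM policy (the shape `gcloud projects get-iam-policy PROJECT_ID --format=json` returns) for any role on that account beyond the function-invoker roles a remote function actually needs. Both JSON documents and the service-account address are constructed samples, not real values; the allowed-role set and the `example-project` name are assumptions you would adapt to your own setup.

```python
import json
from typing import List

# Constructed sample of `bq show --connection --format=json` output, trimmed to
# the fields this example uses. The service account is a placeholder address.
SHOW_CONNECTION_JSON = """
{
  "name": "projects/123456789012/locations/us/connections/my-remote-fn",
  "cloudResource": {
    "serviceAccountId": "bq-connection-sa@example-placeholder.iam.gserviceaccount.com"
  }
}
"""

# Constructed sample of a project IAM policy, deliberately carrying one
# over-broad grant (roles/editor) for the connection's service account.
PROJECT_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:bq-connection-sa@example-placeholder.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:bq-connection-sa@example-placeholder.iam.gserviceaccount.com"]}
  ]
}
"""

# Assumption: a remote-function connection account only needs to invoke the
# backing Cloud Function (gen1) or Cloud Run service (gen2); nothing broader.
ALLOWED_ROLES = {"roles/run.invoker", "roles/cloudfunctions.invoker"}


def connection_service_account(show_output: str) -> str:
    """Return the delegated service account from `bq show --connection` JSON."""
    data = json.loads(show_output)
    return data["cloudResource"]["serviceAccountId"]


def roles_for_member(policy_output: str, service_account: str) -> List[str]:
    """List every role bound to the given service account in an IAM policy."""
    member = f"serviceAccount:{service_account}"
    policy = json.loads(policy_output)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def excessive_roles(policy_output: str, service_account: str) -> List[str]:
    """Roles on the account that exceed what a remote function needs."""
    return [r for r in roles_for_member(policy_output, service_account)
            if r not in ALLOWED_ROLES]


def remediation_commands(project_id: str, service_account: str,
                         roles: List[str]) -> List[str]:
    """gcloud commands that drop the flagged project-level bindings."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member=serviceAccount:{service_account} --role={role}"
        for role in roles
    ]


def scoped_grant_command(function_name: str, region: str,
                         service_account: str) -> str:
    """Grant invoke rights on one function only, instead of project-wide."""
    return (f"gcloud functions add-iam-policy-binding {function_name} "
            f"--region={region} --member=serviceAccount:{service_account} "
            f"--role=roles/cloudfunctions.invoker")


if __name__ == "__main__":
    sa = connection_service_account(SHOW_CONNECTION_JSON)
    print("connection service account:", sa)
    for cmd in remediation_commands("example-project", sa,
                                    excessive_roles(PROJECT_POLICY_JSON, sa)):
        print("remove:", cmd)
    print("grant:  ", scoped_grant_command("my-remote-fn", "us-central1", sa))
```

Run it against real output by piping the two `bq show` and `gcloud projects get-iam-policy` JSON documents into the constants; the point of the scoped grant is that the connection's account is bound on the individual function rather than at project level, so revoking or rotating it later touches nothing else.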
Hi @ms4446,
It seems that there is no --service_account_email in the mk command. Checking the documentation with
bq help mk
I don't see any command that can help me.
Hi @ms4446,
Can you help with this? I am restricted to only using a single service account for a POC, and this is blocking my work. The docs also don't seem to have a solution to this.