
Use Dataplex to scan BigQuery asset in different org

Can Dataplex read/scan assets in a different GCP Org? Specifically BQ datasets in Org B if I've configured my lake from Org A? I would reason that I could, after all, I can create an asset to an AWS S3 source. But when I try to (interactively) create such an Asset I receive 'The project of the referenced resource 'xyz' is not in the same organization as the asset.'

1 ACCEPTED SOLUTION

In Dataplex, you cannot directly scan or manage BigQuery assets located in a different GCP organization. Dataplex enforces organizational boundaries for security and isolation, which means it does not support direct access to BigQuery datasets across different organizations. This is why you encountered the error stating that the referenced resource is not in the same organization as the asset.

Google Cloud enforces strict boundaries between organizations to maintain security and isolation of resources. This restricts Dataplex from directly accessing BigQuery datasets in another organization. Dataplex relies on IAM for access control. Permissions granted to Dataplex service accounts are scoped within the organization where the account was created. Dataplex cannot authenticate or authorize access to BigQuery datasets in another organization using its service account.

Alternative Solutions

1. Use BigQuery Views:

  • Create a View in Org A: You can create a BigQuery view in Org A that references the dataset in Org B. This view acts as a proxy to the dataset in Org B.
  • Grant Permissions: Ensure that the Dataplex service account in Org A has the necessary permissions (BigQuery Data Viewer) on the dataset in Org B to access the view.
  • Add the View to Dataplex: Add this view as an asset in Dataplex in Org A, allowing Dataplex to scan and manage it.

2. Use BigQuery Data Transfer Service:

  • Set Up Data Transfer: Use the BigQuery Data Transfer Service to regularly copy data from Org B’s dataset to a dataset in Org A.
  • Add the Transferred Dataset to Dataplex: Manage this dataset in Dataplex as a local asset within Org A.

3. Data Replication via ETL Tools:

  • Replicate Data: Use ETL tools like Dataflow to replicate data from BigQuery in Org B to BigQuery in Org A.
  • Manage in Org A: Once replicated, add the dataset to Dataplex in Org A.

  • Views in Org A act as a representation of data from Org B, allowing Dataplex to interact with the view without direct access to Org B’s dataset.
  • These methods bring the data into Org A, eliminating cross-organization access restrictions.

If you need to scan a dataset orgb_project.sales_data in Org B using Dataplex in Org A:

  1. Create a View in Org A:
     
    CREATE OR REPLACE VIEW `orga_project.sales_view.sales_data` AS
    SELECT * FROM `orgb_project.sales_data.table_name`;
  2. Grant Permissions in Org B: Grant BigQuery Data Viewer to the Dataplex service account from Org A on the dataset in Org B.
  3. Add the View in Dataplex: Add orga_project.sales_view.sales_data as an asset in Dataplex in Org A.

While Dataplex cannot directly access BigQuery assets in a different organization, you can use views or data transfer methods to work around this limitation by effectively bringing the data into the same organization as your Dataplex setup.
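
Steps 1 and 2 of the accepted answer written out as BigQuery statements, with a query to audit the cross-organization grant afterwards and a statement to withdraw it. This is an added example, not part of the original post; `ORG_A_PROJECT_NUMBER`, the `region-us` location and the column names are assumptions.

```sql
-- Added example. Placeholders and assumptions: ORG_A_PROJECT_NUMBER, the
-- region-us location, and the columns order_id / order_date / amount.

-- Step 2 (run in Org B): give the Dataplex service agent of the Org A project
-- read-only access to the source dataset. Dataplex service agents are named
-- service-<PROJECT_NUMBER>@gcp-sa-dataplex.iam.gserviceaccount.com.
GRANT `roles/bigquery.dataViewer`
ON SCHEMA `orgb_project.sales_data`
TO "serviceAccount:service-ORG_A_PROJECT_NUMBER@gcp-sa-dataplex.iam.gserviceaccount.com";

-- Step 1 (run in Org A): list the columns to expose instead of SELECT *, so
-- columns added later in Org B are not shared through the view implicitly.
CREATE OR REPLACE VIEW `orga_project.sales_view.sales_data` AS
SELECT order_id, order_date, amount
FROM `orgb_project.sales_data.table_name`;

-- Audit (run in Org B): list every principal holding a role granted directly
-- on the dataset. The Org A service agent should appear with dataViewer only.
SELECT grantee, privilege_type
FROM `orgb_project`.`region-us`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
WHERE object_name = 'sales_data'
ORDER BY grantee;

-- Rollback (run in Org B) once the cross-organization scan is no longer needed.
REVOKE `roles/bigquery.dataViewer`
ON SCHEMA `orgb_project.sales_data`
FROM "serviceAccount:service-ORG_A_PROJECT_NUMBER@gcp-sa-dataplex.iam.gserviceaccount.com";
```

Organization policies in Org B, such as domain restricted sharing (`constraints/iam.allowedPolicyMemberDomains`), can block granting roles to principals from another organization, so check them before running the grant. The audit query shows only roles set directly on the dataset, not roles inherited from the project or organization.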
