Can I check something with you on this? I have been using a separate `quota_project`. from the `execution_project` during testing it has been found that the `QueryUsagePerDay` is against the `execution_project` rather than the `quota_project` that has been set. Having spoken to a few others I think this is actually expected behaviour.

My question becomes, are there docs for which quota values can be overridden with the `quota_project` and which will always default to the `execution_project`? I can't seem to find anything on the GCP docs site.

Thanks,

Jack

In BigQuery, the distinction between API request quotas and resource usage quotas is essential for understanding how quotas are applied and billed. The behavior you're experiencing, where the QueryUsagePerDay quota is counted against the execution project instead of the specified quota project, is expected and stems from BigQuery's architecture.

A quota project allows you to attribute API requests and billing to a specific project, separate from the project where resources (such as data and queries) are executed. When you set a quotaProjectId in your BigQuery client, API request quotas are counted against that quota project, separating management of API limits and costs from the execution project.

• API Request Quotas: These quotas, such as the number of API calls, can be redirected to the quota project, allowing you to manage and bill for these separately.

• Resource Usage Quotas: These quotas, including data processing volumes, query job limits, and storage, are always attributed to the execution project because they pertain to the resources owned and operated by that project.

Resource usage quotas are tied to the execution project to ensure that the project consuming the resources is responsible for monitoring and managing its usage. Even if a quota project is specified, BigQuery applies resource usage quotas to the execution project, maintaining governance and accountability over the resources.

• Attributed to Quota Project: API request quotas and associated billing costs for API usage.

• Attributed to Execution Project: Resource usage quotas (e.g., data processing, query jobs) and related costs.

For jobs run with both an execution project and a quota project, only API request quotas are directed to the quota project, while resource usage quotas remain tied to the execution project. To avoid quota limits, it’s important to monitor your execution project’s usage and request quota increases if necessary.

The distinction between API and resource usage quotas is crucial for managing quotas and billing in BigQuery. While the quota project allows for managing API-related costs, resource usage quotas are enforced on the execution project, ensuring proper management of resource consumption.

Thanks you @ms4446 for your reply. Apologies for not getting back to you sooner I was on holiday last week.

Thank you for the overview, this all makes sense to me. Just one other question, is there any documentation online that shows which quotas are which type? This BQ quota page doesn't seem to differentiate unless I am misunderstanding something https://cloud.google.com/bigquery/quotas

The behavior you've observed in your testing, where query jobs do not fail even when a non-existing quotaProjectId is used or when the service account lacks the necessary permissions on the quotaProjectId, is consistent with Google Cloud's design to ensure that operations do not fail due to billing or quota project misconfigurations. Here's a detailed look at the scenarios you mentioned:

1. Dummy Non-Existing quotaProjectId is Used

When you specify a non-existing quotaProjectId, Google Cloud services, including BigQuery, do not validate the existence of the quota project at the time of client creation or even at the time of query execution. The primary goal is to execute the requested operation (e.g., a BigQuery job) without interruption. This design choice helps in avoiding operational failures due to misconfigurations in billing or quota settings.

2. Service Account Lacks Necessary Permissions on the quotaProjectId

Similarly, if the service account used to create the client does not have the "Service Usage Consumer" role (or any permissions) on the quotaProjectId, the operation will still proceed. Google Cloud prioritizes the continuity of service operations, and as such, it does not block or fail BigQuery jobs due to these specific permission issues related to the quota project.

Fallback Behavior and Verification

In both scenarios, Google Cloud does not explicitly "fallback" to using the projectId for quota and billing purposes in a manner that is visible or verifiable through an API or client library response. Instead, it appears to proceed with the operation, potentially resulting in unexpected billing behavior or quota limit issues later on. In certain situations, the resource project might end up being billed if the quota project configuration isn't fully effective.

Verification and Best Practices

Since the operations do not fail and there is no direct error message or fallback mechanism, verifying whether the quotaProjectId is correctly used becomes challenging. Here are a few indirect methods for verification:

• Billing Reports: Monitoring the billing reports for both the resource project and the supposed quota project can give you insights. If the quota project is not being billed as expected (and you've confirmed that operations that should incur costs have been performed), it's likely that the quota project configuration is not being applied as intended.

• Project Quotas: Similarly, checking the quota usage in both projects can offer clues. However, this method is less direct and might not be conclusive, especially for services with high quota limits or low usage.

The lack of direct feedback or error messages in these scenarios is by design, to ensure operational continuity. However, this design choice emphasizes the importance of correctly configuring the quota project, ensuring that all necessary permissions are in place, and regularly monitoring your usage and billing. Misconfigurations, while not immediately disruptive, can lead to unexpected costs or issues when quota limits are reached.

When you set a quota project in Google Cloud services like BigQuery, it's primarily for billing and quota purposes. This means that while the quota and potentially the billing for the operations you perform with BigQuery will be attributed to the quota project, the operations themselves (like running queries, creating tables, etc.) are still executed in the context of the resource project. This is why you're seeing audit logs in the resource project and not the quota project.

• Audit Logs: Audit logs are generated for operations performed within a project. This includes API calls and service usage that occur within the context of that project. Since your BigQuery datasets, tables, and jobs are located within your resource project, the audit logs for these operations will appear in the resource project.

• Quota Project: Setting a quota project affects where the quota usage is accounted for and where the associated costs are billed. It does not change the context in which the operations are performed. Therefore, it doesn't affect where the audit logs are generated.

Given your current setup, where you've assigned the Service Usage Consumer role to the service account on the quota project, you've done the correct configuration for quota and billing purposes. There's no additional configuration needed specifically for the quota project to affect where audit logs are generated.

If your goal is to have logs or some form of tracking within the quota project for operations performed in BigQuery, consider these approaches:

• Custom Logging: Implement custom logging within your application to capture significant events or operations. These custom logs can then be sent to Cloud Logging under the quota project. This approach requires manual implementation and management.

• Export Audit Logs: You can set up a Sink in Cloud Logging to export audit logs from the resource project to a desired destination, such as a bucket, pub/sub, or another log in the quota project. This allows you to aggregate logs from multiple projects in a single place for analysis or record-keeping.

The behavior you're observing is expected due to the nature of how quota projects are used in Google Cloud. Audit logs reflect operations in their respective projects, while the quota project setting redirects billing and quota consumption. For centralized logging or analysis purposes, consider using Cloud Logging's export features or implementing custom logging solutions.