Title.
Having trouble finding what will give me access to see the bytes billed on row level security tables that isn't just straight granting me owner and editor. I was given both BigQuery Admin and Logging Admin which also still did not show me the required number.
To view the bytes billed for queries against tables with row-level security in Google Cloud BigQuery, you need specific permissions that allow access to both the data in the tables and the metadata of the queries, including bytes billed. Here's a breakdown of the required permissions and roles:
BigQuery Data Viewer Role: This role allows users to view data in BigQuery tables. However, it does not include permissions to view job details such as bytes billed for queries.
Custom Role with Specific Permissions:
bigquery.jobs.get permission, which allows users to view their own job's metadata, including bytes billed.
bigquery.resourceUsage.read permission in the custom role. This permission is essential for accessing job metadata.
Billing Viewer Role: To view the billing data for the project in which the BigQuery tables reside, users need the billing.viewer role. This role grants access to the project's billing information, which is crucial for understanding the overall cost implications of the queries.
Here's a summary table of the required permissions and roles:
Role/Permission | Description |
---|---|
BigQuery Data Viewer Role | Allows users to view data in BigQuery tables, but not bytes billed for queries. |
Custom Role (with bigquery.jobs.get and bigquery.resourceUsage.read) | Enables users to view job details, including bytes billed for queries. |
Billing Viewer Role | Grants access to view billing data for the project. |
Note on Admin Roles: If you have been assigned both the BigQuery Admin and Logging Admin roles but are still unable to see the bytes billed for queries, it's possible that your access is being restricted by another IAM policy. In this case, using the IAM Policy Troubleshooter tool can help identify any conflicting policies or additional permissions that may be required.
Heya, thanks for this answer! Gonna give it a shot and will get back to you.
Another question, I don't see the bigquery.resourceUsage.read permission on the documentation listed here https://cloud.google.com/bigquery/docs/access-control nor do I see it under the Admin role in the Roles page on GCP. Is this just something that's hidden or?
Sorry, let me clarify. The bigquery.resourceUsage.read permission is a custom IAM permission, which means that it is not defined by Google Cloud and must be created explicitly. To create a custom IAM permission, you can use the IAM Console or the iam.permissions.create method in the Cloud IAM API.
To create the bigquery.resourceUsage.read permission using the IAM Console, follow these steps:
Navigate to the IAM Console in the Google Cloud Platform Console.
Select the project for which you want to create the custom permission.
In the left-hand menu, expand the IAM section and select Permissions.
Click the Create Permission button.
In the Permission Title field, enter bigquery.resourceUsage.read.
In the Description field, enter a description for the permission, such as "Allows viewing BigQuery resource usage data".
In the API Calls section, click the Add API Call button.
In the Service field, select bigquery.googleapis.com.
In the Method field, select resourceUsage.read.
Click Save.
Once you have created the custom permission, you can grant it to a user or group of users. To grant the permission using the IAM Console, follow these steps:
In the IAM Console, select the user or group to which you want to grant the permission.
Click the Add a role button.
In the Role field, select BigQuery User.
In the Permissions field, select bigquery.resourceUsage.read.
Click Save.
Once the permission has been granted, the user or group will be able to view usage data for the project, including the bytes billed for queries against tables with row-level security.
Hello again!
Seems that we don't even see this "Create Permission" button, can you provide a screenshot of what it actually looks like?
Open the Google Cloud Console: Log in to your Google Cloud account and go to the Google Cloud Console.
Navigate to IAM & Admin: On the main dashboard, look for the "IAM & Admin" section. This is usually accessible from the navigation menu on the top left side of the console.
Go to Roles: Inside the IAM & Admin section, find and click on "Roles". This page lists all the predefined and custom roles in your project.
Create Role: Instead of creating a permission directly, in Google Cloud, you typically create a custom role. On the Roles page, there should be a "Create Role" button. Click this to start the process of creating a new role.
Define Permissions for the Role: In the role creation process, you can specify the permissions that the role should have. This is where you define what the role can and cannot do.
Save and Assign the Role: Once you have defined the permissions, give the role a name and description, then save it. After the role is created, you can assign it to users, groups, or service accounts as needed.
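The custom-role steps above can also be scripted with gcloud. The following is an added example, not part of the original thread: it checks each requested permission against the project's testable-permissions list before writing the role file, so a name the project does not offer is reported instead of breaking role creation. The project, role id, member and file paths are placeholders, and the testable list inside `demo` is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Project, role id, member and paths are
# placeholders; the testable list inside demo() is constructed sample data.

# Permissions the project accepts in custom roles (needs gcloud and network).
list_testable() {  # $1 = project id
  gcloud iam list-testable-permissions \
    "//cloudresourcemanager.googleapis.com/projects/$1" \
    --format='value(name,customRolesSupportLevel)' |
    awk -F'\t' '$2 != "NOT_SUPPORTED" { print $1 }'
}

# Write a role definition holding only the requested permissions found in the
# testable list; report the others on stderr. Fails if none are left.
# $1 = testable list file, $2 = output YAML, remaining args = permissions
write_role_file() {
  wr_list=$1; wr_out=$2; shift 2
  wr_kept=0
  {
    echo 'title: BigQuery job metadata viewer'
    echo 'stage: GA'
    echo 'includedPermissions:'
    for wr_p in "$@"; do
      if grep -qxF -- "$wr_p" "$wr_list"; then
        echo "- $wr_p"; wr_kept=$((wr_kept + 1))
      else
        echo "not available for custom roles here: $wr_p" >&2
      fi
    done
  } > "$wr_out"
  [ "$wr_kept" -gt 0 ]
}

# Create the role from the file, then bind it to a single member.
create_and_grant() {  # $1 = project, $2 = role id, $3 = member, $4 = YAML file
  gcloud iam roles create "$2" --project="$1" --file="$4" &&
    gcloud projects add-iam-policy-binding "$1" \
      --member="$3" --role="projects/$1/roles/$2"
}

# Offline demo. Real use: list_testable PROJECT > testable.txt
demo() {
  d=$(mktemp -d)
  printf '%s\n' bigquery.jobs.get bigquery.jobs.list > "$d/testable.txt"
  write_role_file "$d/testable.txt" "$d/role.yaml" \
    bigquery.jobs.get bigquery.resourceUsage.read 2> "$d/skipped.txt"
  cat "$d/role.yaml" "$d/skipped.txt"
  rm -rf "$d"
}
```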
Hi there! I also cannot add this permission bigquery.resourceUsage.read to a custom role. Could you advise how it can be created via gcloud / API call / any alternative way?
Hi @ms4446, thanks for all the above answers.
Is it possible to calculate the BQ execution cost with the help of totalslotsms where we don't get the TotalBytesProcessed (RLS enabled)? Can you please help us understand how we can calculate the cost?