google-cloud-platformgoogle-bigquerygoogle-iam

I don't want to generation service accounts for external users I want to share bigquery datasets with- what are the repercussions of this?

I gave a user's Google account access to one of my datasets. They are using this Python script:

def query_stackoverflow():
    client = bigquery.Client()
    query_job = client.query(
        """
        SELECT *
        FROM `myproject.mydata.mytable`
        ORDER BY someColumn DESC
        LIMIT 10"""
    )

    results = query_job.result()

It works but they are seeing this warning:

UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK without a quota project. You might receive a "quota exceeded" or "API not enabled" error. We recommend you rerun gcloud auth application-default login and make sure a quota project is added. Or you can use service accounts instead. For more information about service accounts, see https://cloud.google.com/docs/authentication/
warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)

I read through some docs but I don't understand what this means. Does this mean I should put a quota on my project? I know this person and trust them, but does this mean they could use up all of my bq quota with their queries? It also seems like this could be "solved" by using a service account so is this quota a hard limit on non-service account access I can't change?

Giving the user's Google account access is more convenient and secure then creating a service account and generating keys for them.

Solution

  • A quota project is used by client libraries, etc. for billing purposes. You can set the quota project using the CLI:

    Example command:

    gcloud auth application-default set-quota-project my-quota-project

    gcloud auth application-default set-quota-project

    Review BigQuery quotas and limits and implement them. This will improve security and minimize financial risks.

    BigQuery Quotas and Limits

    There are three primary methods of authorization in Google Cloud. User Credentials created by Google Accounts (Gmail, G Suite, etc.), Service Accounts, and API Keys.

    The warning you are receiving is due to Google preferring that applications use Service Accounts for authorization instead of User Credentials. You can disable this warning in your code but I do not recommend that. Instead, create a quota project, create a service account, and lock down the service account to only provide the roles the user requires.

    In your question you do not describe how you are using User Credentials to obtain the OAuth Access Token requires to grant API access. If you are passing around tokens, that is not very secure. Service Accounts can be deleted, Service Account Keys can be rotated, etc. providing a better level of security. If you understand Google Cloud, I wrote an article on how to use impersonation. You could use this method to continue using User Credentials to impersonate a Service Account without handing out keys.

    Google Cloud – Improving Security with Impersonation

    PowerShell – Impersonate Google Service Account

    User Account credentials have much lower API calling quotas then Service Accounts. This can cause software to fail that use User Account generated Access Tokens.