Google cloud platform 通过terraform授予对特定BQ表的访问权限
我想授予Google cloud platform 通过terraform授予对特定BQ表的访问权限,google-cloud-platform,terraform,terraform-provider-gcp,Google Cloud Platform,Terraform,Terraform Provider Gcp,我想授予READER访问3封群邮件的权限 variable my_external_users { type = map(any) default = { group_1 = { group_by_email = "email_1@group.com" role = "READER" } group_2 = { group_by_email = "email_
READER
访问3封群邮件的权限
variable my_external_users {
type = map(any)
default = {
group_1 = {
group_by_email = "email_1@group.com"
role = "READER"
}
group_2 = {
group_by_email = "email_2@group.com"
role = "READER"
}
group_3 = {
group_by_email = "email_3@group.com"
role = "READER"
}
}
}
resource "google_bigquery_dataset" "my_dataset" {
dataset_id = "MY_DATASET"
location = var.region
project = var.project
dynamic access {
for_each = var.my_external_users
content {
role = access.value.role
group_by_email = access.value.group_by_email
}
}
}
我相信这样做会将整个数据集授予用户。我只想授予对名为my_table
的特定表的访问权限。然而,我无法实现它。我不确定在哪里指定表id。有3个允许您在表级别控制IAM:
google\u bigquery\u table\u iam\u策略
google\u bigquery\u table\u iam\u binding
google\u bigquery\u table\u iam\u成员
阅读器
角色(google\u bigquery\u table\u iam\u binding
)上选择权威的:
嗨,我想这就是我想要的答案。你能详细说明它是什么意思吗?我在
绑定
或成员
之间左右为难,需要使用授权替换所有IAM,而非授权允许拥有其他IAM权限,例如通过控制台设置。您可以查看此问题以了解更多信息:。如果您确定只有您的3个组将成为表上的data viewer,那么您可以进行绑定
。否则,如果您有其他属于data viewer但未使用Terraform设置的组、用户或服务帐户,请选择member
。
resource "google_bigquery_table_iam_binding" "binding" {
project = "my-project"
dataset_id = "MY_DATASET"
table_id = "my_table"
role = "roles/bigquery.dataViewer" # maps to READER role
members = [
"group:email_1@group.com",
"group:email_2@group.com",
"group:email_3@group.com",
]
}