Open moseleyi opened 3 weeks ago
Hello @moseleyi, thank you for opening up this issue! I'm curious to ask you why you would want to use only one service account to auth into BQ? This does not align with our best practices especially for security.
Authentication would still be using ADC but the permissions are done via Service Account. This is because GCP allows you to use user accounts for authentication and service accounts for permissions - it's called service account impersonation. It's a bridge between having multiple user accounts or one service account. The first one can become clunky if you have to set permissions for each user, the second, meaning one service account, is not compliant with financial regulators.
I want to add labels that would show in GCP logs the user name of whoever is running the queries. Unfortunately with ADC + Impersonation, it's the service account email that shows up in logs.
https://cloud.google.com/docs/authentication/use-service-account-impersonation
Thank you for that explanation! That was very helpful. I will take this into consideration but will not be able to prioritize this for now.
Is this your first time submitting a feature request?
Describe the feature
I would like to use one Service Account connection to BigQuery. The problem with this however is that the logs would not show which person actually runs dbt. dbt already adds dbt_invocation_id to all queries as labels and I would like to be able to configure a label in profiles.yml, that is also added to all queries. I found this code when labels are added. Imagine we add a labels property in profiles:
Then in Log Explorer in GCP I can differentiate between people if this were added to the labels. I wouldn't have to use ADC or other short-lived credentials, or create a separate service account for each user.
Describe alternatives you've considered
Creating a fork of the bigquery connector and adding it by myself.
Who will this benefit?
Anybody using bigquery with service account connection that would like to still have user-level details in the logs or add any other labels to all queries
Are you interested in contributing this feature?
Yes
Anything else?
No response
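As an added example (not code from dbt, the BigQuery adapter or this issue), this sketch shows the audit side of the request: grouping BigQuery query jobs by a per-user label when every job carries the same service account as principal. The label key `dbt_user`, the service account address and the log entries are constructed, and the entries are trimmed to the two fields the code reads (`authenticationInfo.principalEmail` and `metadata.jobInsertion.job.jobConfig.labels`).

```python
import re
from collections import Counter

USER_LABEL = "dbt_user"  # hypothetical label key; neither dbt nor the issue defines it
SA = "dbt-runner@example-project.iam.gserviceaccount.com"  # constructed


def to_label_value(identity):
    """Turn a user name or email into a valid BigQuery label value:
    lowercase letters, digits, '_' and '-' only, at most 63 characters."""
    return re.sub(r"[^a-z0-9_-]", "_", identity.lower())[:63]


def _entry(labels):
    """Constructed audit log entry, trimmed to the fields read below."""
    return {"protoPayload": {
        "authenticationInfo": {"principalEmail": SA},
        "metadata": {"jobInsertion": {"job": {"jobConfig": {"labels": labels}}}},
    }}


SAMPLE_ENTRIES = [
    _entry({"dbt_invocation_id": "inv-1", USER_LABEL: to_label_value("Jane.Doe@example.com")}),
    _entry({"dbt_invocation_id": "inv-2", USER_LABEL: to_label_value("sam.lee@example.com")}),
    _entry({"dbt_invocation_id": "inv-3", USER_LABEL: to_label_value("jane.doe@example.com")}),
    _entry({"dbt_invocation_id": "inv-4"}),  # profile without the user label
]


def attribute(entry):
    """Return (user_label_or_None, principal_email) for one query job entry."""
    payload = entry.get("protoPayload", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    job = payload.get("metadata", {}).get("jobInsertion", {}).get("job", {})
    labels = job.get("jobConfig", {}).get("labels") or {}
    return labels.get(USER_LABEL) or None, principal


def summarize(entries):
    """Count jobs per user label; collect the principals of unlabelled jobs."""
    per_user, unattributed = Counter(), []
    for entry in entries:
        user, principal = attribute(entry)
        if user:
            per_user[user] += 1
        else:
            unattributed.append(principal)
    return per_user, unattributed


if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES))
```

A label is set by the client, so it records what the dbt profile claims rather than an authenticated identity. Jobs that arrive without the label are worth alerting on, since they can only be traced to the shared service account.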