hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

BigqueryTableIamMember doesn't support IAM conditions #18645

Closed kvudata closed 3 weeks ago

kvudata commented 2 months ago

Terraform Version & Provider Version(s)

Terraform v1.6.3 on linux_amd64

Affected Resource(s)

google_bigquery_table_iam_member

Terraform Configuration

(slightly modified)

resource "google_bigquery_table_iam_member" "member" {
  project    = google_bigquery_table.test.project
  dataset_id = google_bigquery_table.test.dataset_id
  table_id   = google_bigquery_table.test.table_id
  role       = "roles/bigquery.dataEditor"
  member     = "user:jane@example.com"

  condition {
    title       = "expires_on_7_15"
    description = "Limit to business hours and expire on 7-15"
    expression  = "request.time < timestamp(\"2024-07-15T00:00:00-05:00\") && request.time.getHours('-05:00') >= 8 && request.time.getHours('-05:00') < 20 && request.time.getDayOfWeek('-05:00') >= 1 && request.time.getDayOfWeek('-05:00') <= 5"
  }
}

Debug Output

No response

Expected Behavior

The resource should've been created successfully

Actual Behavior

Fails with an error

Error: Error applying IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": Error setting IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": googleapi: Error 400: IAM setPolicy failed for Table redacted:test.test: Can't set conditional policy on this resource

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

Per https://cloud.google.com/iam/docs/resource-types-with-conditional-roles, it looks like BigQuery tables do not support conditions so it seems like a bug for the provider to provide that in the API.

b/351528828

ggtisc commented 2 months ago

Confirmed issue!

When trying to create the resource google_bigquery_table_iam_member with the shared code or even with the terraform registry example it returns the following message:

Error: Error applying IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": Error setting IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": googleapi: Error 400: IAM setPolicy failed for Table redacted:test.test: Can't set conditional policy on this resource

wj-chen commented 2 months ago

Confirmed as well. Thanks for reporting the issue, I will forward the internal version of this issue to the Table/IAM API team.

wj-chen commented 1 month ago

@kvudata and others impacted - I received the following guidance from the BigQuery Security and Governance team:

IAM Conditions are only supported at the project, folder, and organization level.

Please see https://cloud.google.com/bigquery/docs/conditions.

Could you try setting the condition on e.g. google_project_iam_member and setting resource.name and resource.type in expression (see examples) to scope the grant to a specific Table?

In terms of documentation, I double checked that https://cloud.google.com/iam/docs/resource-types-with-conditional-roles doesn't mention BigQuery, but we'll update https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table_iam#google_bigquery_table_iam_member to remove the example config since it's invalid.
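The project-level alternative described above, written out as an added example (it is not from the issue or from the provider's own docs). It assumes the same google_bigquery_table.test resource and member as the reported config, and that the resource.name format is the one given in the BigQuery conditions doc linked above; the condition keeps the original expiry and business-hours clauses and adds the resource.type/resource.name clauses that narrow the project-level grant to one table:

```hcl
# Added example, not from the issue or the provider docs.
# Assumes the reporter's google_bigquery_table.test resource exists in the same config.
locals {
  # Full resource name of the table, in the format used by BigQuery IAM conditions
  # (projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_ID). Assumption: project ID, not number.
  table_resource_name = "projects/${google_bigquery_table.test.project}/datasets/${google_bigquery_table.test.dataset_id}/tables/${google_bigquery_table.test.table_id}"
}

# The binding lives on the project, where conditions are supported, but the condition
# restricts it so the role only applies to the single table named above.
resource "google_project_iam_member" "table_scoped_editor" {
  project = google_bigquery_table.test.project
  role    = "roles/bigquery.dataEditor"
  member  = "user:jane@example.com"

  condition {
    title       = "table_test_expires_on_7_15"
    description = "dataEditor on one table only, business hours, expires 2024-07-15"
    expression = join(" && ", [
      # Without these two clauses the grant would cover every BigQuery table in the project.
      "resource.type == \"bigquery.googleapis.com/Table\"",
      "resource.name == \"${local.table_resource_name}\"",
      # Clauses carried over from the reporter's original (rejected) table-level condition.
      "request.time < timestamp(\"2024-07-15T00:00:00-05:00\")",
      "request.time.getHours('-05:00') >= 8",
      "request.time.getHours('-05:00') < 20",
      "request.time.getDayOfWeek('-05:00') >= 1",
      "request.time.getDayOfWeek('-05:00') <= 5",
    ])
  }
}
```

After apply, check the project policy (for example with gcloud projects get-iam-policy) to confirm the binding appears with the condition attached rather than as an unconditional project-wide dataEditor grant.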

kvudata commented 1 month ago

Yes, I've managed to work around this by using google_project_iam_member.

wj-chen commented 1 month ago

Thank you for confirming. We'll be removing the misleading example on the Terraform resource documentation about setting IAM conditions on Table and others.