» google_bigquery_dataset_access

Gives dataset access for a single entity. This resource is intended to be used in cases where it is not possible to compile a full list of access blocks to include in a google_bigquery_dataset resource, to enable them to be added separately.

To get more information about DatasetAccess, see:

» Example Usage - Bigquery Dataset Access Basic User

resource "google_bigquery_dataset_access" "access" {
  dataset_id    = google_bigquery_dataset.dataset.dataset_id
  role          = "OWNER"
  user_by_email = google_service_account.bqowner.email
}

resource "google_bigquery_dataset" "dataset" {
  dataset_id = "example_dataset"
}

resource "google_service_account" "bqowner" {
  account_id = "bqowner"
}

» Example Usage - Bigquery Dataset Access View

resource "google_bigquery_dataset_access" "access" {
  dataset_id    = google_bigquery_dataset.private.dataset_id
  view {
    project_id = google_bigquery_table.public.project
    dataset_id = google_bigquery_dataset.public.dataset_id
    table_id   = google_bigquery_table.public.table_id
  }
}

resource "google_bigquery_dataset" "private" {
  dataset_id = "example_dataset"
}

resource "google_bigquery_dataset" "public" {
  dataset_id = "example_dataset2"
}

resource "google_bigquery_table" "public" {
  dataset_id = google_bigquery_dataset.public.dataset_id
  table_id   = "example_table"

  view {
    query          = "SELECT state FROM [lookerdata:cdc.project_tycho_reports]"
    use_legacy_sql = false
  }
}

» Argument Reference

The following arguments are supported:

  • dataset_id - (Required) A unique ID for this dataset, without the project name. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.

  • role - (Optional) Describes the rights granted to the user specified by the other member of the access object. Primitive, predefined and custom roles are supported. Predefined roles that have equivalent primitive roles are swapped by the API to their primitive counterparts, and will show a diff post-create. See official docs.

  • user_by_email - (Optional) An email address of a user to grant access to. For example: fred@example.com

  • group_by_email - (Optional) An email address of a Google Group to grant access to.

  • domain - (Optional) A domain to grant access to. Any users signed in with the domain specified will be granted the specified access.

  • special_group - (Optional) A special group to grant access to. Possible values include:

  • iam_member - (Optional) Some other type of member that appears in the IAM Policy but isn't a user, group, domain, or special group. For example: allUsers

  • view - (Optional) A view from a different dataset to grant access to. Queries executed against that view will have read access to tables in this dataset. The role field is not required when this field is set. If that view is updated by any user, access to the view needs to be granted again via an update operation. Structure is documented below.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The view block supports:

  • dataset_id - (Required) The ID of the dataset containing this table.

  • project_id - (Required) The ID of the project containing this table.

  • table_id - (Required) The ID of the table. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.
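
Because each google_bigquery_dataset_access resource adds one grant on its own, broad grants are easy to miss in review. The following added example (not part of the provider documentation) audits the JSON produced by `terraform show -json <planfile>` for grants to public members, whole domains, or owner-level roles. The sample plan, addresses and finding labels are constructed, and the `allAuthenticatedUsers` and `READER` values are assumptions not listed on this page.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "google_bigquery_dataset_access.owner",
  "type": "google_bigquery_dataset_access",
  "change": {"actions": ["create"], "after": {"dataset_id": "example_dataset",
    "role": "OWNER", "user_by_email": "bqowner@example.com"}}},
 {"address": "google_bigquery_dataset_access.analysts",
  "type": "google_bigquery_dataset_access",
  "change": {"actions": ["create"], "after": {"dataset_id": "example_dataset",
    "role": "READER", "group_by_email": "analysts@example.com", "view": []}}},
 {"address": "google_bigquery_dataset_access.open",
  "type": "google_bigquery_dataset_access",
  "change": {"actions": ["create"], "after": {"dataset_id": "example_dataset",
    "role": "roles/bigquery.dataOwner", "iam_member": "allUsers"}}},
 {"address": "google_bigquery_dataset_access.org",
  "type": "google_bigquery_dataset_access",
  "change": {"actions": ["create"], "after": {"dataset_id": "example_dataset",
    "role": "READER", "domain": "example.com"}}},
 {"address": "google_bigquery_dataset_access.old",
  "type": "google_bigquery_dataset_access", "change": {"actions": ["delete"], "after": null}}
]}
""")

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Predefined roles are swapped to primitive ones by the API, so match both forms.
OWNER_ROLES = {"OWNER", "roles/bigquery.dataOwner"}

def audit_dataset_access(plan):
    """Return sorted (address, finding) pairs for grants that need review."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}  # null on delete
        if rc.get("type") != "google_bigquery_dataset_access" or not after:
            continue
        addr = rc["address"]
        if {after.get("iam_member"), after.get("special_group")} & PUBLIC_MEMBERS:
            findings.append((addr, "public-member"))
        if after.get("domain"):
            findings.append((addr, "domain-wide"))
        if after.get("role") in OWNER_ROLES:
            findings.append((addr, "owner-role"))
    return sorted(findings)

if __name__ == "__main__":
    for addr, finding in audit_dataset_access(SAMPLE_PLAN):
        print(f"{finding:14} {addr}")
```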

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/datasets/{{dataset_id}}

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 4 minutes.
  • delete - Default is 4 minutes.

» User Project Overrides

This resource supports User Project Overrides.