Summary

Support BigQuery per-user authentication rather than using the same saved service account. It enables per-user data access logging and row-level access control on BigQuery.

Description

Using the same saved service account to access BigQuery does not work in many organisations. Usually each employee function has access to a different set of tables and records within BigQuery.

Having only one account (service account) to access BigQuery does not help with the accountability of the data access and is the main blocker for deploying Redash. All users within Redash would have the same access permissions for BigQuery, and the data access log shows the same user.

Many BigQuery security features (PII protection, authorised views, row-level access control) rely on having the right user account passed to the BigQuery API. And it would be awesome if Redash had this feature.

Redash already supports IAM for Redshift.

Related Links

I don’t mind putting in some work for this feature, could you suggest some ideas on this?

Does Redshift actually support credential pass through per user? I think the link you shared is merely a data source that authenticates to a specific IAM user or role, but this is still shared across all queries against that data source.

Would be interested to see a sketch of how you’d implement per-user credential pass through as Redash really isn’t geared for that. Perhaps we can add some generic abstractions to make this more feasible.