1

I have a BigQuery User Defined Function (UDF) in which the definition contains a secret:

CREATE FUNCTION mydataset.HashWithPepper(input STRING, y INT64)
  RETURNS STRING
  AS SHA256(input + "secret_value_acting_as_a_pepper");

secret_value_acting_as_a_pepper is being used to pepper the inputted value. That value is a secret and cannot be known by people using the function.

Is it possible to grant someone permission to call a UDF but not see the definition of it? I've looked at https://cloud.google.com/bigquery/docs/access-control#bq-permissions and noted the following:

Permission Description
bigquery.routines.get Get routine definitions and metadata.

So clearly I do not want to grant bigquery.routines.get to my end-users, but how do I grant permission to call the UDF? I don't see a permission in bigquery.routines.* that pertains to calling a UDF.

jamiet
  • 10,501
  • 14
  • 80
  • 159

1 Answers1

1

I do not believer there is a way to hide the UDF definition from anyone allowed to call the routine.

BigQuery does support authorized UDFs which work much like authorized views. An authorized UDF can read data from BigQuery tables without needed to grant callers access to the tables directly.

One possible solution leveraging an authorized UDF would be:

  1. Create a PEPPER table to hold your pepper value in dataset A.
  2. Create the UDF that selects the pepper value from the PEPPER table and uses it with the hash function. Create the UDF in database B.
  3. Declare the UDF an authorized UDF of dataset A.
  4. Grant users BigQuery Data Viewer privileges to dataset B. Do not grant users any access to dataset A.
Brent Worden
  • 10,624
  • 7
  • 52
  • 57
  • Thanks. Authorised UDFs aren’t ideal for us because we use terraform to deploy everything and terraform doesn’t have support for authorised UDFs unfortunately. This isn’t an insurmountable problem however. – jamiet Jun 09 '21 at 07:27