docs: Document minimum IAM requirement (#416)

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly: - [ ] Make sure to open an issue as a [bug/issue](https://togithub.com/googleapis/python-bigquery-dataframes/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea - [ ] Ensure the tests and linter pass - [ ] Code coverage does not decrease (if any source code was changed) - [x] Appropriate docs were updated (if necessary) - https://screenshot.googleplex.com/BPPQ6YVWYykCSus - https://screenshot.googleplex.com/8v3JYwcJJemSKRd Fixes internal issue #328086566 🦕
googleapis · Mar 7, 2024 · 36173b0 · 36173b0
1 parent 38bd2ba
commit 36173b0
Showing 1 changed file with 31 additions and 18 deletions.
diff --git a/README.rst b/README.rst
@@ -34,6 +34,11 @@ Prerequisites
   `install and initialize the gcloud CLI <https://cloud.google.com/sdk/docs/install>`_,
   and then generate the application default credentials by doing
   `gcloud auth application-default login <https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login>`_.
+* The user must have
+  `BigQuery Job User <https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser>`_ and
+  `BigQuery Read Session User <https://cloud.google.com/bigquery/docs/access-control#bigquery.readSessionUser>`_
+  roles for the minimum usage. Additional IAM requirements apply for using remote
+  functions and ML.
 
 Code sample
 ^^^^^^^^^^^
@@ -215,6 +220,30 @@ steps and an estimator together.
   to create a pipeline of transforms with a final estimator.
 
 
+ML remote models
+----------------
+
+**Requirements**
+
+To use BigQuery DataFrames ML remote models (`bigframes.ml.remote` or `bigframes.ml.llm`),
+you must enable the following APIs:
+
+* The BigQuery API (bigquery.googleapis.com)
+* The BigQuery Connection API (bigqueryconnection.googleapis.com)
+* The Vertex AI API (aiplatform.googleapis.com)
+
+and you must be granted the following IAM roles:
+
+* BigQuery Data Editor (roles/bigquery.dataEditor)
+* BigQuery Connection Admin (roles/bigquery.connectionAdmin)
+* Service Account User (roles/iam.serviceAccountUser) on the
+  `service account <https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration>`__
+  ``[email protected]``
+* Vertex AI User (roles/aiplatform.user)
+* Project IAM Admin (roles/resourcemanager.projectIamAdmin) if using default
+  BigQuery connection, or Browser (roles/browser) if using a pre-created connection
+
+
 ML locations
 ------------
 
@@ -311,24 +340,8 @@ following IAM roles:
   `service account <https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration>`__
   ``[email protected]``
 * Storage Object Viewer (roles/storage.objectViewer)
-* Project IAM Admin (roles/resourcemanager.projectIamAdmin)
-
-To use BigQuery DataFrames ML remote models(bigframes.ml.remote or bigframes.ml.llm), you must enable the following APIs:
-
-* The BigQuery API (bigquery.googleapis.com)
-* The BigQuery Connection API (bigqueryconnection.googleapis.com)
-* The Vertex AI API (aiplatform.googleapis.com)
-
-To use BigQuery DataFrames ML remote models(bigframes.ml.remote or bigframes.ml.llm), you must be granted the
-following IAM roles:
-
-* BigQuery Data Editor (roles/bigquery.dataEditor)
-* BigQuery Connection Admin (roles/bigquery.connectionAdmin)
-* Service Account User (roles/iam.serviceAccountUser) on the
-  `service account <https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration>`__
-  ``[email protected]``
-* Vertex AI User (roles/aiplatform.user)
-* Project IAM Admin (roles/resourcemanager.projectIamAdmin)
+* Project IAM Admin (roles/resourcemanager.projectIamAdmin) if using default
+  BigQuery connection, or Browser (roles/browser) if using a pre-created connection
 
 **Limitations**