feat: support BigQuery dataset ACLs in absence of IAM endpoints

hashicorp · Mar 25, 2020 · c57b163 · c57b163
1 parent 5435aa2
commit c57b163
Show file tree

Hide file tree

Showing 9 changed files with 888 additions and 310 deletions.
diff --git a/go.mod b/go.mod
@@ -3,16 +3,24 @@ module github.com/hashicorp/vault-plugin-secrets-gcp
 go 1.12
 
 require (
+	github.com/Bowery/prompt v0.0.0-20190916142128-fa8279994f75 // indirect
+	github.com/dchest/safefile v0.0.0-20151022103144-855e8d98f185 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/go-cleanhttp v0.5.1
 	github.com/hashicorp/go-gcp-common v0.5.0
 	github.com/hashicorp/go-hclog v0.12.0
 	github.com/hashicorp/go-multierror v1.0.0
+	github.com/hashicorp/go-version v1.2.0 // indirect
 	github.com/hashicorp/hcl v1.0.0
 	github.com/hashicorp/vault-plugin-auth-gcp v0.5.1
 	github.com/hashicorp/vault/api v1.0.5-0.20200215224050-f6547fa8e820
 	github.com/hashicorp/vault/sdk v0.1.14-0.20200215224050-f6547fa8e820
 	github.com/mitchellh/mapstructure v1.1.2
+	github.com/pkg/errors v0.9.1 // indirect
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 // indirect
+	golang.org/x/tools v0.0.0-20200204230316-67a4523381ef // indirect
 	google.golang.org/api v0.14.0
+	gopkg.in/yaml.v2 v2.2.8 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -4,6 +4,8 @@ cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 git.apache.org/thrift.git v0.12.0/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
+github.com/Bowery/prompt v0.0.0-20190916142128-fa8279994f75 h1:xGHheKK44eC6K0u5X+DZW/fRaR1LnDdqPHMZMWx5fv8=
+github.com/Bowery/prompt v0.0.0-20190916142128-fa8279994f75/go.mod h1:4/6eNcqZ09BZ9wLK3tZOjBA1nDj+B0728nlX5YRlSmQ=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
@@ -25,6 +27,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dchest/safefile v0.0.0-20151022103144-855e8d98f185 h1:3T8ZyTDp5QxTx3NU48JVb2u+75xc040fofcBaN+6jPA=
+github.com/dchest/safefile v0.0.0-20151022103144-855e8d98f185/go.mod h1:cFRxtTwTOJkz2x3rQUNCYKWC93yP1VKjR8NUhqFxZNU=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
@@ -68,6 +72,8 @@ github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
@@ -115,6 +121,8 @@ github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2I
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.1.0 h1:bPIoEKD27tNdebFGGxxYwcL4nepeY4j1QP23PFRGzg0=
 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
+github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -139,6 +147,8 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kardianos/govendor v1.0.9 h1:WOH3FcVI9eOgnIZYg96iwUwrL4eOVx+aQ66oyX2R8Yc=
+github.com/kardianos/govendor v1.0.9/go.mod h1:yvmR6q9ZZ7nSF5Wvh40v0wfP+3TwwL8zYQp+itoZSVM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -160,6 +170,10 @@ github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.
 github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/gox v1.0.1 h1:x0jD3dcHk9a9xPSDN6YEL4xL6Qz0dvNYm8yZqui5chI=
+github.com/mitchellh/gox v1.0.1/go.mod h1:ED6BioOGXMswlXa2zxfh/xdd5QhwYliBFn9V18Ap4z4=
+github.com/mitchellh/iochan v1.0.0 h1:C+X3KsSTLFVBr/tK1eYN/vs4rJcvsiLU338UhYPJWeY=
+github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
@@ -175,7 +189,10 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T
 github.com/pierrec/lz4 v2.0.5+incompatible h1:2xWsjqPFWcplujydGg4WmhC/6fZqK42wMM8aXeqhl0I=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
@@ -220,6 +237,7 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422 h1:QzoH/1pFpZguR8NrRHLcO6jKqfv2zpuSqZLgdm7ZmjI=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -260,6 +278,7 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be h1:QAcqgptGM8IQBC9K/RC4o+O9YmqEm0diQn9QmZw/0mU=
@@ -284,6 +303,11 @@ golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135 h1:5Beo0mZN8dRzgrMMkDp0jc8YXQKx9DiJ2k1dkvGsn5A=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20200116225955-84cebe10344f h1:ILR8hSRYwfkRGnA5a6c/vTjIFGkLibNIFxGiosQo+LM=
+golang.org/x/tools v0.0.0-20200116225955-84cebe10344f/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204230316-67a4523381ef h1:mdhEDFpO1Tfj7PXIflIuP1tbXt4rJgHIvbzdh62SARw=
+golang.org/x/tools v0.0.0-20200204230316-67a4523381ef/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.0.0-20181220000619-583d854617af/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
 google.golang.org/api v0.2.0/go.mod h1:IfRCZScioGtypHNTlz3gFk67J8uePVW7uDTBzXuIkhU=
 google.golang.org/api v0.3.0/go.mod h1:IuvZyQh8jgscv8qWfQ4ABd8m7hEudgBFM/EdhA3BnXw=
@@ -326,7 +350,12 @@ gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
+gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20180920025451-e3ad64cb4ed3/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

diff --git a/plugin/iamutil/bigquery_access.go b/plugin/iamutil/bigquery_access.go
@@ -0,0 +1,71 @@
+package iamutil
+
+import (
+	"fmt"
+	"strings"
+)
+
+// NOTE: BigQuery does not conform to the typical REST for IAM policies
+// instead it has an access array with bindings on the dataset
+// object. https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets#Dataset
+type AccessBinding struct {
+	Role        string `json:"role,omitempty"`
+	UserByEmail string `json:"userByEmail,omitempty"`
+}
+
+type Dataset struct {
+	Access []*AccessBinding `json:"access,omitempty"`
+}
+
+func (p *Policy) AsDataset() Dataset {
+	dataset := Dataset{}
+	if p == nil {
+		return dataset
+	}
+	for _, binding := range p.Bindings {
+		for _, member := range binding.Members {
+			var email string
+			memberSplit := strings.Split(member, ":")
+			if len(memberSplit) == 2 {
+				email = memberSplit[1]
+			} else {
+				email = member
+			}
+
+			if email != "" {
+				dataset.Access = append(dataset.Access, &AccessBinding{
+					Role:        binding.Role,
+					UserByEmail: email,
+				})
+			}
+		}
+	}
+	return dataset
+}
+
+func (ds *Dataset) AsPolicy() Policy {
+	policy := Policy{}
+	if ds == nil {
+		return policy
+	}
+	bindingMap := make(map[string]*Binding)
+	for _, accessBinding := range ds.Access {
+		email := fmt.Sprintf("serviceAccount:%s", accessBinding.UserByEmail)
+		if binding, ok := bindingMap[accessBinding.Role]; ok {
+			binding.Members = append(binding.Members, email)
+		} else {
+			bindingMap[accessBinding.Role] = &Binding{
+				Role:    accessBinding.Role,
+				Members: []string{email},
+			}
+		}
+	}
+	for k := range bindingMap {
+		policy.Bindings = append(policy.Bindings, bindingMap[k])
+	}
+	return policy
+}
+
+func (r *parsedIamResource) IsBigqueryResource() bool {
+	return r.config.TypeKey == "projects/datasets" && r.config.Service == "bigquery"
+}
diff --git a/plugin/iamutil/bigquery_access_test.go b/plugin/iamutil/bigquery_access_test.go
@@ -0,0 +1,75 @@
+package iamutil
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestPolicyToDataset(t *testing.T) {
+	policy, expectedDataset := getTestFixtures()
+	expectedDatasetBytes, err := json.Marshal(expectedDataset)
+	if err != nil {
+		t.Fatal(err)
+	}
+	actualDataset := policy.AsDataset()
+	actualDatasetBytes, err := json.Marshal(actualDataset)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(actualDatasetBytes) != string(expectedDatasetBytes) {
+		t.Fatalf("%v should be equal to %v", string(actualDatasetBytes), string(expectedDatasetBytes))
+	}
+}
+
+func TestDatasetToPolicy(t *testing.T) {
+	expectedPolicy, dataset := getTestFixtures()
+	expectedPolicyBytes, err := json.Marshal(expectedPolicy)
+	if err != nil {
+		t.Fatal(err)
+	}
+	actualPolicy := dataset.AsPolicy()
+	actualPolicyBytes, err := json.Marshal(actualPolicy)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(actualPolicyBytes) != string(expectedPolicyBytes) {
+		t.Fatalf("%v should be equal to %v", string(actualPolicyBytes), string(expectedPolicyBytes))
+	}
+}
+
+func getTestFixtures() (*Policy, *Dataset) {
+	policy := &Policy{
+		Bindings: []*Binding{
+			&Binding{
+				Members: []string{
+					"serviceAccount:[email protected]",
+					"serviceAccount:[email protected]",
+				},
+				Role: "roles/bigquery.dataViewer",
+			},
+			&Binding{
+				Members: []string{
+					"serviceAccount:[email protected]",
+				},
+				Role: "roles/bigquery.dataOwner",
+			},
+		},
+	}
+	dataset := &Dataset{
+		Access: []*AccessBinding{
+			&AccessBinding{
+				Role:        "roles/bigquery.dataViewer",
+				UserByEmail: "[email protected]",
+			},
+			&AccessBinding{
+				Role:        "roles/bigquery.dataViewer",
+				UserByEmail: "[email protected]",
+			},
+			&AccessBinding{
+				Role:        "roles/bigquery.dataOwner",
+				UserByEmail: "[email protected]",
+			},
+		},
+	}
+	return policy, dataset
+}
diff --git a/plugin/iamutil/iam_handle.go b/plugin/iamutil/iam_handle.go
@@ -27,8 +27,16 @@ func (h *IamHandle) GetIamPolicy(ctx context.Context, r IamResource) (*Policy, e
 		return nil, errwrap.Wrapf("unable to construct GetIamPolicy request: {{err}}", err)
 	}
 	var p Policy
-	if err := h.doRequest(ctx, req, &p); err != nil {
-		return nil, errwrap.Wrapf("unable to get policy: {{err}}", err)
+	if r.IsBigqueryResource() {
+		var dataset Dataset
+		if err := h.doRequest(ctx, req, &dataset); err != nil {
+			return nil, errwrap.Wrapf("unable to get BigQuery Dataset ACL: {{err}}", err)
+		}
+		p = dataset.AsPolicy()
+	} else {
+		if err := h.doRequest(ctx, req, &p); err != nil {
+			return nil, errwrap.Wrapf("unable to get policy: {{err}}", err)
+		}
 	}
 	return &p, nil
 }
@@ -39,8 +47,16 @@ func (h *IamHandle) SetIamPolicy(ctx context.Context, r IamResource, p *Policy)
 		return nil, errwrap.Wrapf("unable to construct SetIamPolicy request: {{err}}", err)
 	}
 	var out Policy
-	if err := h.doRequest(ctx, req, &out); err != nil {
-		return nil, errwrap.Wrapf("unable to set policy: {{err}}", err)
+	if r.IsBigqueryResource() {
+		var dataset Dataset
+		if err := h.doRequest(ctx, req, &dataset); err != nil {
+			return nil, errwrap.Wrapf("unable to set BigQuery Dataset ACL: {{err}}", err)
+		}
+		out = dataset.AsPolicy()
+	} else {
+		if err := h.doRequest(ctx, req, &out); err != nil {
+			return nil, errwrap.Wrapf("unable to set policy: {{err}}", err)
+		}
 	}
 	return &out, nil
 }

diff --git a/plugin/iamutil/iam_resource.go b/plugin/iamutil/iam_resource.go
@@ -15,6 +15,7 @@ import (
 type IamResource interface {
 	GetIamPolicyRequest() (*http.Request, error)
 	SetIamPolicyRequest(*Policy) (req *http.Request, err error)
+	IsBigqueryResource() bool
 }
 
 // parsedIamResource implements IamResource.
@@ -61,11 +62,15 @@ type RestMethod struct {
 }
 
 func (r *parsedIamResource) SetIamPolicyRequest(p *Policy) (req *http.Request, err error) {
-	jsonP, err := json.Marshal(p)
+	var jsonP []byte
+	if r.IsBigqueryResource() {
+		jsonP, err = json.Marshal(p.AsDataset())
+	} else {
+		jsonP, err = json.Marshal(p)
+	}
 	if err != nil {
 		return nil, err
 	}
-
 	reqJson := fmt.Sprintf(r.config.SetMethod.RequestFormat, jsonP)
 	if !json.Valid([]byte(reqJson)) {
 		return nil, fmt.Errorf("request format from generated IAM config invalid JSON: %s", reqJson)

diff --git a/plugin/iamutil/iam_resource_parser_test.go b/plugin/iamutil/iam_resource_parser_test.go
@@ -183,6 +183,7 @@ func verifyHttpMethod(typeKey string, m *RestMethod) error {
 	case http.MethodGet:
 	case http.MethodPost:
 	case http.MethodPut:
+	case http.MethodPatch:
 		return nil
 	default:
 		return fmt.Errorf("unexpected HttpMethod %s", m.HttpMethod)