Skip to main content
camelAI Legacy Product — This documentation covers camelAI’s embedded analytics offering, which is no longer being actively developed. We are migrating existing customers to the new camelAI platform. For the current product, visit camelAI.
BigQuery doesn’t support dynamic session variables like PostgreSQL or ClickHouse. Instead, it uses row access policies based on the authenticated user’s identity. To implement per-user RLS with Camel, you’ll need to create separate connections with different credentials.
BigQuery RLS requires managing multiple service accounts or user credentials, which adds complexity compared to PostgreSQL and ClickHouse implementations.

How Camel Handles BigQuery RLS

Unlike PostgreSQL and ClickHouse where Camel sets a session variable for each query, BigQuery requires a different approach:
  • Service Account Authentication: Each connection uses a specific service account with its own credentials
  • Row Access Policies: BigQuery filters data based on the authenticated service account’s identity
  • Multiple Connections: You create separate Camel connections for different user groups or tenants
  • Query Routing: Camel routes queries to the appropriate connection based on the srcs parameter

Setting Up RLS

Step 1: Create Service Accounts

Create separate service accounts for each access level or tenant:

Step 2: Grant BigQuery Permissions

Step 3: Create Row Access Policies

Create policies that filter data based on the service account:

Step 4: Configure Camel Connections

In Camel, create a connection for each service account:
  1. Navigate to your data sources
  2. Add a new BigQuery connection
  3. Configure with service account credentials:
    • Name: bigquery_tenant_a
    • Service Account: Upload the tenant-key.json file
    • Project ID: Your GCP project ID
Repeat this process for each tenant or user group that needs separate access.

Complete Example: Multi-Tenant Setup

Let’s implement a multi-tenant system where different service accounts represent different tenants.

1. Create the Data Table

2. Create Service Accounts

3. Create Row Access Policies

4. Grant BigQuery Permissions

5. Configure Camel Connections

Set up the connections in Camel:
  1. Tenant A Connection:
    • Name: bigquery_tenant_a
    • Service Account: tenant-a-reader@project.iam.gserviceaccount.com
    • Key File: Upload tenant-a-key.json
  2. Tenant B Connection:
    • Name: bigquery_tenant_b
    • Service Account: tenant-b-reader@project.iam.gserviceaccount.com
    • Key File: Upload tenant-b-key.json

6. Use Tenant-Specific Connections

When creating an iframe, specify which data source to use based on the user’s tenant:

Testing Your Policies

Using BigQuery Console

Test your policies by impersonating different service accounts:

Verify Policy Application

Check which policies are applied to a table:

Troubleshooting

Common Issues

  1. “Access Denied” Errors:
    • Verify service account has BigQuery Data Viewer role
    • Check row access policy syntax
    • Ensure service account is included in GRANT TO clause
  2. All Data Visible:
    • Confirm row access policies are enabled on the table
    • Check if user has additional roles (e.g., Owner, Editor)
    • Verify FILTER USING clause logic
  3. No Data Returned:
    • Test the filter condition separately
    • Verify service account email matches policy
    • Check data exists matching the filter criteria

Learn More

For assistance with BigQuery RLS implementation, contact support@camelai.com.