This scenario describes a standard cross-project resource sharing pattern on Google Cloud. The most secure and manageable approach is for the entity requiring access (the partner) to create and manage their own identity. The partner creates a service account in their project, which they control. They then provide the service account's unique email address to you. As the owner of the BigQuery dataset, you grant the necessary IAM role (e.g., BigQuery Data Viewer) to that specific service account on your dataset. This adheres to the principle of least privilege and proper separation of concerns, where each party manages their own resources and identities.

A. Creating the service account in your project requires you to manage its lifecycle and securely share its credentials (keys) with the partner, which is a security risk and an anti-pattern.

B. This is illogical. The service account needs access to the BigQuery dataset in your project, not to resources in the partner's project.

C. The partner granting their service account access to their own project does not confer any permissions to access resources, like your dataset, in a different project.

1. Google Cloud Documentation

BigQuery

"Control access to datasets": In the section "Grant access to a dataset

" the procedure describes adding a "principal" to the dataset's IAM policy. A principal can be a "service account

" and its email address format ([email protected]) inherently allows for granting access to a service account from a different project. This document outlines the exact procedure described in the correct answer.

2. Google Cloud Documentation

IAM

"Overview of IAM": This document explains the core IAM concepts. It defines a "principal" as an identity that can be granted access to a resource. It states

"A principal can be a Google Account... a service account

a Google group

or a Google Workspace... that needs access to a Google Cloud resource." This confirms that a service account from the partner's project is a valid principal to which you can grant access.

3. Google Cloud Documentation

IAM

"Service accounts overview": This page clarifies that "Service accounts are principals in IAM policies" and are "identified by their email address

which is unique to the account." This supports the method of the partner providing their unique service account email for you to add to your dataset's IAM policy.