To use Data Catalog, you must enable the Data Catalog API in a Google Cloud project that contains the resources you will create in Data Catalog or access in other Google Cloud systems with the API. We refer to this project as the Data Catalog "resource project".
In the common case, if you have only one project, you only need to enable the Data Catalog API in it to access all the resources it contains. The Data Catalog quickstart is an example of the creation of a project that has the Data Catalog API enabled and contains a BigQuery table you access as well as a Data Catalog tag template and tag.
Using tag templates in multiple projects
Everything in Google Cloud lives in a project, including your tag
templates. However, you can use tag templates from one project to create tags in
another if you authorize the other project to use the templates.
To do this, use the TagTemplate Owner, Creator, User, and Viewer IAM roles.
For example: If project A grants the TagTemplate User role to a service account owned by project B, this authorizes project B to create tags using project A's templates. Project A can also authorize the same service account to modify the created tags using the Tag Editor role.
If project A does not authorize project B, project B cannot tag its own data resources using project A's tag templates—it must create its own templates.
Best practice: Create templates in a central project if they are relevant to more than one project. Also, your data governance team should own the shared tag templates and maintain them on behalf of the organization.
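One way to audit the cross-project authorizations described above is to list which service accounts from other projects hold the TagTemplate or Tag Editor roles in project A's IAM policy. This is an added example, not code from the Data Catalog documentation; it assumes the policy is in the standard IAM policy JSON shape, and the sample policy, the project IDs, and the rule that Owner and Creator grants to other projects get a "review" verdict are constructed for illustration.

```python
import re

# IAM role IDs for the Data Catalog roles this section names.
TEMPLATE_ROLES = {
    "roles/datacatalog.tagTemplateOwner": "owner",
    "roles/datacatalog.tagTemplateCreator": "creator",
    "roles/datacatalog.tagTemplateUser": "user",
    "roles/datacatalog.tagTemplateViewer": "viewer",
    "roles/datacatalog.tagEditor": "tag-editor",
}
# Assumption of this example: tagging with shared templates needs no more than these.
SUFFICIENT_FOR_TAGGING = {"user", "viewer", "tag-editor"}

# A user-managed service account's e-mail domain carries its project ID.
SA_RE = re.compile(
    r"^serviceAccount:[^@]+@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")


def cross_project_grants(policy, template_project):
    """List (member, home_project, role, verdict) for service accounts of
    other projects holding a Data Catalog role in the given IAM policy."""
    findings = set()
    for binding in policy.get("bindings", []):
        kind = TEMPLATE_ROLES.get(binding.get("role"))
        if kind is None:
            continue  # not a role covered by this section
        for member in binding.get("members", []):
            match = SA_RE.match(member)
            if match is None or match.group(1) == template_project:
                continue  # user/group, or the template project's own account
            verdict = "ok" if kind in SUFFICIENT_FOR_TAGGING else "review"
            findings.add((member, match.group(1), kind, verdict))
    return sorted(findings)


# Constructed sample policy for a template project with the ID "project-a".
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/datacatalog.tagTemplateUser",
     "members": ["serviceAccount:tagger@project-b.iam.gserviceaccount.com",
                 "serviceAccount:etl@project-a.iam.gserviceaccount.com"]},
    {"role": "roles/datacatalog.tagTemplateOwner",
     "members": ["group:governance@example.com",
                 "serviceAccount:tagger@project-b.iam.gserviceaccount.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["serviceAccount:bi@project-c.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for finding in cross_project_grants(SAMPLE_POLICY, "project-a"):
        print(*finding, sep="  ")
```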
Identifying the Data Catalog resource project
The following table lists Data Catalog APIs and the associated resource project(s) where the Data Catalog API must be enabled.
Data Catalog APIs | Resource project | Notes |
---|---|---|
get/lookup/search | service account project | If the X-Goog-User-Project is specified in the HTTP/gRPC Header, also enable the Data Catalog API in the user project to enable quota and billing against the X-Goog-User-Project instead of the service account. |
create/update/delete | project identified by the /project-id/ in the API request resource parameter | Exceptions: see createTag/updateTag/deleteTag in the next row. |
createTag/updateTag/deleteTag | tag template container project | Since the Data Catalog API was enabled in the tag template container project when the template was created, no further action is needed to call these APIs. Note: The project identified by the parent parameter for the tag and the tag template used to create the tag must be from the same organization. |
Notes:
service account project: the project in which you have generated service account credentials to authenticate your application code.
resource parameter: the parameter passed in the API request that identifies the resource associated with the request (for example, see project-id in the tagTemplates.create parent parameter).