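# Row-level security on a BigQuery table (GoogleSQL DDL).
# Once a table carries at least one row access policy, a principal that is in
# no policy's grantee list gets zero rows back from that table, so the grantee
# lists below are the effective read ACL for the rows.
# Policy DDL runs as a query job, so it shows up in the project's job history
# and audit logs.

# Create: grantees can read only the rows where the FILTER USING predicate is true
CREATE ROW ACCESS POLICY apac_filter
ON project.dataset.my_table
GRANT TO ('user:abc@example.com')
FILTER USING (region = 'APAC');

# Update: CREATE OR REPLACE overwrites the policy of the same name on the table
# (grantee list and filter are both replaced, not merged)
CREATE OR REPLACE ROW ACCESS POLICY sales_us_filter
ON project.dataset.my_table
GRANT TO (
  'user:john@example.com',
  'group:sales-us@example.com',
  'group:sales-managers@example.com'
)
FILTER USING (region = 'US');

# Check the Post Exploitation tricks to see how to call this from the cli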
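# Enumerate row policies on a table
# Placeholders are quoted so the shell does not treat < and > as redirections
# if a line is pasted before the values are filled in.
bq ls --row_access_policies "<proj>:<dataset>.<table>" # Get row policies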
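# BigQuery enumeration with the bq and gcloud CLIs.
# Placeholders are quoted so the shell does not treat < and > as redirections
# if a line is pasted before the values are filled in.
# Queries, extracts and inserts run as BigQuery jobs and are recorded in the
# project's job history and audit logs, which is where a reviewer can
# reconstruct this activity.

# Dataset info
bq ls                                                   # List datasets
bq ls -a                                                # List all datasets (even hidden)
bq ls "<proj>:<dataset>"                                # List tables in a dataset
bq show --format=prettyjson "<proj>:<dataset>"          # Get info about the dataset (like ACLs)

# Tables info
bq show --format=prettyjson "<proj>:<dataset>.<table>"  # Get table info
bq show --schema "<proj>:<dataset>.<table>"             # Get schema of a table

# Get entries from the table
bq head "<dataset>.<table>"
bq query --nouse_legacy_sql 'SELECT * FROM `<proj>.<dataset>.<table-name>` LIMIT 1000'
# Use the * so it can dump everything in different files
bq extract "<dataset>.<table>" "gs://<bucket>/table*.csv"

# Insert data
bq query --nouse_legacy_sql 'INSERT INTO `digital-bonfire-410512.importeddataset.tabletest` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'
bq insert dataset.table /tmp/mydata.json

# Get permissions
bq get-iam-policy "<proj>:<dataset>"                    # Get dataset IAM policy
bq show --format=prettyjson "<proj>:<dataset>"          # Get dataset ACLs
bq get-iam-policy "<proj>:<dataset>.<table>"            # Get table IAM policy
bq ls --row_access_policies "<proj>:<dataset>.<table>"  # Get row policies

# Taxonomies (Get the IDs from the schemas of the tables)
gcloud data-catalog taxonomies describe "<taxonomy-ID>" --location="<location>"
gcloud data-catalog taxonomies list --location "<location>" # Find more
gcloud data-catalog taxonomies get-iam-policy "<taxonomy-ID>" --location="<location>"

# Get jobs executed
bq ls --jobs=true --all=true
# --location is a global bq flag, so it goes before the "show" command
bq --location="<location>" show --format=prettyjson --job=true "<job-id>"

# Misc
bq show --encryption_service_account # Get encryption service account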