chore: relax adding objectUser role in blob creation (#1593)

Co-authored-by: Huan Chen <142538604+Genesis929@users.noreply.github.com>

Author: GarrettWu

bigframes/clients.py

@@ -86,7 +86,11 @@ def __init__(
  self._cloud_resource_manager_client = cloud_resource_manager_client
 
  def create_bq_connection(
- self, project_id: str, location: str, connection_id: str, iam_role: str
+ self,
+ project_id: str,
+ location: str,
+ connection_id: str,
+ iam_role: Optional[str] = None,
  ):
  """Create the BQ connection if not exist. In addition, try to add the IAM role to the connection to ensure required permissions.
 
@@ -119,11 +123,12 @@ def create_bq_connection(
 
  # Ensure IAM role on the BQ connection
  # https://cloud.google.com/bigquery/docs/reference/standard-sql/remote-functions#grant_permission_on_function
- try:
- self._ensure_iam_binding(project_id, service_account_id, iam_role)
- except google.api_core.exceptions.PermissionDenied as ex:
- ex.message = f"Failed ensuring IAM binding (role={iam_role}, service-account={service_account_id}). {ex.message}"
- raise
+ if iam_role:
+ try:
+ self._ensure_iam_binding(project_id, service_account_id, iam_role)
+ except google.api_core.exceptions.PermissionDenied as ex:
+ ex.message = f"Failed ensuring IAM binding (role={iam_role}, service-account={service_account_id}). {ex.message}"
+ raise
 
  # Introduce retries to accommodate transient errors like:
  # (1) Etag mismatch,

bigframes/operations/strings.py

@@ -305,9 +305,7 @@ def to_blob(self, connection: Optional[str] = None) -> series.Series:
  raise NotImplementedError()
 
  session = self._block.session
- connection = session._create_bq_connection(
- connection=connection, iam_role="storage.objectUser"
- )
+ connection = session._create_bq_connection(connection=connection)
  return self._apply_binary_op(connection, ops.obj_make_ref_op)
 
 

bigframes/session/__init__.py

@@ -1833,7 +1833,10 @@ def from_glob_path(
  return s.rename(name).to_frame()
 
  def _create_bq_connection(
- self, iam_role: str, *, connection: Optional[str] = None
+ self,
+ *,
+ connection: Optional[str] = None,
+ iam_role: Optional[str] = None,
  ) -> str:
  """Create the connection with the session settings and try to attach iam role to the connection SA.
  If any of project, location or connection isn't specified, use the session defaults. Returns fully-qualified connection name."""