Leverage user attributes for BigQuery access control

Goal - single layer for data access management

We’re using BigQuery and are interested in rolling out more fine-grained data access management.

We expect our users to have access to both the BigQuery console and Looker.

We are using the same GSuite SAML authentication for both Looker and BigQuery.

I’d like to be able to define access rules in BigQuery only, instead of needing to define them in both BigQuery and Looker (e.g. Angela can see financial data, but Dwight can’t).

Trying to solve

I see that username, password, schema, etc. can be set to user attributes from this documentation: https://docs.looker.com/admin-options/settings/user-attributes#database_connections

BUT BigQuery uses a service account for authentication, so I don’t see those fields when configuring my BigQuery connection!

My understanding is that I can pass in “Additional Attributes” as a JDBC string, but it’s unclear how BigQuery will handle those, or what the correct form should be.

Question - how do I pass a user attribute through the BigQuery connection in Looker that will correctly identify the user and enforce access restrictions / policies as expected?