Skip to main content
This connection relies on two service accounts. You create a service account in your own GCP project that holds the BigQuery read permissions described below. Our service account is then granted permission to impersonate yours using short-lived tokens. As a result, no private key is ever shared, every action appears in your own audit logs, and you can revoke access at any time through your IAM settings.
The recommended authentication method, service account impersonation, is covered in Step 3. If your policy requires a different approach, that step also describes how to use a service account key.

Step 1: Create a service account

1

Open the Service Accounts menu

In the GCP console, in the same project as your BigQuery data, navigate to the IAM & Admin menu, open the Service Accounts tab, and click Create service account.
Create service account menu
2

Name the service account

Give the service account a descriptive name and click Create and Continue.
Service account name options
3

Grant the BigQuery User role

Grant the new service account the BigQuery User role. This allows it to run the read queries that extract your data.
Grant BigQuery User role
4

Finish and note the email

Click Done to finish creating the account. Open the service account in the list and make a note of its email, which looks like service-account-name@project-id.iam.gserviceaccount.com. You will provide this email in Step 5.

Step 2: Grant read access to the source dataset

1

Open the dataset sharing settings

In BigQuery, click on the dataset you want to read from. In the menu on the right, click Sharing and then click Permissions.
BigQuery dataset sharing permissions
2

Add the service account as a principal

Click Add Principal.
BigQuery add principal
3

Grant the BigQuery Data Viewer role

Add the service account you created in Step 1, grant it the BigQuery Data Viewer role, and click Save.
BigQuery Data Viewer role

Step 3: Authorize authentication

Choose the authentication method that fits your security policy. Service account impersonation is recommended because it avoids sharing any long-lived credentials.

Step 4: Find your Project ID and data location

1

Find the Project ID

In the Google Cloud console, open the projects list dropdown and make a note of your BigQuery Project ID.
GCP Project ID
2

Find the data location

Open your source dataset in BigQuery and make a note of its Data location, such as us or us-central1. You will provide this value as the region in Step 5.
This connection supports Google Cloud organization policies that restrict identities by domain. If your organization enforces domain-restricted sharing, you can add our principal to your allow list following Google’s guidance on restricting identities by domain. Contact your account representative for the customer ID to add.

Step 5: Submit your connection details

Provide the following details to complete the source setup:
  1. The name is a descriptive name of the source.
  2. The Project ID from Step 4.
  3. The region (the data location) from Step 4.
  4. The authentication credentials from Step 3:
    • If using impersonation: the service account email from Step 1.
    • If using a service account key: the service account email from Step 1 and the JSON key you downloaded.