Google BigQuery

The following steps enable users to connect Single Origin to Google BigQuery. Please note your BigQuery Project ID since it will appear multiple times in the setup process.

Service Account

Single Origin Connector

An admin will first need to set up a service account for a BigQuery project with the following privileges:

  • (required) Permissions to read metadata
    • bigquery.datasets.get
    • bigquery.datasets.getIamPolicy
    • bigquery.tables.get
    • bigquery.tables.getIamPolicy
    • bigquery.tables.list
  • (optional, but suggested) Additional permissions to read from query history/audit log tables
    • bigquery.jobs.create
    • bigquery.tables.getData

To do this, go into your BigQuery project and complete the following:

1. Create a role for Single Origin with the permissions required.

2. Create a service account called Single Origin Service.

Select the Single Origin Role we created earlier.

📘

Note

If the data is in a bucket, then you might have to go into "Cloud Storage > Bucket" and add permissions:

  • Principals: “[service account name]”
  • Role: “Storage Object Viewer”

4. Create a new key in Google Cloud Console.

Once the service account has been created,

  • Go into the newly created service account.
    • Go to the KEYS top tab > ADD KEY > Create new key > Choose JSON
    • Save the JSON file in a safe place; it is a credential for the service account, and we will need its content later in the setup.

Now return to Single Origin. Navigate to Mission Control > Single Origin Connectors > Big Query.

Fill out using the JSON file content from earlier.

Personal Connector

To get the most out of Single Origin, personal connectors should be able to query data. You can connect your personal connector using Service Account or OAuth.

Service Account

If you would like to use a service account as a personal connector, then we suggest setting up the service account (see Service Account section for set-up instructions) with the following privileges:

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • storage.buckets.list
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.objects.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • resourcemanager.projects.get
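To confirm that the role you created grants what this page lists and nothing more, the following added example (not Single Origin's own code) diffs a role definition against the Single Origin Connector list and the personal connector list above. It assumes the role was exported as JSON with `gcloud iam roles describe`; the function name, the sample role and the read/write heuristic are assumptions of the example.

```python
import json

# Permission lists copied from this page.
CONNECTOR_REQUIRED = {
    "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
    "bigquery.tables.get", "bigquery.tables.getIamPolicy", "bigquery.tables.list",
}
CONNECTOR_OPTIONAL = {"bigquery.jobs.create", "bigquery.tables.getData"}
PERSONAL_SUGGESTED = CONNECTOR_REQUIRED | CONNECTOR_OPTIONAL | {
    "bigquery.jobs.get", "bigquery.jobs.list", "bigquery.jobs.listAll",
    "storage.buckets.list", "storage.buckets.get", "storage.buckets.getIamPolicy",
    "storage.objects.list", "storage.objects.get", "storage.objects.getIamPolicy",
    "resourcemanager.projects.get",
}
PROFILES = {
    "connector": (CONNECTOR_REQUIRED, CONNECTOR_OPTIONAL),
    "personal": (PERSONAL_SUGGESTED, set()),
}

def audit_role(role_json: str, profile: str) -> dict:
    """Diff a role's includedPermissions against this page's list for `profile`."""
    expected, optional = PROFILES[profile]
    granted = set(json.loads(role_json).get("includedPermissions", []))
    excess = granted - expected - optional
    return {
        "missing": sorted(expected - granted),
        "optional_absent": sorted(optional - granted),
        "excess": sorted(excess),
        # Heuristic (assumption of this example): a verb that does not
        # start with get/list is treated as state-changing.
        "excess_mutating": sorted(
            p for p in excess
            if not p.rsplit(".", 1)[-1].startswith(("get", "list"))
        ),
    }

# Constructed sample, shaped like `gcloud iam roles describe --format=json` output.
SAMPLE_ROLE = json.dumps({
    "title": "Single Origin Role",
    "includedPermissions": [
        "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
        "bigquery.tables.get", "bigquery.tables.list",
        "bigquery.tables.getData", "bigquery.tables.delete",
        "bigquery.routines.list",
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE, "connector"), indent=2))
```

Anything reported under `excess` is a permission the connector does not need according to this page and can be removed from the role.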

📘

Note

The project for the personal connector must be the same project as the Single Origin connector.

Once a service account has been set up to use as a Personal Connector, setup is the same as for the Single Origin Connector. Retrieve the JSON key file from BigQuery and fill out the information in Single Origin Mission Control > Personal Connectors.

📘

Note

To use OAuth instead of Service Account, the Admin must configure the OAuth integration.

OAuth Integration

To connect to the data system through OAuth, Admins must configure the required OAuth information so that other users can connect through OAuth.

📘

Google Cloud Help

For more on OAuth, see Setting up OAuth 2.0 - Google Cloud Platform Console Help.

1. If you have not done so before, then first configure the consent screen & add scopes.

Choose Internal

Fill out the required fields

Click ADD OR REMOVE SCOPES, filter by BigQuery API, and select the scopes to access data.

2. Next, create new OAuth Credentials (Client ID) for Single Origin in your Google Cloud Console.

3. Fill out the following:

  • Application Type: Web Application
  • Name: Single Origin OAuth Client
  • One Authorized Javascript Origins: <https://{tenant}.singleorigin.tech>
    • Replace {tenant} with what is in your instance URL.
  • One Authorized Redirect URIs: <https://{tenant}.singleorigin.tech/api/connectors/oauth/bigquery>
    • Replace {tenant} with what is in your instance URL.
  • Save the Client ID and Client Secret for later

4. Now that you are set up in Google Cloud Console, return to Single Origin (<https://{tenant}.singleorigin.tech/mission-control/>).

Navigate to Mission Control > Single Origin Connectors > Create Connector Settings. Copy and paste the following from Google Cloud into Single Origin:

  1. Client ID
  2. Client Secret

Once this is complete, Admins have configured the required OAuth information for any connector to use OAuth in addition to Service Account.

  1. Navigate to Mission Control > Single Origin > Personal Connectors
  2. Confirm the Name and the Project ID. Note that we use the Project ID associated with the Single Origin Connector.
  3. Click Authenticate with Google BigQuery

Issues

  • If you run into Error 400: redirect_uri_mismatch during OAuth integration
    • This may be caused by a misconfiguration of the URLs. Please ensure the URLs point to the instance you're using by replacing {tenant} with your own dedicated tenant.
      • One Authorized Javascript Origins: <https://{tenant}.singleorigin.tech>
      • One Authorized Redirect URIs:
        • <https://{tenant}.singleorigin.tech/api/connectors/oauth/bigquery>
  • Please reach out to [email protected] for any issues and we'll get right back to you.
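Google matches the redirect URI as an exact string, so a trailing slash, an http scheme or an unreplaced {tenant} placeholder is enough to trigger Error 400: redirect_uri_mismatch. The following added example (not part of Single Origin's documentation or code) checks the client JSON downloaded from Google Cloud Console against the two URLs on this page; the tenant name `acme`, the function names and the sample are constructed.

```python
import json
from urllib.parse import urlsplit

# URL templates copied from this page; {tenant} comes from your instance URL.
EXPECTED = {
    "javascript_origins": "https://{tenant}.singleorigin.tech",
    "redirect_uris": "https://{tenant}.singleorigin.tech/api/connectors/oauth/bigquery",
}

def diagnose(found: str, want: str) -> str:
    """Explain why `found` is not an exact match for `want`."""
    if "{tenant}" in found:
        return "placeholder {tenant} was not replaced"
    f, w = urlsplit(found), urlsplit(want)
    if f.scheme != w.scheme:
        return f"scheme is {f.scheme!r}, expected {w.scheme!r}"
    if f.hostname != w.hostname:
        return f"host is {f.hostname!r}, expected {w.hostname!r} (wrong tenant?)"
    if f.path != w.path:
        return f"path is {f.path!r}, expected {w.path!r}"
    return "differs in case, port, query or fragment"

def check_oauth_client(client_json: str, tenant: str) -> list:
    """Return (field, found_value, reason) for each field lacking an exact match."""
    web = json.loads(client_json).get("web", {})
    problems = []
    for field, template in EXPECTED.items():
        want = template.replace("{tenant}", tenant)
        found = web.get(field, [])
        if want in found:
            continue
        if not found:
            problems.append((field, None, f"no entry; expected {want}"))
        for uri in found:
            problems.append((field, uri, diagnose(uri, want)))
    return problems

# Constructed sample in the shape of the client JSON from Google Cloud Console.
SAMPLE = json.dumps({"web": {
    "client_id": "constructed-id.apps.googleusercontent.com",
    "javascript_origins": ["https://acme.singleorigin.tech"],
    "redirect_uris": ["https://acme.singleorigin.tech/api/connectors/oauth/bigquery/"],
}})

if __name__ == "__main__":
    for problem in check_oauth_client(SAMPLE, "acme"):
        print(problem)
```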