Google BigQuery

The following steps enable users to connect Single Origin to Google BigQuery. Note your BigQuery project ID, since it appears multiple times in the setup process.

Service Account

An admin first needs to set up a service account for a single BigQuery project with the following privileges:

  • (required) Permissions to read metadata
    • bigquery.datasets.get
    • bigquery.datasets.getIamPolicy
    • bigquery.tables.get
    • bigquery.tables.getIamPolicy
    • bigquery.tables.list
  • (optional, but suggested) Additional permissions to read from query history/audit log tables
    • bigquery.jobs.create
    • bigquery.tables.getData

To do this, go into your BigQuery project and complete the following:

  1. Create a role for Single Origin with the permissions required.

  2. Create a service account called Single Origin Service.

📘

Note

If the data is in a bucket, then you might have to go into "Cloud Storage > Bucket" and add permissions:

  • Principals: “[service account name]”
  • Role: “Storage Object Viewer”

  3. Grant the service account the role.

  4. Once the service account is set up for the project, create a new key in Google Cloud Console.
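The same four steps can be run with the gcloud CLI instead of the console. This is an added example, not Single Origin's own tooling: the role ID, account ID and key file name are assumptions, and the commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example. Permission names come from the list above; ROLE_ID, SA_ID and
# KEY_FILE are assumed names, not values required by Single Origin.
REQUIRED="bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list"
OPTIONAL="bigquery.jobs.create bigquery.tables.getData"
ROLE_ID="singleOriginConnector"
SA_ID="single-origin-service"
KEY_FILE="single-origin-key.json"

# Dry run by default: print each command. Set DRY_RUN=0 to execute it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# usage: setup_single_origin PROJECT_ID [metadata-only]
setup_single_origin() {
  project=$1
  # Reject anything that is not a plausible project ID before building commands.
  case $project in
    ''|*[!a-z0-9-]*) echo "invalid project ID: $project" >&2; return 1 ;;
  esac
  perms=$REQUIRED
  if [ "${2:-}" != metadata-only ]; then perms="$perms $OPTIONAL"; fi
  perms=$(echo "$perms" | tr ' ' ',')
  sa="$SA_ID@$project.iam.gserviceaccount.com"

  # 1. Custom role holding only the listed permissions.
  run gcloud iam roles create "$ROLE_ID" --project="$project" \
    --title="Single Origin" --permissions="$perms"
  # 2. The service account.
  run gcloud iam service-accounts create "$SA_ID" --project="$project" \
    --display-name="Single Origin Service"
  # 3. Bind the custom role to the account on this one project.
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$sa" --role="projects/$project/roles/$ROLE_ID"
  # 4. JSON key: a long-lived credential, so keep the file owner-readable only
  #    and delete it once it has been pasted into the connector form.
  ( umask 077; run gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$sa" )
}
```

Call `setup_single_origin your-project-id` to review the commands, and pass `metadata-only` as the second argument to leave out the optional query-history permissions.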

Now return to the Single Origin site. Navigate to "Mission Control > Single Origin Connectors", add a new connector of type Big Query service account, and paste the JSON key content into the Single Origin Connector configuration.

Personal Connector

To get the most out of Single Origin, personal connectors should be able to query data. If you would like to use a service account as a personal connector, then we suggest setting up the service account with the following privileges:

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • storage.buckets.list
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.objects.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • resourcemanager.projects.get

📘

Note

The project for the personal connector should be the same project as the Single Origin connector.

Once a service account has been set up to use as a Personal Connector, setup is the same as for the Single Origin Connector: create a new key in Google Cloud, navigate to "Mission Control > Personal Connectors", add a new connector of type Big query service account, and paste the JSON key content into the Personal Connector configuration.

OAuth Integration

To connect to the data system through OAuth, Admins must configure the required OAuth information so that other users can connect through OAuth.

📘

Google Cloud Help

For more on OAuth, see Setting up OAuth 2.0 - Google Cloud Platform Console Help.

  1. If you have not done so before, then first configure the consent screen and add scopes.

  2. Next, create new OAuth Credentials (Client ID) for Single Origin in your Google Cloud Console.

  3. Fill out the following:
  4. Now that you are set up in Google Cloud Console, return to Single Origin (https://{tenant}.singleorigin.tech). Navigate to "Mission Control > Single Origin Connectors > Connector Settings." Copy and paste the Client ID and Client Secret from Google Cloud into Single Origin.

Once this is complete, Admins have configured the required OAuth information to:

  • set up a Single Origin Connector, as well as
  • allow users to set up Personal Connectors with OAuth.

First, the admin should set up a Single Origin Connector of type Big query oauth using the connector settings configured above. After this, any user who would like to set up a personal connector simply needs to:

  1. Navigate to "Mission Control > Personal Connectors"
  2. Click "New"
  3. Select type of Big query oauth
  4. Input a Name and the Project ID
  5. Click "Authenticate with Google BigQuery."
