Connect Single Origin to BigQuery
Single Origin reads metadata only from your BigQuery environment — dataset, table, view, model, and routine schemas plus job and reservation information. It never reads your actual table data.
You connect Single Origin by granting our service account read-only access to your project's metadata. The whole setup takes a few minutes and nothing leaves your environment.
What you're granting
You'll assign two predefined IAM roles to the Single Origin service account:
| Role | Role ID | What it allows |
|---|---|---|
| BigQuery Metadata Viewer | roles/bigquery.metadataViewer | Read schemas and metadata for datasets, tables, views, models, and routines. Does not grant access to the data inside your tables. |
| BigQuery Resource Viewer | roles/bigquery.resourceViewer | Read job, reservation, and configuration metadata across the project. |
Neither role includes bigquery.tables.getData or any other data-read permission, so Single Origin can see the structure of your warehouse but never the contents of your rows.
Before you start
You'll need:
- A user account with permission to manage IAM on the project (the Owner or IAM Admin role).
- The Single Origin service account email:
  single-origin-reader@<SINGLE_ORIGIN_PROJECT>.iam.gserviceaccount.com
  Replace this with the exact service account address provided in your onboarding email. Copy it verbatim — IAM principals are case-sensitive.
- Your BigQuery project ID (shown as <YOUR_PROJECT_ID> below).
Option 1 — Google Cloud Console
- Open the IAM page and select the project you want Single Origin to read.
- Click Grant access.
- In New principals, paste the Single Origin service account email.
- Under Assign roles, add the first role: search for BigQuery Metadata Viewer and select it.
- Click Add another role and add BigQuery Resource Viewer.
- Click Save.
The Single Origin service account now appears in your IAM list with both roles.
Option 2 — gcloud CLI
Run both commands, replacing the placeholders with your values:
```bash
gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
  --member="serviceAccount:single-origin-reader@<SINGLE_ORIGIN_PROJECT>.iam.gserviceaccount.com" \
  --role="roles/bigquery.metadataViewer"

gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
  --member="serviceAccount:single-origin-reader@<SINGLE_ORIGIN_PROJECT>.iam.gserviceaccount.com" \
  --role="roles/bigquery.resourceViewer"
```
Option 3 — Terraform
```hcl
locals {
  single_origin_member = "serviceAccount:single-origin-reader@<SINGLE_ORIGIN_PROJECT>.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "single_origin_metadata_viewer" {
  project = "<YOUR_PROJECT_ID>"
  role    = "roles/bigquery.metadataViewer"
  member  = local.single_origin_member
}

resource "google_project_iam_member" "single_origin_resource_viewer" {
  project = "<YOUR_PROJECT_ID>"
  role    = "roles/bigquery.resourceViewer"
  member  = local.single_origin_member
}
```
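Whichever option you used, you can confirm the grant by auditing the project's IAM policy. The following is an added example, not Single Origin's own tooling: it takes the JSON from `gcloud projects get-iam-policy <YOUR_PROJECT_ID> --format=json` and reports missing, extra, or conditional roles for the service account. The names `audit_member`, `EXPECTED_ROLES`, and `MEMBER`, and the sample policy, are constructed for illustration.

```python
import json
import sys

# The two roles this page asks you to grant; any other role on the principal is flagged.
EXPECTED_ROLES = {"roles/bigquery.metadataViewer", "roles/bigquery.resourceViewer"}
# Placeholder from the page; substitute the address from your onboarding email.
MEMBER = "serviceAccount:single-origin-reader@<SINGLE_ORIGIN_PROJECT>.iam.gserviceaccount.com"

# Constructed sample policy: one expected role, one data-read role, one role missing.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/bigquery.metadataViewer", "members": [MEMBER]},
        {"role": "roles/bigquery.dataViewer", "members": [MEMBER, "user:analyst@example.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}


def audit_member(policy: dict, member: str) -> dict:
    """Compare the roles bound to `member` in a project IAM policy with EXPECTED_ROLES.

    Only bindings set on the project itself are visible here; roles inherited from a
    folder or organization, and dataset-level grants, need to be checked separately.
    """
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):  # exact, case-sensitive match
            continue
        granted.add(binding["role"])
        if "condition" in binding:  # conditional grants may not apply to every request
            conditional.add(binding["role"])
    return {
        "missing": sorted(EXPECTED_ROLES - granted),
        "unexpected": sorted(granted - EXPECTED_ROLES),
        "conditional": sorted(conditional),
        "ok": granted == EXPECTED_ROLES and not conditional,
    }


if __name__ == "__main__":
    # Pass a file holding the gcloud JSON output, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    report = audit_member(policy, MEMBER)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

The script exits non-zero when the principal holds anything other than the two expected roles, so it can run as a periodic check against drift.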
Finish up
Once the roles are assigned, let your Single Origin contact know (or confirm in the onboarding flow) and share your project ID. We'll verify the connection and begin reading metadata — no further action needed on your side.
Revoking access
You can remove Single Origin's access at any time from the IAM page by deleting the two role bindings for the service account, or via gcloud:
```bash
gcloud projects remove-iam-policy-binding <YOUR_PROJECT_ID> \
  --member="serviceAccount:single-origin-reader@<SINGLE_ORIGIN_PROJECT>.iam.gserviceaccount.com" \
  --role="roles/bigquery.metadataViewer"

gcloud projects remove-iam-policy-binding <YOUR_PROJECT_ID> \
  --member="serviceAccount:single-origin-reader@<SINGLE_ORIGIN_PROJECT>.iam.gserviceaccount.com" \
  --role="roles/bigquery.resourceViewer"
```