Create a service account
To create a service account in BigQuery, follow the detailed steps in Google Cloud's Creating and managing service account keys.
Create a custom role
To create a custom role, follow the detailed steps in Google Cloud's Creating a custom role.
To add permissions to the custom role, in the Add permissions dialog, click the Enter property name or value filter and add the following permissions.
For metadata crawling (required)
To configure permissions for crawling metadata, add the following permissions to the role:
bigquery.datasets.get allows Atlan to retrieve metadata about a dataset.
bigquery.datasets.getIamPolicy allows Atlan to read a dataset's IAM permissions.
bigquery.jobs.create allows Atlan to run jobs (including queries) within the project. 🚨 Careful! Without this, Atlan can't query the source.
bigquery.routines.get allows Atlan to retrieve routine definitions and metadata.
bigquery.routines.list allows Atlan to list routines and metadata on routines.
bigquery.tables.get allows Atlan to retrieve table metadata.
bigquery.tables.getIamPolicy allows Atlan to read a table's IAM policy.
bigquery.tables.list allows Atlan to list tables and metadata on tables.
bigquery.readsessions.create allows Atlan to create a session to stream large results.
bigquery.readsessions.getData allows Atlan to retrieve data from the session.
bigquery.readsessions.update allows Atlan to cancel the session.
resourcemanager.projects.get allows Atlan to retrieve project names and metadata.
To add data preview and querying (optional)
To configure permissions for previewing and querying data, add the following permissions to the role:
bigquery.tables.getData allows Atlan to retrieve table data. 🚨 Careful! This permission is also required for retrieving metadata such as the row count and update time of a table.
bigquery.jobs.get allows Atlan to retrieve data and metadata on any job, including queries.
bigquery.jobs.listAll allows Atlan to list all jobs and retrieve metadata on any job submitted by any user.
bigquery.jobs.update allows Atlan to cancel any job, including a running query.
To add query history mining (optional)
To configure permissions for mining query history, add the following permissions to the role:
bigquery.jobs.listAll allows Atlan to fetch all queries for a project.
Add your custom role to your service account
To add your custom role to your service account, follow the detailed steps in Google Cloud's Grant or revoke a single role.
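To confirm that the custom role matches the permission lists above and grants nothing beyond them, the following added example (not part of Atlan's or Google Cloud's documentation) audits a role definition in the JSON shape returned by `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`. The function name, the sample role name and the sample role contents are constructed for illustration.

```python
import json

# Permission tiers as listed on this page.
CRAWL = {
    "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
    "bigquery.jobs.create", "bigquery.routines.get", "bigquery.routines.list",
    "bigquery.tables.get", "bigquery.tables.getIamPolicy", "bigquery.tables.list",
    "bigquery.readsessions.create", "bigquery.readsessions.getData",
    "bigquery.readsessions.update", "resourcemanager.projects.get",
}
PREVIEW = {"bigquery.tables.getData", "bigquery.jobs.get",
           "bigquery.jobs.listAll", "bigquery.jobs.update"}
MINING = {"bigquery.jobs.listAll"}


def audit_role(role_json):
    """Compare a role's includedPermissions with the documented tiers."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {
        # Required crawl permissions the role lacks.
        "missing_required": sorted(CRAWL - granted),
        # Optional preview/query permissions not granted.
        "preview_missing": sorted(PREVIEW - granted),
        "mining_enabled": MINING <= granted,
        # Per the page, row count and update time need tables.getData.
        "row_counts_available": "bigquery.tables.getData" in granted,
        # Anything granted that this page does not ask for.
        "undocumented": sorted(granted - (CRAWL | PREVIEW | MINING)),
    }


# Constructed sample: a role missing one crawl permission, with mining enabled
# and one extra permission that this page does not ask for.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/atlanCrawler",  # hypothetical name
    "includedPermissions": sorted(CRAWL - {"bigquery.readsessions.update"})
    + ["bigquery.jobs.listAll", "bigquery.tables.delete"],
})

if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_ROLE).items():
        print(f"{key}: {value}")
```

An empty `missing_required` and an empty `undocumented` list mean the role covers metadata crawling and carries no permissions outside the three documented sets.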