Make sure the BigQuery project has the correct API enabled
Create a working schema
Create a dedicated service account with the right set of permissions
Generate a credentials JSON file
1. Enable Cloud Resource Manager API
In the Google Cloud Console, navigate to the APIs & Services > Library page.
In the search bar, type "Cloud Resource Manager API".
Click on the search result for the Cloud Resource Manager API and click the Enable button
2. Create a working schema
If you wish to use a synchronization strategy that handles updates and deletes of data, you will need a working schema. In that case, you should create a dedicated dataset in your project. You can use the following query:
Input the necessary informations : service account name, service account id (automatically generated), description. Click on “Create and continue”
Grant access
We recommend giving the service account Read only access to your data by giving the following roles at the project level :
bigquery.jobUser
bigquery.dataViewer
In addition, if applicable, the service account should also have the following role only on the working schema :
bigquery.dataEditor
Grant limited access
If you do not want to give the bigquery.dataViewer role at the project level, you can assign it only to specific datasets, tables or views in your project. If you do that then you should add the following permissions at the project level :
bigquery.datasets.get
bigquery.tables.list
bigquery.tables.get
To assign these customs permissions you should create a custom role than carries the bigquery.jobUser role and the bigquery.datasets.getbigquery.tables.listbigquery.tables.getpermissions.
If the bigquery.dataViewer role is even too much, you can assign the bigquery.tables.getData permission at a table level only.
4. Generate a credentials JSON file
To export a credentials JSON file follow these steps :
