# BigQuery ## Steps 1. Make sure the BigQuery project has the correct API enabled 2. Create a working schema 3. Create a dedicated service account with the right set of permissions 4. Generate a credentials JSON file ### 1. Enable Cloud Resource Manager API * In the Google Cloud Console, navigate to the APIs & Services > Library page. * In the search bar, type "Cloud Resource Manager API". * Click on the search result for the Cloud Resource Manager API and click the Enable button ### 2. Create a working schema If you wish to use a synchronization strategy that handles updates and deletes of data, you will need a [working schema](https://developer.mediarithmics.io/data-streams/data-warehouse/preliminary-setup/..#working-schema). In that case, you should create a dedicated dataset in your project. You can use the following query: ```sql CREATE SCHEMA IF NOT EXISTS `project-name.mediarithmics_dataset` OPTIONS ( location = 'EU', description = 'Working schema mediarithmics' ); ``` ### 3. Service account creation and permissions We recommend using a dedicated service account with the appropriate set of permissions. To create a service account follow these steps : * Go to * Select you project * Click on “Create service account”

* Input the necessary informations : service account name, service account id (automatically generated), description. Click on “Create and continue”

#### Grant access * We recommend giving the service account Read only access to your data by giving the following roles at the **project level** : * `bigquery.jobUser` * `bigquery.dataViewer` * In addition, if applicable, the service account should also have the following role **only on the working schema :** * `bigquery.dataEditor` {% hint style="info" %} #### Grant limited access If you do not want to give the `bigquery.dataViewer` role at the project level, you can assign it only to specific datasets, tables or views in your project. If you do that then you should add the following permissions at the **project** level : * `bigquery.datasets.get` * `bigquery.tables.list` * `bigquery.tables.get` To assign these customs permissions you should create a [custom role](https://cloud.google.com/iam/docs/creating-custom-roles#creating) than carries the `bigquery.jobUser` role and the `bigquery.datasets.get` `bigquery.tables.list` `bigquery.tables.get` permissions. If the `bigquery.dataViewer` role is even too much, you can assign the `bigquery.tables.getData` permission at a table level only. {% endhint %} ### 4. Generate a credentials JSON file To export a credentials JSON file follow these steps : * Go to * Select you project * Select your service account and on the “…” menu select “Manage keys” * Then click on “Add key”>”Create new key”

* Select JSON then “Create” * The key is automatically downloaded {% hint style="warning" %} Note you need to have at least the `roles/iam.serviceAccountKeyAdmin` role to perform these actions {% endhint %}