Provision source system credentials

The following setup allows Alvin to access BigQuery metadata and query history, without ever reaching the underlying data.

1. Set up a service account using Cloud Console

First of all, create a new service account in a host project.

Think of a host project as any project that you use to store config or infrastructure setup. Use an easily recognisable name for the service account that relates to the Alvin setup such as: sa-alvin-bq-reader.

2. Grant metadata access roles to the service account

Go to the IAM page.

Read more about our metadata only access policy in the Security & compliance section. As a reminder, these roles will not access your data.

You have to grant metadata roles for ALL projects that you want to connect to Alvin. That means access to all projects that are being used for queries, but also ones that have metadata such as tables and user-defined functions.

If you already have an organization (see here) you can also add the service account at the organization level, which will avoid manual work and give access to all projects in your organization.

If you have a large organization with many projects, this is the recommended flow: you can choose projects to ignore in the connection setup later.

See more about BigQuery access control here.

For each project you wish to connect to Alvin, these roles should be set up for the Service Account:

If you prefer, you may instead use the GCloud CLI to automate this step:
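Once the roles are granted, the metadata-only claim can be checked against each project's IAM policy. The script below is an added example, not Alvin's own code: it parses the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports any role bound to the service account that allows reading table data. The project name, the sample policies and the metadata role inside them are constructed for illustration, and the denylist is this example's own selection of Google Cloud roles, not a list from Alvin.

```python
import json

# Google Cloud roles that allow reading BigQuery table data.
# Assumption of this example: a selection, not an exhaustive list.
DATA_READ_ROLES = {
    "roles/bigquery.dataViewer", "roles/bigquery.dataEditor",
    "roles/bigquery.dataOwner", "roles/bigquery.admin",
    "roles/viewer", "roles/editor", "roles/owner",
}

def roles_for(policy, sa_email):
    """Return every role bound directly to the service account."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(policy_json, sa_email):
    """Split the account's project-level roles into data-reading and other."""
    roles = roles_for(json.loads(policy_json), sa_email)
    risky = sorted(roles & DATA_READ_ROLES)
    # Not covered: custom roles, group membership, dataset-level grants.
    return {"data_read": risky,
            "other": sorted(roles - DATA_READ_ROLES),
            "metadata_only": bool(roles) and not risky}

# Constructed sample input (hypothetical project "host-project").
SA = "sa-alvin-bq-reader@host-project.iam.gserviceaccount.com"
CLEAN_POLICY = json.dumps({"bindings": [
    {"role": "roles/bigquery.metadataViewer",
     "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]})
LEAKY_POLICY = json.dumps({"bindings": [
    {"role": "roles/bigquery.metadataViewer",
     "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["user:analyst@example.com", f"serviceAccount:{SA}"]},
]})

if __name__ == "__main__":
    for name, policy in (("clean", CLEAN_POLICY), ("leaky", LEAKY_POLICY)):
        print(name, audit(policy, SA))
```

Run it for every project connected to Alvin, and against the organization policy if the account was added at the organization level.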
