Provision source system credentials
The following setup allows Alvin to access BigQuery metadata and query history, without ever reaching the underlying data.
First of all, create a new service account in a host project.
Think of a host project as any project that you use to store config or infrastructure setup. Use an easily recognisable name for the service account that relates to the Alvin setup, such as sa-alvin-bq-reader.
Go to the IAM page.
Read more about our metadata-only access policy in the Security & compliance section. As a reminder, these roles will not access your data.
You have to grant metadata roles for ALL projects that you want to connect to Alvin. That means access to all projects that are being used for queries, but also ones that have metadata such as tables and user-defined functions.
If you already have an organization (see here) you can also add the service account at the organization level, which will avoid manual work and give access to all projects in your organization.
If you have a large organization with many projects, this is the recommended flow: you can choose projects to ignore in the connection setup later.
See more about BigQuery access control here.
For each project you wish to connect to Alvin, these roles should be set up for the Service Account:
If you prefer, you may instead use the gcloud CLI to automate this step:
BigQuery can automatically generate some recommendations, such as clustering, partitioning tables and creating materialised views. To allow Alvin to extract those and map the potential cost savings, correlating them with other recommendations, add the following permissions:
BigQuery Partitioning Clustering Recommender Viewer
BigQuery Recommender Project Viewer
BigQuery Materialized View Recommender Viewer
BigQuery Slot Recommender Viewer
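To confirm that the service account really is limited to metadata after the roles are granted, the project IAM policy can be audited offline. The following is an added example, not code from Alvin: the deny list, the project ID `example-host-project` and the sample policy are assumptions constructed for illustration, and the roles in the sample are not Alvin's required list.

```python
import json

# Roles that allow reading table contents, or broad basic roles.
# Assumption: a starting deny list chosen for this example,
# not a list published by Alvin or Google.
DATA_ACCESS_ROLES = {
    "roles/bigquery.dataViewer", "roles/bigquery.dataEditor",
    "roles/bigquery.dataOwner", "roles/bigquery.admin",
    "roles/owner", "roles/editor", "roles/viewer",
}

# Constructed service account address (hypothetical host project).
ALVIN_SA = ("serviceAccount:sa-alvin-bq-reader@"
            "example-host-project.iam.gserviceaccount.com")

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/bigquery.metadataViewer",
   "members": ["serviceAccount:sa-alvin-bq-reader@example-host-project.iam.gserviceaccount.com"]},
  {"role": "roles/bigquery.dataViewer",
   "members": ["user:analyst@example.com",
               "serviceAccount:sa-alvin-bq-reader@example-host-project.iam.gserviceaccount.com"]},
  {"role": "roles/bigquery.jobUser", "members": ["user:analyst@example.com"]},
  {"role": "projects/example-host-project/roles/customReader",
   "members": ["serviceAccount:sa-alvin-bq-reader@example-host-project.iam.gserviceaccount.com"]}
]}
""")

def roles_for(policy, member):
    """Return the sorted roles bound directly to `member` in the policy."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def data_access_findings(policy, member):
    """Roles to review: known data-access roles plus any custom role,
    whose permissions cannot be judged from its name alone."""
    return [r for r in roles_for(policy, member)
            if r in DATA_ACCESS_ROLES
            or r.startswith(("projects/", "organizations/"))]

if __name__ == "__main__":
    for role in data_access_findings(SAMPLE_POLICY, ALVIN_SA):
        print("REVIEW:", role)
```

The check only sees bindings that name the service account directly in the policy it is given; roles inherited from a group, folder or organization need the policy at that level audited as well.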
If your organization restricts BigQuery access to a specific set of IP addresses using VPC Service Controls, add the following IP to your perimeter's allowed IP addresses list, as Alvin will only access your BigQuery through it: 34.159.141.113