
Provision source system credentials

The following setup allows Alvin to access BigQuery metadata and query history, without ever reaching the underlying data.


Last updated 5 months ago

1. Set up a service account using Cloud Console

First of all, create a new service account in a host project.

Think of a host project as any project that you use to store config or infrastructure setup. Use an easily recognisable name for the service account that relates to the Alvin setup such as: sa-alvin-bq-reader.

2. Grant metadata access roles to the service account

Go to the IAM page.

Read more about our metadata-only access policy in the Security & compliance section. As a reminder, these roles will not access your data.

You have to grant metadata roles for ALL projects that you want to connect to Alvin. That means access to all projects that are being used for queries, but also ones that have metadata such as tables and user-defined functions.

If you already have an organization (see here), you can also add the service account at the organization level, which avoids manual work and gives access to all projects in your organization.

If you have a large organization with many projects, this is the recommended flow: you can choose projects to ignore in the connection setup later.

See more about BigQuery access control here.

For each project you wish to connect to Alvin, these roles should be set up for the Service Account:

Service Account created with metadata permissions

If you prefer, you may instead use the GCloud CLI to automate this step; see Provision with GCloud CLI.
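To confirm afterwards that the service account holds the intended roles in every connected project and nothing that can read table data, the grants can be audited from each project's IAM policy. The sketch below is an added example, not Alvin's own tooling. The project ids, the `host-project` address, the expected role set (stand-ins for the roles this step lists) and the `DATA_ROLES` list are assumptions.

```python
# Assumption for this example: roles treated as able to read table data.
# Not exhaustive; extend it to match your own policy.
DATA_ROLES = {
    "roles/owner", "roles/editor", "roles/bigquery.admin",
    "roles/bigquery.dataOwner", "roles/bigquery.dataEditor",
    "roles/bigquery.dataViewer",
}

def roles_for(policy, member):
    """Return the set of roles an IAM policy binds directly to `member`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(policies, member, expected):
    """Check every project: expected roles present, no data or extra roles.

    `policies` maps project id -> the parsed JSON printed by
    `gcloud projects get-iam-policy PROJECT_ID --format=json`.
    """
    findings = []
    for project, policy in sorted(policies.items()):
        held = roles_for(policy, member)
        for role in sorted(expected - held):
            findings.append((project, "missing", role))
        for role in sorted(held & DATA_ROLES):
            findings.append((project, "data-access", role))
        for role in sorted(held - expected - DATA_ROLES):
            findings.append((project, "unexpected", role))
    return findings

# Constructed sample input: project ids, address and role set are made up.
SA = "serviceAccount:sa-alvin-bq-reader@host-project.iam.gserviceaccount.com"
EXPECTED = {"roles/bigquery.metadataViewer", "roles/bigquery.resourceViewer"}
SAMPLE = {
    "analytics-prod": {"bindings": [
        {"role": "roles/bigquery.metadataViewer", "members": [SA]},
        {"role": "roles/bigquery.resourceViewer", "members": [SA]},
    ]},
    "analytics-dev": {"bindings": [
        {"role": "roles/bigquery.metadataViewer", "members": [SA]},
        {"role": "roles/bigquery.dataViewer",
         "members": [SA, "user:analyst@example.com"]},
    ]},
}

if __name__ == "__main__":
    for project, kind, role in audit(SAMPLE, SA, EXPECTED):
        print(f"{project}: {kind}: {role}")
```

Roles inherited from an organization-level or folder-level grant, or through group membership, do not appear in a project's own policy, so those policies need the same check.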

3. Additional recommendations permissions (Optional)

BigQuery can automatically generate some recommendations, such as clustering, partitioning tables and creating materialised views. To allow Alvin to extract those and map the potential cost savings, correlating them with other recommendations, add the following permissions:

  • BigQuery Partitioning Clustering Recommender Viewer

  • BigQuery Recommender Project Viewer

  • BigQuery Materialized View Recommender Viewer

  • BigQuery Slot Recommender Viewer

4. Whitelist Alvin IP (Optional)

If your organization restricts BigQuery access to a specific set of IP addresses using VPC Service Controls, Alvin will only access your BigQuery through the following IP. Add it to your perimeter's allowed IP addresses list: 34.159.141.113
