Connect to BigQuery
Credentials
DirectQuery delegates the credentials handling to a Google BigQuery Java client.
Service Account key file
A classic way to authenticate is to use a Service Account key file.
This consists in creating a Google Cloud service account with the correct permissions, save the secret key on your machine and use it.
There are 2 common ways to use this service account key file to the BigQuery Java client:
- Put the path to the key file in the
GOOGLE_APPLICATION_CREDENTIALS
environment variable. See Application Default Credentials. - Read the content of the key file and pass it to the client builder. See Loading credentials from a file.
Authenticate as user
Instead of a service account, it is also possible to use the credentials of a specific user using OAuth2 flow. This is a bit more advanced but can be achieved by following this guide.
Permissions
The service account or user used by DirectQuery must have the permissions to access the datasets and run jobs in BigQuery.
A simple way to achieve this is to give the BigQuery User and BigQuery Data Viewer roles to the user.
If this is too many permissions, you can also create a role with this minimal set of permissions:
bigquery.datasets.get
bigquery.jobs.create
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update
bigquery.routines.get
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list