You’ll need to have a account with a you would like Dot to use. Consult the Google Cloud Platform documentation for how to . This project should have a BigQuery dataset for Dot to connect to.
1 Create a service account
Create a service account that you manage in your Google Cloud account. This account should be provisioned with the following read-only roles:
bigquery.dataViewer
bigquery.jobUser
bigquery.readSessionUser
You'll need to provide the service account's email, a , and the location of your BigQuery instance.
Create a service account step by step.
Navigate to Service Accounts:
Go to the .
In the Navigation menu, select IAM & Admin > .
Create a New Service Account:
Click on Create Service Account at the top.
Assign a Name and optional Description (e.g., dot-service-account for identification).
Click Create and Continue.
Assign Required Roles:
In the Grant this service account access to project section, add the following roles:
BigQuery Data Viewer (roles/bigquery.dataViewer)
BigQuery Job User (roles/bigquery.jobUser)
BigQuery Read Session User (roles/bigquery.readSessionUser)
Click Continue to finalize the role assignments.
Create a JSON Key:
Under Create key (optional), select JSON and click Create.
This downloads a JSON file with the service account credentials. Store this file securely; it contains sensitive information.
Service Account Details Needed for Dot:
Service Account Email: Visible in the Email column on the Service Accounts page.
JSON Key: The file downloaded in step 4.
BigQuery Location: The regional or multi-regional setting for your BigQuery instance (e.g., us-central1). Find this in the BigQuery console under BigQuery > Settings.
2 Granting permissions
The service account also needs the appropriate read-only roles.
First, we'll create a custom role for Dot-related permissions and then bind it to the service account that you're using. We'll also bind read-only BigQuery roles to the service account.
A) Create a Dot custom role
gcloud iam roles create DotMonitor \
--project={{PROJECT_ID}} \
--title=DotMonitor \
--description="Dot specific permissions" \
--permissions=bigquery.jobs.listAll,bigquery.jobs.list
Note that the {{PROJECT_ID}} placeholder needs to be replaced with your project id.
B) Bind the custom role to a service account and apply read-only BQ roles