Dot
HomeLogin
  • Dot
    • What's Dot?
      • Getting started
      • Chat
      • Model
      • User Feedback
      • Permissions
      • API
      • Embed
    • Integrations
      • Snowflake
      • BigQuery
      • Redshift
      • AWS Athena
      • Databricks
      • Postgres
      • Microsoft SQL Server
      • MySQL / MariaDB
      • DuckDB
      • SAP HANA
      • Looker
      • dbt Semantic Layer
      • Slack
      • Microsoft Teams
      • Azure Active Directory
      • Okta
      • BI Tools
        • Tableau
        • Metabase
        • PowerBI (planned)
        • Sigma (planned)
        • Qlik (planned)
    • Security & Privacy
    • Support
Powered by GitBook
On this page
  • Prerequisites
  • 1 Create a service account
  • 2 Granting permissions
  • Allow Dot IPs
  1. Dot
  2. Integrations

BigQuery

PreviousSnowflakeNextRedshift

Last updated 5 months ago

Prerequisites

You’ll need to have a account with a you would like Dot to use. Consult the Google Cloud Platform documentation for how to . This project should have a BigQuery dataset for Dot to connect to.

1 Create a service account

Create a service account that you manage in your Google Cloud account. This account should be provisioned with the following read-only roles:

  • bigquery.dataViewer

  • bigquery.jobUser

  • bigquery.readSessionUser

You'll need to provide the service account's email, a , and the location of your BigQuery instance.

Create a service account step by step.
  1. Navigate to Service Accounts:

    • Go to the .

    • In the Navigation menu, select IAM & Admin > .

  2. Create a New Service Account:

    • Click on Create Service Account at the top.

    • Assign a Name and optional Description (e.g., dot-service-account for identification).

    • Click Create and Continue.

  3. Assign Required Roles:

    • In the Grant this service account access to project section, add the following roles:

      • BigQuery Data Viewer (roles/bigquery.dataViewer)

      • BigQuery Job User (roles/bigquery.jobUser)

      • BigQuery Read Session User (roles/bigquery.readSessionUser)

    • Click Continue to finalize the role assignments.

  4. Create a JSON Key:

    • Under Create key (optional), select JSON and click Create.

    • This downloads a JSON file with the service account credentials. Store this file securely; it contains sensitive information.

  5. Service Account Details Needed for Dot:

    • Service Account Email: Visible in the Email column on the Service Accounts page.

    • JSON Key: The file downloaded in step 4.

    • BigQuery Location: The regional or multi-regional setting for your BigQuery instance (e.g., us-central1). Find this in the BigQuery console under BigQuery > Settings.

2 Granting permissions

The service account also needs the appropriate read-only roles.

First, we'll create a custom role for Dot-related permissions and then bind it to the service account that you're using. We'll also bind read-only BigQuery roles to the service account.

A) Create a Dot custom role

gcloud iam roles create DotMonitor \
  --project={{PROJECT_ID}} \
  --title=DotMonitor \
  --description="Dot specific permissions" \
  --permissions=bigquery.jobs.listAll,bigquery.jobs.list

Note that the {{PROJECT_ID}} placeholder needs to be replaced with your project id.

B) Bind the custom role to a service account and apply read-only BQ roles

gcloud projects add-iam-policy-binding {{PROJECT_ID}} \
  --member="serviceAccount:{{SERVICE_ACCOUNT}}" \
  --role="projects/{{PROJECT_ID}}/roles/DotMonitor"

gcloud projects add-iam-policy-binding {{PROJECT_ID}} \
  --member="serviceAccount:{{SERVICE_ACCOUNT}}" \
  --role="roles/bigquery.dataViewer"

gcloud projects add-iam-policy-binding {{PROJECT_ID}} \
  --member="serviceAccount:{{SERVICE_ACCOUNT}}" \
  --role="roles/bigquery.jobUser"

gcloud projects add-iam-policy-binding {{PROJECT_ID}} \
  --member="serviceAccount:{{SERVICE_ACCOUNT}}" \
  --role="roles/bigquery.readSessionUser"

Note that the {{SERVICE_ACCOUNT}} and {{PROJECT_ID}} placeholders needs to be replaced with your service account and project id, respectively.

Example Values

  • PROJECT_ID: super-position-123456

  • SERVICE_ACCOUNT: dot-101@super-position-123456.iam.gserviceaccount.com

Allow Dot IPs

If your organization uses a network policy to manage BigQuery access, Dot will only access your BigQuery through the following IPs:

  • 3.229.110.216

  • 3.122.135.165

The easiest way to grant these roles is through the .

Google Cloud Platform
project
create and manage a project
JSON-formatted key
Google Cloud Console
Service Accounts
Google Cloud Shell