
BigQuery: Read-Only Service Account

Create a minimal-privilege GCP service account for FreshGuard.

This guide covers creating a GCP service account with the minimum permissions FreshGuard needs to monitor your BigQuery tables.

Option 1: GCP Console

Create the Service Account

  1. Open the GCP Console and select your project.
  2. Navigate to IAM & Admin > Service Accounts.
  3. Click Create Service Account.
  4. Name it freshguard-reader (or similar) and give it a description like “Read-only access for FreshGuard monitoring”.
  5. Click Create and Continue.

Assign Roles

On the “Grant this service account access to project” step, add two roles:

  • BigQuery Data Viewer (roles/bigquery.dataViewer) — Allows reading table data and metadata.
  • BigQuery Job User (roles/bigquery.jobUser) — Allows running queries (required for freshness checks).

Click Continue, then Done.

Warning

Do not grant BigQuery Data Editor, BigQuery Admin, or any write-level roles. FreshGuard only needs read access.

Create a JSON Key

  1. Click on the service account you just created.
  2. Go to the Keys tab.
  3. Click Add Key > Create New Key.
  4. Select JSON format.
  5. Click Create — the key file will download automatically.

Store this file securely. You’ll paste its contents into FreshGuard when connecting BigQuery.

Option 2: gcloud CLI

If you prefer the command line:

# Set your project
gcloud config set project YOUR_PROJECT_ID
# Create the service account
gcloud iam service-accounts create freshguard-reader \
--display-name="FreshGuard Reader" \
--description="Read-only access for FreshGuard monitoring"
# Grant BigQuery Data Viewer
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:freshguard-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/bigquery.dataViewer"
# Grant BigQuery Job User
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:freshguard-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/bigquery.jobUser"
# Create and download the JSON key
gcloud iam service-accounts keys create freshguard-key.json \
--iam-account=freshguard-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com

Replace YOUR_PROJECT_ID with your actual GCP project ID.
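To confirm the account ended up with exactly the two roles from this guide and nothing from the Warning list, the following added POSIX shell check (not part of FreshGuard's own docs or tooling) audits a list of bound roles. The role list would normally come from the gcloud command in the comments; here a constructed list is fed in so it runs offline.

```shell
#!/bin/sh
# Added example (not FreshGuard's code): audit the roles bound to the
# freshguard-reader service account and flag anything beyond the two
# read-only roles this guide grants.
#
# In a real project, produce the role list with (documented gcloud flags):
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:$SA_EMAIL" \
#     --format="value(bindings.role)"
# and pipe it into audit_roles.

ALLOWED_ROLES="roles/bigquery.dataViewer roles/bigquery.jobUser"

# audit_roles: reads one role per line on stdin and prints a verdict per role.
# Returns 0 only if every role is allowed AND both required roles are present.
audit_roles() {
    status=0
    have_viewer=0
    have_jobuser=0
    while IFS= read -r role; do
        if [ -z "$role" ]; then continue; fi
        case " $ALLOWED_ROLES " in
            *" $role "*)
                echo "ok        $role"
                if [ "$role" = "roles/bigquery.dataViewer" ]; then have_viewer=1; fi
                if [ "$role" = "roles/bigquery.jobUser" ]; then have_jobuser=1; fi
                ;;
            *)
                # Any other role (dataEditor, admin, ...) violates least privilege.
                echo "EXCESSIVE $role"
                status=1
                ;;
        esac
    done
    if [ "$have_viewer" -eq 0 ]; then echo "MISSING   roles/bigquery.dataViewer"; status=1; fi
    if [ "$have_jobuser" -eq 0 ]; then echo "MISSING   roles/bigquery.jobUser"; status=1; fi
    return "$status"
}

# Constructed sample input: an over-privileged account (dataEditor must not be there).
if audit_roles <<'EOF'
roles/bigquery.dataViewer
roles/bigquery.jobUser
roles/bigquery.dataEditor
EOF
then
    echo "freshguard-reader: least privilege OK"
else
    echo "freshguard-reader: fix the bindings flagged above" >&2
fi
```

Run it against the real gcloud output after each IAM change; a non-zero exit means the account drifted from the read-only setup.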

Dataset-Level Permissions

If you want to restrict FreshGuard to specific datasets instead of the entire project, grant roles at the dataset level:

  1. Open BigQuery in the GCP Console.
  2. Click on the dataset you want to monitor.
  3. Click Sharing > Permissions.
  4. Add the service account email and assign BigQuery Data Viewer.

Repeat for each dataset. Note that BigQuery Job User still needs to be granted at the project level — it cannot be scoped to a dataset.

Tip

After creating the key file, paste its full contents into the “Service Account JSON” field when connecting BigQuery in FreshGuard.