Connecting BigQuery
Connect Google BigQuery to FreshGuard for monitoring.
BigQuery is available on all plans, including Free. Free+
Connection Fields
| Field | Description | Example |
|---|---|---|
| Project ID | Your GCP project ID | my-company-analytics |
| Service Account JSON | Service account key file contents | JSON key |
Setup Steps
- In the FreshGuard dashboard, go to Sources and click Add Source.
- Select BigQuery.
- Enter your GCP Project ID.
- Paste the contents of your service account JSON key file.
- Click Test Connection to verify access.
- Save.
Info
Don’t have a service account yet? Follow the BigQuery: Read-Only Service Account guide to create one with minimal permissions.
Required Permissions
The service account needs two IAM roles:
- BigQuery Data Viewer (
roles/bigquery.dataViewer) — Read access to tables and views. - BigQuery Job User (
roles/bigquery.jobUser) — Permission to run queries (required for freshness checks).
These roles should be granted at the project level so FreshGuard can access all datasets in the project, or at the dataset level if you want to restrict access to specific datasets.
Warning
Do not grant the BigQuery Admin or BigQuery Data Editor roles. FreshGuard only needs read access.
How FreshGuard Queries BigQuery
FreshGuard runs lightweight queries against your tables to determine freshness. For example, a freshness check might run:
SELECT MAX(updated_at) FROM `project.dataset.table`These queries scan only the timestamp column, so costs are minimal — typically fractions of a cent per check.
Common Issues
Permission Denied
- Verify the service account has
BigQuery Data ViewerandBigQuery Job Userroles. - Confirm the roles are granted on the correct project.
- If using dataset-level permissions, ensure every dataset you want to monitor has the roles applied.
Invalid JSON Key
- Ensure you’re pasting the full contents of the JSON key file, not just a portion.
- The key should start with
{"type": "service_account"and containprivate_key,client_email, and other fields.