
Linking BigQuery as a Source

This guide walks through connecting a Google BigQuery project to Actioneer. By the end, Actioneer will be able to query the tables in your specified dataset.
  
  Prerequisites  Google Cloud project with BigQuery enabled, Actioneer account
  Access granted  SELECT queries on specified tables
  Estimated time  ~15 minutes
Actioneer cannot insert, update, delete, or modify any data, tables, or schemas in your BigQuery project.

Step 1: Locate your GCP Project ID and Dataset ID

Two identifiers are required before configuring the connection. Both are available in the Google Cloud Console.
  1. Sign in at console.cloud.google.com.
  2. Open the project selector in the top-left corner. Copy the Project ID (e.g., gc-prod-459709). This is case-sensitive and differs from the project display name.
  3. In the left sidebar, open BigQuery. Expand your project in the Explorer panel and locate the dataset Actioneer should query. Note the exact Dataset ID (e.g., analytics_data). Also case-sensitive.
  Field  Location  Value Example
  GCP Project ID  Project selector, top-left  gc-prod-459709
  Dataset ID  BigQuery Explorer panel  analytics_data

Step 2: Create a service account and grant BigQuery roles

Actioneer authenticates using a GCP service account JSON key that you create and upload. This keeps credentials under your control.

Create the service account
  1. Open IAM & Admin → Service Accounts.
  2. Click Create Service Account.
  3. Name it something clear (e.g., actioneer-bigquery-reader). Click Create and Continue.
  4. Assign the following role at the project level:
  Role  Role ID  Scope  Purpose
  BigQuery Job User  roles/bigquery.jobUser  Project  Run query jobs
  5. Click Continue, then Done.

Grant dataset-level read access

After creating the service account, grant it read access on the specific dataset Actioneer should query. This follows the principle of least privilege: the service account can only read the datasets you explicitly authorize.
  1. In the Google Cloud Console, open BigQuery.
  2. In the Explorer panel, click your dataset name → Sharing → Permissions.
  3. Click Add Principal. Enter the service account email (e.g., actioneer-bigquery-reader@your-project.iam.gserviceaccount.com).
  4. Assign the role BigQuery Data Viewer (roles/bigquery.dataViewer).
  5. Click Save.
Download the JSON key
  1. On the Service Accounts page, click the account you just created.
  2. Go to the Keys tab → Add Key → Create New Key.
  3. Select JSON and click Create. The key file downloads automatically.
Store this JSON key file securely. It grants read access to your BigQuery data. Do not commit it to version control or share it over unencrypted channels.

```bash
PROJECT=YOUR_PROJECT_ID
DATASET=YOUR_DATASET_ID
SA="actioneer-bigquery-reader@${PROJECT}.iam.gserviceaccount.com"

# Project-level: run query jobs
gcloud projects add-iam-policy-binding "$PROJECT" \
  --member="serviceAccount:$SA" --role="roles/bigquery.jobUser"

# Dataset-level: read tables (least-privilege), granted with a
# GoogleSQL GRANT statement on the dataset (schema)
bq --project_id="$PROJECT" query --use_legacy_sql=false \
  "GRANT \`roles/bigquery.dataViewer\` ON SCHEMA \`$PROJECT\`.\`$DATASET\` TO 'serviceAccount:$SA'"
```

For dataset-level IAM via CLI, you can also use bq show --format=prettyjson to export the dataset ACL, add the binding, and bq update to apply it. The Console method in the steps above is simpler for most teams.

Step 3: Connect BigQuery in Actioneer

  1. In Actioneer, click Data in the left sidebar.
  2. Select Google BigQuery from the list of data sources.
  3. When prompted, select Direct Connection.
  4. Complete the connection form:
  Field  Value
  Connection Name  A descriptive label, e.g. Production BigQuery
  GCP Project ID  From Step 1 — case-sensitive
  Dataset ID  From Step 1 — case-sensitive
  Service Account JSON Key  Upload or drop the JSON key file from Step 2
The GCP Project ID you enter must match the project_id inside your service account JSON key. If they differ, the connection will use the project from the JSON key, not the one entered in the form.
  5. Click Connect.
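
A pre-connection check for the setup above, as an added example that is not part of Actioneer's documentation or tooling: it confirms that the key's project_id matches the form value and that the service account holds only the two grants this guide describes. It assumes the policy JSON comes from `gcloud projects get-iam-policy --format=json` and `bq show --format=prettyjson`, and that the dataset lists the service account under `userByEmail`; the function name and all sample data are constructed for illustration.

```python
"""Audit the grants this guide sets up (added example, constructed sample data)."""
ALLOWED_PROJECT_ROLES = {"roles/bigquery.jobUser"}
# bq show reports roles/bigquery.dataViewer under its legacy name READER.
ALLOWED_DATASET_ROLES = {"READER", "roles/bigquery.dataViewer"}


def audit(sa_email, project_id, key, project_policy, dataset_meta):
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings = []
    member = f"serviceAccount:{sa_email}"
    # The guide notes that the project_id inside the key wins over the form value.
    if key.get("project_id") != project_id:
        findings.append(f"key project_id {key.get('project_id')!r} does not match {project_id!r}")
    if key.get("client_email") != sa_email:
        findings.append("key belongs to a different service account")
    # Project level: only BigQuery Job User is expected for this account.
    project_roles = {b["role"] for b in project_policy.get("bindings", [])
                     if member in b.get("members", [])}
    for role in sorted(project_roles - ALLOWED_PROJECT_ROLES):
        findings.append(f"unexpected project role {role}")
    if not ALLOWED_PROJECT_ROLES <= project_roles:
        findings.append("missing roles/bigquery.jobUser on the project")
    # Dataset level: only read access is expected.
    dataset_roles = {a["role"] for a in dataset_meta.get("access", [])
                     if a.get("userByEmail") == sa_email}
    for role in sorted(dataset_roles - ALLOWED_DATASET_ROLES):
        findings.append(f"unexpected dataset role {role}")
    if not dataset_roles & ALLOWED_DATASET_ROLES:
        findings.append("missing read access on the dataset")
    return findings


# Constructed sample data, shaped like the gcloud and bq JSON output.
PROJECT = "gc-prod-459709"
SA = f"actioneer-bigquery-reader@{PROJECT}.iam.gserviceaccount.com"
KEY = {"type": "service_account", "project_id": PROJECT, "client_email": SA}
GOOD_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{SA}"]}]}
GOOD_DATASET = {"access": [{"role": "OWNER", "specialGroup": "projectOwners"},
                           {"role": "READER", "userByEmail": SA}]}
DRIFTED_POLICY = {"bindings": GOOD_POLICY["bindings"] + [
    {"role": "roles/bigquery.dataEditor", "members": [f"serviceAccount:{SA}"]}]}

if __name__ == "__main__":
    print(audit(SA, PROJECT, KEY, GOOD_POLICY, GOOD_DATASET))
    print(audit(SA, PROJECT, KEY, DRIFTED_POLICY, GOOD_DATASET))
```

Run it before uploading the key and again on a schedule: a finding on a later run means the account's access has drifted from the read-only setup.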

Common questions

No. BigQuery Job User allows running queries but not modifying data. BigQuery Data Viewer is a read-only role scoped to the datasets you authorize. Neither role permits inserting, updating, deleting, or altering tables, datasets, or schemas.
All credentials are encrypted at rest with AES-256 and encrypted in transit with TLS 1.3. They are never stored in plain text or logged. Actioneer is SOC 2 Type II certified, ISO 27001 certified (audited by Schellman), and GDPR compliant.

Need a hand?

Stuck on a step or running into an error? Reach out at connect@actioneer.com.