Skip to main content
Guide to Connect BigQuery:
  1. Create a dedicated service account for Go Fig to limit permissions and improve security. (Recommended)
  2. Enable BigQuery API and grant required permissions in your Google Cloud project.
  3. Collect the following details:
  • Google Cloud project ID
  • Service account JSON key file
  • BigQuery datasets you want to access
For security, create a dedicated Go Fig service account with read-only BigQuery access:
1

Navigate to Service Accounts

In Google Cloud Console, go to IAM & AdminService Accounts.[SCREENSHOT: Google Cloud Console navigation with IAM & Admin highlighted]
2

Create service account

Click + Create Service Account at the top.[SCREENSHOT: Service Accounts page with “Create Service Account” button]Fill in the details:
  • Service account name: gofig-bigquery
  • Service account ID: [email protected] (auto-generated)
  • Description: “Go Fig BigQuery read access”
[SCREENSHOT: Service account creation form with fields filled]Click Create and Continue.
3

Grant permissions

Add the following roles to the service account:Required Roles:
  • BigQuery Data Viewer: Read access to datasets and tables
  • BigQuery Job User: Permission to run queries
  • BigQuery Read Session User: Enables efficient data reading via BigQuery Storage API
[SCREENSHOT: Role selector showing “BigQuery Data Viewer”, “BigQuery Job User”, and “BigQuery Read Session User” selected]Click Continue, then Done.
4

Generate JSON key

Find your new service account in the list and click on it.[SCREENSHOT: Service accounts list with gofig-bigquery highlighted]Go to the Keys tab and click Add KeyCreate new key.[SCREENSHOT: Keys tab with “Add Key” button]Select JSON format and click Create.[SCREENSHOT: Key type selection with JSON radio button selected]The JSON key file will download to your computer. Save this file securely - it contains credentials.[SCREENSHOT: Browser download notification showing JSON key file]
Why This Matters:
  • Principle of Least Privilege: Go Fig only gets read access, never write
  • Audit Trail: Separate service account makes it easy to track Go Fig queries
  • Cost Control: Monitor Go Fig query costs separately
  • Security: Limits blast radius if credentials are compromised
Save the JSON key file securely. Never commit it to version control or share it publicly.

2) Configure GCP Project Access

Go Fig needs the BigQuery API enabled and appropriate permissions configured:
Enable the BigQuery API in your project:
  1. Go to Google Cloud Console
  2. Select your project
  3. Navigate to APIs & ServicesLibrary
  4. Search for “BigQuery API”
  5. Click Enable
[SCREENSHOT: BigQuery API page with “Enable” button in Google Cloud Console]
Wait 1-2 minutes after enabling for the API to activate.
Restrict access to specific datasets:If you want to limit Go Fig to specific datasets (instead of project-wide access):
  1. In BigQuery Console, select a dataset
  2. Click SharingPermissions
  3. Click Add Principal
  4. Enter your service account email: [email protected]
  5. Select role: BigQuery Data Viewer
  6. Click Save
[SCREENSHOT: BigQuery dataset permissions dialog with service account added]Repeat for each dataset you want Go Fig to access.
Dataset-level permissions provide better security than project-wide access, especially for sensitive data.

3) Connect Go Fig to BigQuery

1

Add BigQuery connection

Navigate to your Organization Data page and click + Add data. Select BigQuery from the list of database connections.[SCREENSHOT: Organization Data page with “Add data” button and BigQuery option in connector list]
2

Upload service account JSON

Fill in your BigQuery connection information:
  • Service Account JSON: Click Choose File and upload the JSON key file you downloaded earlier.
[SCREENSHOT: File upload interface with “Choose File” button]Go Fig will automatically extract:
  • Project ID
  • Service account email
  • Private key (encrypted)
  • Dataset Region (Optional): Specify if you want to limit to specific regions (e.g., us-central1, europe-west1)
[SCREENSHOT: Dataset region dropdown with regions]
Leave region blank to access datasets across all regions in your project.
Verify the JSON file format is correct - should start with {"type": "service_account"...}
3

Connect to BigQuery

Click Connect to BigQuery to complete the setup. Go Fig will verify the connection, encrypt and store your credentials securely.[SCREENSHOT: “Connect to BigQuery” button]

Security Best Practices

Go Fig Security Features

  • Encrypted Credentials: Go Fig encrypts all connection credentials at rest
  • SSL/TLS Encryption: All data in transit uses SSL/TLS encryption
  • Credential Protection: Credentials are never logged or displayed in plain text
  • Role-Based Access Control: COMING SOON - Granular permissions for connection management
Use dedicated service account: Create separate Go Fig service account instead of using personal accounts.
Read-only access: Only grant BigQuery Data Viewer + BigQuery Job User + BigQuery Read Session User roles.
Dataset-level permissions: For sensitive data, use dataset-level permissions instead of project-wide access.
Rotate keys regularly: Rotate service account keys every 90 days and delete old keys.
Monitor query activity: Review Query History in Go Fig to track data access patterns.
Partition filtering: Always filter on partition columns (usually date) to minimize costs.
Select specific columns: Avoid SELECT * - only select columns you need to reduce data processed.
Never use admin credentials: Create a dedicated service account with minimal necessary permissions.