This guide will walk you through the process of creating a service key for BigQuery, allowing secure programmatic access to your BigQuery resources.

Video Demonstration

Before we dive into the written instructions, watch this video for a visual walkthrough of the process:

Why Create a Service Key?

A service key for BigQuery provides:
  1. Secure Access: Allows applications to authenticate with BigQuery without using personal credentials.
  2. Controlled Permissions: Enables fine-grained access control to BigQuery resources.
  3. Automation: Facilitates automated processes and CI/CD pipelines interacting with BigQuery.

Prerequisites

Before you begin, ensure you have:
  • A Google Cloud Platform (GCP) account
  • A project set up in GCP

Step-by-Step Guide

Follow these steps to create a service key for BigQuery:

1. Enable the BigQuery API

1

Open Google Cloud Console

Go to https://console.cloud.google.com/
2

Navigate to APIs & Services

In the left navigation menu, click on “APIs & Services” > “Dashboard”
3

Enable BigQuery API

Click ”+ ENABLE APIS AND SERVICES” at the top of the page Search for “BigQuery API” and select it Click “ENABLE” if it’s not already enabled

2. Navigate to the IAM & Admin Console

1

Access IAM & Admin

In the left navigation menu, click on “IAM & Admin” > “Service Accounts”

3. Create a New Service Account

1

Click 'Create Service Account'

At the top of the page, click the “Create Service Account” button
2

Enter Service Account Details

  • Service account name: Choose a descriptive name (e.g., “bigquery-admin”) - Service account ID: This will auto-generate, but you can customize it - Description: Optional, but recommended for clarity
3

Click 'Create and Continue'

This will create the service account

4. Assign Roles to the Service Account

1

Select Roles

Choose the BigQuery Admin role for full access
2

Click 'Continue'

After selecting roles, click “Continue”
3

Grant User Access (Optional)

You can grant users access to this service account if needed
4

Click 'Done'

This completes the service account creation
The BigQuery Admin role provides full control over BigQuery resources, including creating, updating, and deleting datasets, tables, and jobs. It’s recommended for administrative access, but you can choose more restrictive roles based on your specific needs. Other roles include:
  • BigQuery Data Viewer: Read-only access to data
  • BigQuery User: Ability to run queries and jobs
  • BigQuery Job User: Ability to create and manage jobs
Choose the role that best fits your use case and follows the principle of least privilege.

5. Create and Download the Key

1

Find Your Service Account

In the Service Accounts list, find the account you just created
2

Access Key Management

Click on the three dots in the “Actions” column and select “Manage keys”
3

Add Key

Click “Add Key” and choose “Create new key”
4

Select Key Type

Choose “JSON” as the key type and click “Create”
5

Save the Key

The key file will automatically download. Keep this file secure!
The JSON key file contains sensitive information. Never commit it to version control or share it publicly.

Best Practices

  • Rotate your service account keys regularly
  • Use the principle of least privilege when assigning roles
  • Monitor and audit the usage of service accounts
For more detailed information on BigQuery security and best practices, refer to the official Google Cloud documentation.
By following this guide and watching the video demonstration, you’ve learned how to create a service key for BigQuery. Remember to keep your key secure and follow best practices for key management.