Provision with Cloud Console
The following setup allows Alvin to access BigQuery metadata and query history, without ever reaching the underlying data. After provisioning it, connect your BigQuery environment at connect.alvin.ai.
1. Create a new service account using Cloud Console
First of all, create a new service account in a host project.
Think of a host project as any project that you use to store config or infrastructure setup. Use an easily recognizable name for the service account that relates to the Alvin setup such as: sa-alvin-bq-reader.
2. Grant metadata access roles to the service account
Go to the IAM page.
Read more about our metadata-only access policy in the security section. As a reminder, these roles cannot access your data.
You have to grant metadata roles for ALL projects that you want to connect to Alvin. That means access to all projects that are being used for queries, but also ones that have metadata such as tables and user-defined functions.
If you already have an organization (see here) you can also add the service account at the organization level, which will avoid manual work and give access to all projects in your organization.
If you have a large organization with many projects, this is the recommended flow.
See more about BigQuery access control here.
For each project you wish to connect to Alvin, these roles should be set up for the Service Account:

If you prefer, you may instead use the GCloud CLI to automate this step:
Provision with gcloud CLI
3. Whitelist Alvin IP
If your organization restricts BigQuery access to a specific set of IP addresses using VPC Service Controls, add the following IP to your perimeter's list of allowed IP addresses. Alvin will only access your BigQuery through this IP: 34.159.141.113
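A check for step 2, as an added example that is not part of Alvin's documentation: it reads the IAM policy of each connected project and reports where the service account is missing or holds a role that could read table data. The deny-list, the project names, the host project in the service account email and the sample bindings are constructed assumptions; roles/bigquery.metadataViewer appears only as sample data, not as the page's role list.

```python
# Assumption (not from the page): roles this service account should never hold,
# because they include table-data read permission or broad project access.
DATA_ROLES = {
    "roles/bigquery.dataViewer", "roles/bigquery.dataEditor",
    "roles/bigquery.dataOwner", "roles/bigquery.admin",
    "roles/editor", "roles/owner",
}

def roles_for(policy, sa_email):
    """Return every role bound to the service account in one IAM policy."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(policies, sa_email):
    """Map project id -> finding, one entry per connected project."""
    findings = {}
    for project, policy in policies.items():
        roles = roles_for(policy, sa_email)
        risky = sorted(roles & DATA_ROLES)
        if not roles:
            findings[project] = "MISSING: no roles bound in this project"
        elif risky:
            findings[project] = "DATA ACCESS: " + ", ".join(risky)
        else:
            findings[project] = "OK: " + ", ".join(sorted(roles))
    return findings

# Constructed sample. Each value has the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SA = "sa-alvin-bq-reader@example-host-project.iam.gserviceaccount.com"
SAMPLE = {
    "analytics-prod": {"bindings": [
        {"role": "roles/bigquery.metadataViewer",
         "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["user:analyst@example.com"]},
    ]},
    "sandbox": {"bindings": [
        {"role": "roles/bigquery.dataViewer",
         "members": [f"serviceAccount:{SA}", "user:analyst@example.com"]},
    ]},
    "billing-export": {"bindings": []},
}

if __name__ == "__main__":
    for project, finding in audit(SAMPLE, SA).items():
        print(f"{project}: {finding}")
```

Roles granted at the organization level are inherited and do not appear in a project's own policy, so run the same check against the organization policy if you used that flow. Custom roles are matched by name only; inspect their permissions separately.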