Provision with Cloud Console

The following setup allows Alvin to access BigQuery metadata and query history, without ever reaching the underlying data. After provisioning it, connect your BigQuery environment at connect.alvin.ai.

1. Create a new service account using Cloud Console

First, create a new service account in a host project. In order for our systems to detect it, you must use a name that starts with alvin-agent, e.g. alvin-agent@[my-project-id].iam.gserviceaccount.com.

2. Grant metadata access roles to the service account

Read more about our metadata-only access policy in the security section. As a reminder, these roles cannot access your data.

Go to the IAM page.

You have to grant metadata roles for ALL projects that you want to connect to Alvin. This includes:

  • projects that are being used to run queries

  • projects that store metadata such as tables and user-defined functions

  • projects that hold reservations used by your queries

If you have an organization (see here) you can also add the service account at the organization level, which will reduce manual work and give access to all projects in your organization. If you have a large organization with many projects, this is the recommended flow.

If you use the organization-level permission, make sure you also grant the Browser role at the organization level, for scenarios where you have a nested folders setup.

For each project you wish to connect to Alvin, the roles "BigQuery Metadata Viewer" and "BigQuery Resource Viewer" should be set up for the Service Account:

Service Account created with metadata permissions

If you prefer, you may instead use the GCloud CLI to automate this step:

Provision with gcloud CLI

3. Whitelist Alvin IP

If your organization restricts BigQuery access to a specific set of IP addresses using VPC Service Controls, add the following IP to your perimeter's allowed IP addresses list. Alvin will only access your BigQuery through it: 34.159.141.113

4. Submit service account credentials

After provisioning the service account, follow the steps on https://connect.alvin.ai to securely submit your credentials to Alvin.
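A check worth running before the credentials are submitted, as an added example that is not Alvin's own tooling: it audits IAM policies exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports, per project, any missing metadata role and any role beyond the ones this page asks for. The project ids and policies below are constructed sample data, and treating every other role as unexpected is this example's assumption.

```python
# Roles this page asks for; Browser is only expected on an organization policy.
REQUIRED = {"roles/bigquery.metadataViewer", "roles/bigquery.resourceViewer"}
ALLOWED_EXTRA = {"roles/browser"}

def audit_policy(policy, sa_email):
    """Return (missing, unexpected) roles bound directly to sa_email in one policy."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    return REQUIRED - granted, granted - REQUIRED - ALLOWED_EXTRA

def audit(policies, sa_email):
    """policies maps a project id to its IAM policy dict; returns finding strings."""
    findings = []
    if not sa_email.startswith("alvin-agent"):
        findings.append(f"name: {sa_email} does not start with alvin-agent")
    for project, policy in sorted(policies.items()):
        missing, unexpected = audit_policy(policy, sa_email)
        findings += [f"{project}: missing {r}" for r in sorted(missing)]
        findings += [f"{project}: unexpected {r}" for r in sorted(unexpected)]
    return findings

# Constructed sample data (hypothetical projects), shaped like the JSON that
# get-iam-policy prints; in practice load each file with json.load().
SA = "alvin-agent@my-project-id.iam.gserviceaccount.com"
SAMPLE = {
    "analytics-prod": {"bindings": [
        {"role": "roles/bigquery.metadataViewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/bigquery.resourceViewer",
         "members": [f"serviceAccount:{SA}", "user:analyst@example.com"]},
    ]},
    "analytics-dev": {"bindings": [
        {"role": "roles/bigquery.metadataViewer", "members": [f"serviceAccount:{SA}"]},
        # A data-reading role that the metadata-only setup should not include.
        {"role": "roles/bigquery.dataViewer", "members": [f"serviceAccount:{SA}"]},
    ]},
}

if __name__ == "__main__":
    for line in audit(SAMPLE, SA) or ["no findings"]:
        print(line)
```

Roles granted at the organization level do not appear in a project's own policy, so in that setup run the same check against the output of `gcloud organizations get-iam-policy`.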
