Set Up a Google BigQuery Data Federation Connection

Set up a connection between Google BigQuery and Data Cloud to access data.

User Permissions Needed 
To create a Google BigQuery Data Federation connection in Data Cloud: Data Cloud Architect

Before you begin:

  1. In Data Cloud, go to Data Cloud Setup.

  2. Under Configuration, select More Connectors.

  3. Click New.

  4. Under Source, select Google BigQuery and click Next.

  5. Enter a connection name and a connection API name.

The connection name must be at least three characters long.

  1. If you want to use key-based authentication, click Private Key Pair and upload the Private Key JSON file or paste its contents in the SSH Private Key field.

    If you’re using key-based authentication, skip the next step and continue configuring your BigQuery connection.

  2. If you want to use identity provider–based authentication, click Identity Provider Based.

    1. In the Google Cloud Service (GCS) account data warehouse, select IAM & Admin > Workload Identity Federation.

    2. In the Workload Identity Pool, click Add provider.

      1. Under details, enter a name for the provider.

      2. For Issuer (URL), enter your org's My Domain URL followed by /services/connectors. For example, https://yourcompany.my.salesforce.com/services/connectors.

      3. Under Audiences, select Allowed Audience and enter your org's My Domain URL. For example, https://yourcompany.my.salesforce.com.

      4. Under Attribute Mappings, match the audience attribute to OIDC audience (attribute.audi = assertion.aud) and the subject attribute to OIDC subject (google.subject = assertion.sub).

      5. Click Save.

    3. To provide audience access to the workload pool that you created, click Grant access and then select Grant access using service account impersonation.

      1. Select your service account email.

      2. Under Select principals, select the audience attribute that you created, and enter your org's My Domain URL.

      3. Click Save.

    4. To provide access to the subject, click Grant access and then select Grant access using service account impersonation.

      1. From the Data Cloud connection window, copy the external ID.

      2. In GCS, select your service account.

      3. Under Select principals, select the subject attribute and enter the Data Cloud external ID.

      4. Click Save.

    5. Download the config file generated by GCS.

      1. In the Configure your application dialog box, select the provider that you created.

      2. Enter a name for the OIDC token path and click Download config. You can choose any name as it won't be needed in the Data Cloud setup window.

      3. Copy the contents of the downloaded config file and paste it in the OIDC Client Config field in Data Cloud.

  3. Enter the Project ID.

  4. Enter the Service Account email.

  5. To review your configuration, click Test Connection.

  6. Click Save.

    To support large data sizes:

    • Enable the bigquery.tables.create and bigquery.dataset.create permissions in Google BigQuery. You can either attach a predefined role that has these permissions or, if you use a custom role, attach these permissions to that role. For more information, see BigQuery predefined IAM roles.
    • In your Google BigQuery project, create a dataset named sf_temp_dataset with an expiration time of six hours.
    • Select the Enable large-resultset flow checkbox on the create or edit connection page to support querying large result sets and to allowlist your org.