Create and set up a Cloud resource connection
As a BigQuery administrator, you can create a Cloud resource connection that enables data analysts to perform the following tasks:
For more information about connections, see Introduction to connections.
Before you begin
Enable the BigQuery Connection API.
To get the permissions that you need to create a Cloud Resource connection, ask your administrator to grant you the following IAM roles:
roles/bigquery.connectionAdmin on the project
roles/storage.objectViewer on the bucket
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
If you want to query structured data using BigLake tables based on Cloud Storage or unstructured data using object tables, then the service account associated with the connection must also have the Storage Viewer (roles/storage.viewer) role on the bucket that contains the external data.
gcloud version
If needed, update the Google Cloud SDK.
When you use Cloud Storage to store data files, we recommend that you use Cloud Storage single-region or dual-region buckets for optimal performance, not multi-region buckets.
Create Cloud resource connections
BigLake uses a connection to access Cloud Storage. You can use this connection with a single table or a group of tables.
You can skip this step if you either have a default connection configured, or you have the BigQuery Admin role.
Create a Cloud resource connection for the remote model to use, and get the connection's service account. Create the connection in the same location as the dataset that you created in the previous step.
Select one of the following options:
Console
Go to the BigQuery page.
In the Explorer pane, click Add data:
The Add data dialog opens.
In the Filter By pane, in the Data Source Type section, select Business Applications.
Alternatively, in the Search for data sources field, you can enter Vertex AI.
In the Featured data sources section, click Vertex AI.
Click the Vertex AI Models: BigQuery Federation solution card.
In the Connection type list, select Vertex AI remote models, remote functions and BigLake (Cloud Resource).
In the Connection ID field, enter a name for your connection.
Click Create connection.
Click Go to connection.
In the Connection info pane, copy the service account ID for use in a later step.
In a command-line environment, create a connection:
bq mk --connection --location=REGION --project_id=PROJECT_ID \
    --connection_type=CLOUD_RESOURCE CONNECTION_ID
The --project_id parameter overrides the default project.
Replace the following:
REGION: your connection region
PROJECT_ID: your Google Cloud project ID
CONNECTION_ID: an ID for your connection
When you create a connection resource, BigQuery creates a unique system service account and associates it with the connection.
Troubleshooting: If you get the following connection error, update the Google Cloud SDK:
Flags parsing error: flag --connection_type=CLOUD_RESOURCE: value should be one of...
Retrieve and copy the service account ID for use in a later step:
bq show --connection PROJECT_ID.REGION.CONNECTION_ID
The output is similar to the following:
name                         properties
1234.REGION.CONNECTION_ID    {"serviceAccountId": "connection-1234-9u56h9@gcp-sa-bigquery-condel.iam.gserviceaccount.com"}
Use the google_bigquery_connection resource.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following example creates a Cloud resource connection named my_cloud_resource_connection in the US region:
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Each Terraform configuration file must have its own directory (also called a root module).
The file must have the .tf extension, for example main.tf. In this tutorial, the file is referred to as main.tf.
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created main.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
terraform init
Optionally, to use the latest Google provider version, include the -upgrade option:
terraform init -upgrade
terraform plan
Make corrections to the configuration as necessary.
Enter yes at the prompt:
terraform apply
Wait until Terraform displays the "Apply complete!" message.
To create remote functions, you must grant required roles to Cloud Run functions or Cloud Run.
To connect to Cloud Storage, you must give the new connection read-only access to Cloud Storage so that BigQuery can access files on behalf of users.
Select one of the following options:
Console
We recommend that you grant the connection resource service account the Storage Object Viewer IAM role (roles/storage.objectViewer), which lets the service account access Cloud Storage buckets.
Go to the IAM & Admin page.
Click Add.
The Add principals dialog opens.
In the New principals field, enter the service account ID that you copied earlier.
In the Select a role field, select Cloud Storage, and then select Storage Object Viewer.
Click Save.
Use the gcloud storage buckets add-iam-policy-binding command:
gcloud storage buckets add-iam-policy-binding gs://BUCKET \
    --member=serviceAccount:MEMBER \
    --role=roles/storage.objectViewer
Replace the following:
BUCKET: the name of your storage bucket.
MEMBER: the service account ID that you copied earlier.
For more information, see Add a principal to a bucket-level policy.
Terraform
Use the google_bigquery_connection resource.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following example grants IAM role access to the service account of the Cloud resource connection:
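A configuration covering both Terraform steps on this page, creating the connection and granting its service account read access, written here as an added example and not the sample code from the original page. The resource labels, the bucket_name variable and the output name are assumptions; the grant is made on the bucket, matching the gcloud command above.

```hcl
# Added example. The project comes from GOOGLE_CLOUD_PROJECT, as exported in
# the "Prepare Cloud Shell" step; nothing here sets it explicitly.

# Hypothetical input: the bucket that holds the external data.
variable "bucket_name" {
  description = "Cloud Storage bucket the connection needs to read"
  type        = string
}

# Cloud resource connection with the name and region used in the text.
# The empty cloud_resource block selects the CLOUD_RESOURCE connection type;
# BigQuery then creates the connection's service account.
resource "google_bigquery_connection" "default" {
  connection_id = "my_cloud_resource_connection"
  location      = "US"
  cloud_resource {}
}

locals {
  # Service account ID that the console and "bq show --connection" display.
  connection_sa = google_bigquery_connection.default.cloud_resource[0].service_account_id
}

# Read-only role, bound on the single bucket. A google_project_iam_member
# binding with the same role would instead apply to every bucket in the
# project, which is more than the connection needs.
resource "google_storage_bucket_iam_member" "connection_reader" {
  bucket = var.bucket_name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${local.connection_sa}"
}

# Exposed so the ID can be checked against the bucket's IAM policy afterwards.
output "connection_service_account" {
  value = local.connection_sa
}
```

Supply the bucket at plan time, for example with -var="bucket_name=BUCKET", and confirm in the plan that the only IAM change is the single bucket-level member.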
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Each Terraform configuration file must have its own directory (also called a root module).
The file must have the .tf extension, for example main.tf. In this tutorial, the file is referred to as main.tf.
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created main.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
terraform init
Optionally, to use the latest Google provider version, include the -upgrade option:
terraform init -upgrade
terraform plan
Make corrections to the configuration as necessary.
Enter yes at the prompt:
terraform apply
Wait until Terraform displays the "Apply complete!" message.
You can grant the following roles to let users query data and manage connections:
roles/bigquery.connectionUser: enables users to use connections to connect with external data sources and run queries on them.
roles/bigquery.connectionAdmin: enables users to manage connections.
For more information about IAM roles and permissions in BigQuery, see Predefined roles and permissions.
Select one of the following options:
Console
Go to the BigQuery page.
Connections are listed in your project, in a group called External connections.
In the Explorer pane, click your project name > External connections > connection.
In the Details pane, click Share to share a connection. Then do the following:
In the Connection permissions dialog, share the connection with other principals by adding or editing principals.
Click Save.
You cannot share a connection with the bq command-line tool. To share a connection, use the Google Cloud console or the BigQuery Connections API method to share a connection.
API
Use the projects.locations.connections.setIAM method in the BigQuery Connections REST API reference section, and supply an instance of the policy resource.
Before trying this sample, follow the Java setup instructions in the BigQuery quickstart using client libraries. For more information, see the BigQuery Java API reference documentation.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Last updated 2025-08-07 UTC.