Grant BigQuery Access to Vendo
This guide walks you through granting Vendo access to your BigQuery project using the managed service account method (recommended). No JSON keys to download or manage.
Step 1: Open Google Cloud Console
- Go to Google Cloud Console
- Select the project where your BigQuery data lives (or where you want Vendo to create datasets)
Step 2: Enable BigQuery API
If not already enabled:
- Navigate to APIs & Services > Enabled APIs & Services
- If BigQuery is not listed, click + Enable APIs and Services
- Search for and enable:
- BigQuery API
- BigQuery Storage API
Step 3: Grant Access to Vendo’s Service Account
- Navigate to IAM & Admin > IAM
- Click Grant Access at the top of the page
- In the New principals field, paste the following service account email:
vendo-connect@gam-dwh.iam.gserviceaccount.com-
Click Select a role and add these three roles:
- BigQuery Data Viewer (
roles/bigquery.dataViewer) — read access to tables and datasets - BigQuery Data Editor (
roles/bigquery.dataEditor) — create and update datasets and tables - BigQuery Job User (
roles/bigquery.jobUser) — run queries and load jobs
- BigQuery Data Viewer (
-
Click Save
Step 4: Verify
Return to the IAM page and confirm vendo-connect@gam-dwh.iam.gserviceaccount.com appears in the members list with the three roles assigned.
Alternative: Using gcloud CLI
If you prefer the command line:
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:vendo-connect@gam-dwh.iam.gserviceaccount.com" \
--role="roles/bigquery.dataViewer"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:vendo-connect@gam-dwh.iam.gserviceaccount.com" \
--role="roles/bigquery.dataEditor"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:vendo-connect@gam-dwh.iam.gserviceaccount.com" \
--role="roles/bigquery.jobUser"Replace YOUR_PROJECT_ID with your GCP project ID.
Why These Roles?
| Role | Purpose |
|---|---|
| Data Viewer | Read existing tables and datasets — needed for data discovery and validation |
| Data Editor | Create datasets and tables, insert and update data — needed for data imports |
| Job User | Run BigQuery queries and load jobs — needed for data processing and transforms |
FAQ
Is my data secure?
Yes. Vendo’s service account can only access BigQuery in the specific project you grant it access to. It cannot access other GCP services, other projects, or any data outside BigQuery. You can revoke access at any time by removing the service account from your IAM settings.
Can I use my own service account instead?
Yes. In the Vendo app, choose Bring Your Own Service Account when connecting BigQuery. You’ll create your own service account with the same roles and upload the JSON key. See BigQuery Setup for details.
What if I need to restrict access to specific datasets?
You can grant roles at the dataset level instead of the project level. In BigQuery Console, open the dataset, click Sharing > Permissions, and add the service account with the Data Editor role there.