Grant Yuki Access to Your BigQuery Account
This guide enables Yuki to securely access your BigQuery organization through a dedicated service account for metadata analysis and optimization.
1. Create Service Account
The following script checks whether a `yuki-sa` service account already exists in your chosen project and creates it only if it does not.
```bash
# Create the yuki-sa service account in <PROJECT_NAME> unless it already exists.
if ! gcloud iam service-accounts list \
    --project "<PROJECT_NAME>" \
    --format="value(email)" \
    | grep -q "^yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com$"; then
  gcloud iam service-accounts create "yuki-sa" \
    --project "<PROJECT_NAME>" \
    --display-name "Yuki BigQuery access (org-level)"
else
  echo "Service account yuki-sa already exists, skipping creation."
fi
```
2. Grant Organization-Level Permissions
The service account receives the following roles at the organization level:
| Role | Purpose |
|---|---|
| bigquery.metadataViewer | View metadata across the organization |
| bigquery.jobUser | Access query history |
| resourcemanager.organizationViewer | List projects |
| iam.serviceAccountViewer | View service accounts |
| resourcemanager.projectCreator | Create projects |
| bigquery.resourceEditor | Manage BigQuery resources |
```bash
# Bind each role to yuki-sa on the organization node <ORGANIZATION_ID>.
# Org-level bindings are inherited by every folder and project beneath it.
gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
  --member "serviceAccount:yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com" \
  --role roles/bigquery.metadataViewer
gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
  --member "serviceAccount:yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com" \
  --role roles/bigquery.jobUser
gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
  --member "serviceAccount:yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com" \
  --role roles/resourcemanager.organizationViewer
gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
  --member "serviceAccount:yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com" \
  --role roles/iam.serviceAccountViewer
gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
  --member "serviceAccount:yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com" \
  --role roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
  --member "serviceAccount:yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com" \
  --role roles/bigquery.resourceEditor
```
3. Enable Required APIs
Enable the Cloud Resource Manager API in the project hosting the Yuki service account.
```bash
gcloud services enable cloudresourcemanager.googleapis.com \
  --project <PROJECT_NAME>
```
4. Generate Service Account Key
A JSON key file (yuki-sa-key.json) is created for authentication and uploaded to Yuki's onboarding interface.
```bash
# Create a long-lived JSON key for yuki-sa in the current directory.
# The file carries every role bound above, so treat it as a credential and
# remove the local copy once it has been uploaded.
gcloud iam service-accounts keys create "yuki-sa-key.json" \
  --iam-account "yuki-sa@<PROJECT_NAME>.iam.gserviceaccount.com" \
  --project "<PROJECT_NAME>"
echo "Service account key saved to: yuki-sa-key.json"
```
Download the key from Cloud Shell (the path matches the file created above):
```bash
cloudshell download yuki-sa-key.json
```
5. Connect Billing Account
Link a billing account to the Yuki-managed project and:
- Grant the serviceusage.serviceUsageAdmin role
- Enable the BigQuery and BigQuery Reservation APIs
```bash
# <YUKI_PROJECT_ID> is the Yuki-managed project; <YUKI_HOSTING_PROJECT> is the
# project where yuki-sa was created in step 1 (<PROJECT_NAME> above).
gcloud projects add-iam-policy-binding <YUKI_PROJECT_ID> \
  --member="serviceAccount:yuki-sa@<YUKI_HOSTING_PROJECT>.iam.gserviceaccount.com" \
  --role="roles/serviceusage.serviceUsageAdmin"
gcloud services enable bigquery.googleapis.com \
  --project=<YUKI_PROJECT_ID>
gcloud services enable bigqueryreservation.googleapis.com \
  --project=<YUKI_PROJECT_ID>
```
Outcome
Upon completion, Yuki operates with:
- Dedicated credentials
- Organization-wide discovery capabilities
- A dedicated project and reservation for optimized query routing
- A fully hosted proxy
Next Step
Proceed to Enable Optimization for Projects.