Openlayer integrates with Google BigQuery to enable you to monitor and evaluate data quality directly from your BigQuery datasets. This integration uses Service Account Impersonation for secure, auditable access without sharing persistent credentials.

Why Service Account Impersonation?

Service Account Impersonation provides several key security and operational benefits:
  • No persistent credentials - No service account keys to manage or rotate
  • Least-privilege access - Fine-grained permissions with full audit trail
  • Seamless billing - Jobs run in your GCP project with transparent cost tracking
  • Enhanced security - Eliminates credential exposure risks

Architecture Overview

The integration follows Google Cloud’s recommended security practices:
Component | Description
Openlayer Service Account | impersonator@unbox-ai.iam.gserviceaccount.com
Customer Service Account | Created in your GCP project (e.g., openlayer-bigquery@your-project.iam.gserviceaccount.com)
Billing Project | Your GCP project where BigQuery job costs are billed

Setup Guide

Step 1: Create a Service Account

Create a dedicated service account in your GCP project for Openlayer to use:
# Set your project ID
export PROJECT_ID="your-project-id"

# Create the service account
gcloud iam service-accounts create openlayer-bigquery \
  --project=$PROJECT_ID \
  --description="BigQuery access for Openlayer" \
  --display-name="Openlayer BigQuery Access"

Step 2: Grant Required Permissions

Grant the necessary BigQuery permissions to your service account:
# Grant BigQuery Job User role (required to run queries)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.jobUser"

# Grant BigQuery Data Viewer role (for reading data)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.dataViewer"

# Grant BigQuery Metadata Viewer role (for reading metadata)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.metadataViewer"

Step 3: Enable Service Account Impersonation

Allow Openlayer’s service account to impersonate your service account:
# Grant the Service Account Token Creator role to Openlayer
gcloud iam service-accounts add-iam-policy-binding \
  openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com \
  --member="serviceAccount:impersonator@unbox-ai.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator"
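
To confirm that Steps 2 and 3 left exactly the bindings described above and nothing broader, the following added example (not part of Openlayer's documentation or tooling) audits the two IAM policies as exported by `gcloud ... get-iam-policy --format=json`. The project name `example-project`, the sample policies, and the function names are assumptions constructed for illustration.

```python
# Added example: audit the IAM bindings created in Steps 2 and 3.
# Real input: gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
#             gcloud projects get-iam-policy PROJECT_ID --format=json
OPENLAYER = "serviceAccount:impersonator@unbox-ai.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
EXPECTED_ROLES = {"roles/bigquery.jobUser", "roles/bigquery.dataViewer",
                  "roles/bigquery.metadataViewer"}


def members_with(policy, role):
    """All members bound to `role` in a parsed IAM policy."""
    return {m for b in policy.get("bindings", []) if b["role"] == role
            for m in b.get("members", [])}


def audit(sa_email, sa_policy, project_policy):
    """Return findings where the bindings differ from what Steps 2-3 create."""
    findings = []
    creators = members_with(sa_policy, TOKEN_CREATOR)
    if OPENLAYER not in creators:
        findings.append("MISSING: Openlayer lacks Token Creator on " + sa_email)
    for m in sorted(creators - {OPENLAYER}):
        findings.append(f"EXTRA: {m} can also impersonate {sa_email}")
    # A project-level Token Creator grant covers every service account in the project.
    for m in sorted(members_with(project_policy, TOKEN_CREATOR)):
        findings.append(f"EXTRA: {m} holds Token Creator project-wide")
    held = {b["role"] for b in project_policy.get("bindings", [])
            if f"serviceAccount:{sa_email}" in b.get("members", [])}
    findings += [f"MISSING: {r} not granted" for r in sorted(EXPECTED_ROLES - held)]
    findings += [f"EXTRA: {r} exceeds the Step 2 roles" for r in sorted(held - EXPECTED_ROLES)]
    return findings


# Constructed sample policies (not taken from a real project).
SA = "openlayer-bigquery@example-project.iam.gserviceaccount.com"
SAMPLE_SA_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR, "members": [OPENLAYER, "user:dev@example.com"]}]}
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/bigquery.dataViewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/bigquery.dataEditor", "members": [f"serviceAccount:{SA}"]}]}

if __name__ == "__main__":
    for line in audit(SA, SAMPLE_SA_POLICY, SAMPLE_PROJECT_POLICY):
        print(line)
```

Grants inherited from a folder or organization, made through group membership, or set on individual datasets do not appear in these two policies and need a separate review.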

Step 4: Configure Openlayer

Connect to BigQuery Data Source

In your Openlayer workspace, navigate to the data sources section, select the BigQuery data source, and click Connect.

Configure BigQuery Connection

Fill in the required connection details:
  • BigQuery Target Principal: Your service account email (e.g., openlayer-bigquery@your-project-id.iam.gserviceaccount.com)
  • BigQuery Billing Project: Your GCP project ID (where costs will be billed)
  • Name: A descriptive name for this data source connection
Your service account email should follow the format: SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

Configure BigQuery Table

After creating the BigQuery connection, specify the details of the table you want to monitor:
  • BigQuery Project: Enter the project name or select it from the dropdown list
  • BigQuery Dataset: Enter the dataset name or select it from the dropdown list
  • BigQuery Table: Enter the name of the table you want to monitor
  • Data Source Name: A descriptive name for this data source
If your table contains predictions/results from ML classification, you can configure additional ML-specific options:
  • Class Names: Select the columns that contain class labels or prediction outputs
  • Feature Names: Select the columns that represent input features for your ML model
  • Categorical Feature Names: Select columns that contain categorical data
These ML-specific configurations enable Openlayer to run specialized tests for model performance, data drift, and other ML-focused evaluations.

Troubleshooting

Permission Errors

If you encounter permission errors:
Error: User does not have permission to access BigQuery
Solution: Verify that both bigquery.jobUser and bigquery.dataViewer roles are granted to your service account.

Impersonation Failures

If service account impersonation fails:
Error: Failed to impersonate service account
Solution: Ensure the iam.serviceAccountTokenCreator role is granted to Openlayer’s service account on your service account.

Support

Need help with your BigQuery integration? Contact our support team or check out our troubleshooting guide.