BigQuery hero Openlayer integrates with Google BigQuery so you can run data quality tests directly on your BigQuery tables. The integration uses Service Account Impersonation, Google’s recommended way to provide secure, auditable, and keyless access.

Prerequisites

To follow this guide, you need:
  • A GCP project with BigQuery enabled
  • Permissions to create a service account and assign roles in your project
  • An Openlayer project with monitoring mode enabled

Setup Guide

Step 1: Create a service account

Create a dedicated service account in your GCP project for Openlayer to use: 
# Set your project ID
export PROJECT_ID="your-project-id"

# Create the service account
gcloud iam service-accounts create openlayer-bigquery \
  --project=$PROJECT_ID \
  --description="BigQuery access for Openlayer" \
  --display-name="Openlayer BigQuery Access"

Step 2: Grant required roles

Grant the following roles to the new service account:
  • roles/bigquery.jobUser: run queries
  • roles/bigquery.dataViewer: read table data
  • roles/bigquery.metadataViewer: read metadata
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.jobUser"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.dataViewer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.metadataViewer"

Step 3: Allow Openlayer to impersonate your service account

Grant Openlayer’s service account permission to impersonate yours: 
gcloud iam service-accounts add-iam-policy-binding \
  openlayer-bigquery@$PROJECT_ID.iam.gserviceaccount.com \
  --member="serviceAccount:impersonator@unbox-ai.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator"
This ensures Openlayer can act as your service account without exchanging keys.

Step 4: Connect inside Openlayer

In your Openlayer workspace:
  1. Go to Data sources and select BigQuery.
  2. Click Connect.
  3. Fill in the fields:
  • Target principal: your service account email (e.g. openlayer-bigquery@your-project-id.iam.gserviceaccount.com)
  • Billing project: your GCP project ID (where query costs are billed)
  • Name: a descriptive label for this connection
Configure BigQuery connection

Step 5: Configure your table

After the connection is created, configure the table you want to monitor:
  • Project: GCP project containing the table
  • Dataset: dataset name
  • Table: table name
  • Data source name: a descriptive name for this table in Openlayer
Configure BigQuery table

Optional: ML-specific settings

If the table contains ML outputs, you can provide additional context:
  • Class names
  • Feature names
  • Categorical feature names
These let Openlayer run model-aware tests, such as drift or performance monitoring.

Troubleshooting

  • Permission errors → confirm the roles above are granted to your service account
  • Impersonation errors → ensure roles/iam.serviceAccountTokenCreator is granted to Openlayer’s service account