Set up BigQuery Lens

Before you begin

BigQuery Lens needs specific permissions at the organization level. See BigQuery Lens permissions for details.

Set up BigQuery Lens

To set up BigQuery Lens:

  1. Connect your Google Cloud Organization to the DoiT platform. Make sure to allow service account impersonation when configuring identities for DoiT workloads.

  2. Update your service account to grant the permissions required by BigQuery Lens. If you have workloads on BigQuery editions, also grant the permissions for BigQuery Lens Editions.

    BigQuery Lens Insights permissions allow DoiT Insights to generate actionable recommendations about your BigQuery usage. They do not directly relate to the BigQuery Lens setup and can be enabled later.

    Note

    In the current implementation, BigQuery Lens works with a single service account. If you grant permissions to multiple service accounts, BigQuery Lens works only for the first one.

Once set up, BigQuery Lens backfills historical data for the last 30 days and starts gathering information about your Google Cloud BigQuery usage patterns. It can take up to 24 hours to fully populate the BigQuery Lens dashboard with statistics and recommendations.

VPC Service Controls

If you deploy VPC Service Controls in your environment, you need to configure it at the organization level to allow context-aware access from BigQuery Lens:

  1. Create an access policy.

    1. In the Google Cloud console, navigate to Access Context Manager. If prompted, select your organization.

    2. Create a basic access level with the following settings:

      1. In the Access level title field, enter DoiT Console Access.

      2. Select Basic mode.

      3. For the When condition is met, return option, select TRUE.

      4. In the Conditions section, select Add attribute, IP Subnetworks, and then in the IP Subnetworks box, select Private IP.

      5. Choose Select VPC networks, in the Import options list, select Manually enter VPC network address, and then enter //compute.googleapis.com/projects/me-doit-intl-com/global/networks/doit-vpc-ca4b552.

      6. Save the configuration.

  2. Create a service perimeter to allow access to the following APIs:

    • BigQuery Reservation API
    • BigQuery API
    • BigQuery Data Policy API
    • BigQuery Data Transfer API
    • BigQuery Migration API
    • Cloud Logging API

  3. In the Access level pane, add the DoiT Console Access access policy created in step 1.

  4. In the Ingress policy pane, add a new rule for the log sink writer identity:

    1. FROM: Select Identities & groups, and then select the identity of the org log sink writer (update the ORG_ID): [email protected].

    2. TO: Select Projects, and then select the project of your DoiT console service account (aeo-ipt-svc-accounts).

    3. For the Selected service BigQuery API, select all methods.
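
The following is an added example, not DoiT's code: a check that an exported perimeter matches steps 3 and 4 above and that the ingress rule is no broader than documented. It assumes the JSON shape produced by `gcloud access-context-manager perimeters describe --format=json`; the access level name, writer identity and project number in the sample are constructed placeholders.

```python
# Added example: audits an exported perimeter against steps 3 and 4 above.
# Input shape: `gcloud access-context-manager perimeters describe --format=json`.
BIGQUERY = "bigquery.googleapis.com"

# Constructed sample, trimmed to the fields checked. Every identifier below is
# a placeholder. Perimeters list projects by number, not by project ID.
LEVEL = "accessPolicies/000000/accessLevels/doit_console_access"
WRITER = "serviceAccount:SINK_WRITER_PLACEHOLDER"
PROJECT = "projects/000000000000"
SAMPLE = {
    "status": {
        "accessLevels": [LEVEL],
        "ingressPolicies": [{
            "ingressFrom": {"identities": [WRITER]},
            "ingressTo": {
                "resources": [PROJECT],
                "operations": [{"serviceName": BIGQUERY,
                                "methodSelectors": [{"method": "*"}]}],
            },
        }],
    }
}


def check_perimeter(perimeter, level, writer, project):
    """Return findings; an empty list means steps 3 and 4 are satisfied."""
    cfg = perimeter.get("status", {})
    findings = []
    if level not in cfg.get("accessLevels", []):
        findings.append("step 3: access level not attached")
    # Only rules that name the log sink writer identity are evaluated.
    rules = [r for r in cfg.get("ingressPolicies", [])
             if writer in r.get("ingressFrom", {}).get("identities", [])]
    if not rules:
        findings.append("step 4: no ingress rule for the sink writer identity")
    for rule in rules:
        to = rule.get("ingressTo", {})
        resources = to.get("resources", [])
        if "*" in resources:
            findings.append("step 4: rule targets all projects")
        elif project not in resources:
            findings.append("step 4: rule does not target the project")
        methods = [m.get("method") for op in to.get("operations", [])
                   if op.get("serviceName") == BIGQUERY
                   for m in op.get("methodSelectors", [])]
        if "*" not in methods:
            findings.append("step 4: BigQuery API not allowed with all methods")
    return findings


if __name__ == "__main__":
    print(check_perimeter(SAMPLE, LEVEL, WRITER, PROJECT) or "perimeter matches")
```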