BigQuery Data Graph Setup

Set up your BigQuery data warehouse to Segment for the Data Graph.

Step 1: Roles and permissions

To set the roles and permissions:

1. Navigate to IAM & Admin > Service Accounts in BigQuery.
2. Click + Create Service Account to create a new service account.
3. Enter your Service account name and a description of what the account will do.
4. Click Create and Continue.
5. Click + Add another role and add the BigQuery User role.
6. Click Continue, then click Done.
7. Search for the service account you just created.
8. From your service account, click the three dots under Actions and select Manage keys.
9. Navigate to Add Key > Create new key.
10. In the pop-up window, select JSON for the key type, and click Create. The file will download.
11. Copy all the content in the JSON file you created in the previous step, and save it for Step 5.

Step 2: Grant read-only access for the Data Graph

Grant the BigQuery Data Viewer role to the service account at the project level. Make sure to grant read-only access to the Profiles Sync project in case you have a separate project.

To grant read-only access for the Data Graph:

1. Navigate to IAM & Admin > IAM in BigQuery.
2. Search for the service account you just created.
3. From your service account, click the Edit principals pencil.
4. Click ADD ANOTHER ROLE.
5. Select the BigQuery Data Viewer role.
6. Click Save.

(Optional) Step 3: Restrict read-only access

If you want to restrict access to specific datasets, grant the BigQuery Data Viewer role on datasets to the service account. Make sure to grant read-only access to the Profiles Sync dataset.

To restrict read-only access:

1. In the Explorer pane in BigQuery, expand your project and select a dataset.
2. Navigate to Sharing > Permissions.
3. Click Add Principal.
4. Enter your service account in the New principals section.
5. Select the BigQuery Data Viewer role in the Select a role section.
6. Click Save.

You can also run the following command:

GRANT `roles/bigquery.dataViewer` ON SCHEMA `YOUR_DATASET_NAME` TO "serviceAccount:<YOUR SERVICE ACCOUNT EMAIL>";

Step 4: Validate permissions

1. Navigate to IAM & Admin > Service Accounts in BigQuery.
2. Search for the service account you’ve just created.
3. From your service account, click the three dots under Actions and select Manage permissions.
4. Click View Access and click Continue.
5. Select a box with List resources within resource(s) matching your query.
6. Click Analyze, then click Run query.

Step 5: Connect your warehouse to Segment

1. Navigate to Unify > Data Graph in Segment. This should be a Unify space with Profiles Sync already set up.
2. Click Connect warehouse.
3. Select BigQuery as your warehouse type.
4. Enter your warehouse credentials. Segment requires the following settings to connect to your BigQuery warehouse:
   • Service Account Credentials: JSON credentials for a GCP Service Account that has BigQuery read/write access. This is the credential created in Step 1.
   • Data Location: This specifies the primary data location. This can be either region or multi-region.
5. Test your connection, then click Save.

Update user access for Segment Reverse ETL dataset

If you ran Segment Reverse ETL in the project you are configuring as the Segment connection project, a Segment-managed dataset is already created and you need to provide the new Segment user access to the existing dataset.

If you run into an error on the Segment app indicating that the user doesn’t have sufficient privileges on an existing __segment_reverse_etl dataset, grant the BigQuery Data Editor role on the __segment_reverse_etl dataset to the service account . Note that the __segment_reverse_etl dataset is hidden in the console. Run the following SQL command:

GRANT `roles/bigquery.dataEditor` ON SCHEMA `__segment_reverse_etl` TO "serviceAccount:<YOUR SERVICE ACCOUNT EMAIL>";