BigQuery Data Graph Setup
Unify requires a Business tier account and is included with Engage.
See the available plans, or contact Support.
BigQuery for Data Graph is in beta and Segment is actively working on this feature. Some functionality may change before it becomes generally available. This feature is governed by Segment’s First Access and Beta Preview Terms.
Set up your BigQuery data warehouse to Segment for the Data Graph.
Step 1: Roles and permissions
You need to be an account admin to set up the Segment BigQuery connector as well as write permissions for the __segment_reverse_etl
dataset.
To set the roles and permissions:
- Navigate to IAM & Admin > Service Accounts in BigQuery.
- Click + Create Service Account to create a new service account.
- Enter your Service account name and a description of what the account will do.
- Click Create and Continue.
- Click + Add another role and add the BigQuery User role.
- Click Continue, then click Done.
- Search for the service account you just created.
- From your service account, click the three dots under Actions and select Manage keys.
- Navigate to Add Key > Create new key.
- In the pop-up window, select JSON for the key type, and click Create. The file will download.
- Copy all the content in the JSON file you created in the previous step, and save it for Step 5.
Step 2: Grant read-only access for the Data Graph
Grant the BigQuery Data Viewer role to the service account at the project level. Make sure to grant read-only access to the Profiles Sync project in case you have a separate project.
To grant read-only access for the Data Graph:
- Navigate to IAM & Admin > IAM in BigQuery.
- Search for the service account you just created.
- From your service account, click the Edit principals pencil.
- Click ADD ANOTHER ROLE.
- Select the BigQuery Data Viewer role.
- Click Save.
(Optional) Step 3: Restrict read-only access
If you want to restrict access to specific datasets, grant the BigQuery Data Viewer role on datasets to the service account. Make sure to grant read-only access to the Profiles Sync dataset.
To restrict read-only access:
- In the Explorer pane in BigQuery, expand your project and select a dataset.
- Navigate to Sharing > Permissions.
- Click Add Principal.
- Enter your service account in the New principals section.
- Select the BigQuery Data Viewer role in the Select a role section.
- Click Save.
You can also run the following command:
GRANT `roles/bigquery.dataViewer` ON SCHEMA `YOUR_DATASET_NAME` TO "serviceAccount:<YOUR SERVICE ACCOUNT EMAIL>";
Step 4: Validate permissions
- Navigate to IAM & Admin > Service Accounts in BigQuery.
- Search for the service account you’ve just created.
- From your service account, click the three dots under Actions and select Manage permissions.
- Click View Access and click Continue.
- Select a box with List resources within resource(s) matching your query.
- Click Analyze, then click Run query.
Step 5: Connect your warehouse to Segment
- Navigate to Unify > Data Graph in Segment. This should be a Unify space with Profiles Sync already set up.
- Click Connect warehouse.
- Select BigQuery as your warehouse type.
- Enter your warehouse credentials. Segment requires the following settings to connect to your BigQuery warehouse:
- Service Account Credentials: JSON credentials for a GCP Service Account that has BigQuery read/write access. This is the credential created in Step 1.
- Data Location: This specifies the primary data location. This can be either region or multi-region.
- Test your connection, then click Save.
Update user access for Segment Reverse ETL dataset
If you ran Segment Reverse ETL in the project you are configuring as the Segment connection project, a Segment-managed dataset is already created and you need to provide the new Segment user access to the existing dataset.
If you run into an error on the Segment app indicating that the user doesn’t have sufficient privileges on an existing __segment_reverse_etl
dataset, grant the BigQuery Data Editor role on the __segment_reverse_etl
dataset to the service account . Note that the __segment_reverse_etl
dataset is hidden in the console. Run the following SQL command:
GRANT `roles/bigquery.dataEditor` ON SCHEMA `__segment_reverse_etl` TO "serviceAccount:<YOUR SERVICE ACCOUNT EMAIL>";
This page was last modified: 04 Nov 2024
Need support?
Questions? Problems? Need more info? Contact Segment Support for assistance!