Connecting to Google BigQuery
Kyomi supports three authentication methods for BigQuery. Choose the one that best fits your organization's security requirements.
Which authentication method should I use?
| Method | Best For | Setup Complexity |
|---|---|---|
| Kyomi OAuth | Individuals, small teams | Easy - just click "Connect with Google" |
| Service Account | Shared team access, automation | Medium - create key in GCP Console |
| Enterprise OAuth | Organizations with Google Workspace | Advanced - configure OAuth consent screen |
Method 1: Kyomi OAuth
The simplest way to connect - sign in with your Google account and authorize Kyomi to access BigQuery.
Setup Steps
- In the datasource modal, select BigQuery as the datasource type
- Choose Kyomi OAuth as the authentication method (this is the default)
- Click Connect with Google
- Sign in with your Google account and grant the requested permissions
- Select your Billing Project (the GCP project that will be charged for queries)
- Optionally select a Default Project for queries
- Click Save
Note
Your Google account must have the necessary BigQuery permissions (e.g., bigquery.jobs.create, bigquery.tables.getData) in the projects you want to query.
Method 2: Service Account
Use a service account for shared, credential-based access. All workspace users will use the same service account.
Prerequisites
- Access to the Google Cloud Console
- Permission to create service accounts in your GCP project
Step 1: Create a Service Account
- Go to IAM & Admin → Service Accounts
- Click Create Service Account
- Enter a name (e.g., "kyomi-bigquery-access")
- Click Create and Continue
- Grant the following roles:
  - BigQuery Data Viewer - to read table data
  - BigQuery Job User - to run queries
  - BigQuery Metadata Viewer - to browse schemas (optional but recommended)
- Click Done
Step 2: Create a Key
- Click on the service account you just created
- Go to the Keys tab
- Click Add Key → Create new key
- Select JSON format
- Click Create - the key file will download automatically
Security
Keep this JSON file secure. Anyone with this file has access to your BigQuery data. The key is encrypted at rest when stored in Kyomi.
Step 3: Configure in Kyomi
- In the datasource modal, select BigQuery as the datasource type
- Choose Service Account as the authentication method
- Upload the JSON key file or paste its contents
- Click Validate & Discover Projects to verify credentials and load available projects
- Select your Billing Project and Default Project
- Click Save
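Because every workspace user shares this service account, it is worth confirming that it holds only the roles listed in Step 1. The following is an added example, not Kyomi's or Google's code: it reads the identity from a JSON key and audits a project IAM policy in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The project name, sample key and sample policy are constructed for illustration.

```python
import json

# Role IDs for the roles listed in Step 1; Metadata Viewer is optional there.
REQUIRED = {"roles/bigquery.dataViewer", "roles/bigquery.jobUser"}
OPTIONAL = {"roles/bigquery.metadataViewer"}


def key_identity(key_json: str) -> str:
    """Return the service account email that a JSON key authenticates as."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return key["client_email"]


def audit_roles(policy: dict, sa_email: str) -> dict:
    """Compare project-level roles bound to the account with the Step 1 list."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    return {
        "missing": sorted(REQUIRED - granted),            # queries will fail
        "excess": sorted(granted - REQUIRED - OPTIONAL),  # beyond read-only use
    }


# Constructed sample inputs: not real credentials, not a real project.
SA = "kyomi-bigquery-access@example-project.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "<redacted>",
    "client_email": SA,
})
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/bigquery.dataViewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/bigquery.jobUser",
         "members": ["user:analyst@example.com", f"serviceAccount:{SA}"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
    ]
}

if __name__ == "__main__":
    email = key_identity(SAMPLE_KEY)
    print(email, audit_roles(SAMPLE_POLICY, email))
```

Any role reported under `excess` widens what a leaked key file can do, so remove it before uploading the key.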
Method 3: Enterprise OAuth
Configure your own OAuth client for branded consent screens and per-user audit trails. This method requires Google Cloud Console access and is typically set up by IT administrators.
Prerequisites
- Google Cloud project with BigQuery API enabled
- Permission to configure OAuth consent screens and create OAuth clients
- Domain ownership for production OAuth apps (or use internal-only apps for Google Workspace)
Step 1: Configure OAuth Consent Screen
- Go to APIs & Services → OAuth consent screen
- Select Internal (for Google Workspace organizations) or External
- Fill in your app information:
  - App name: Your company name or "Kyomi Analytics"
  - User support email: Your IT support email
  - Authorized domains: Add your company domain
- Add scopes:
  - https://www.googleapis.com/auth/bigquery
  - https://www.googleapis.com/auth/cloud-platform.read-only (for project listing)
- Complete the consent screen setup
Step 2: Create OAuth Client
- Go to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Select Web application
- Add authorized redirect URI:
https://app.kyomi.ai/auth/oauth/bigquery-enterprise/callback
- Click Create and copy the Client ID and Client Secret
Step 3: Configure in Kyomi
- In the datasource modal, select BigQuery as the datasource type
- Choose Enterprise OAuth as the authentication method
- Enter the Client ID and Client Secret
- Save the connection settings
- Each user will need to click Connect with Google to authenticate
Troubleshooting
"Access Denied" or "Permission Denied" errors
- Verify your account has the required BigQuery roles in the GCP project
- For service accounts, ensure the roles are granted at the project level
- Check that the BigQuery API is enabled in your GCP project
OAuth consent screen shows "unverified app" warning
- For internal apps: Use the "Internal" user type in OAuth consent screen settings
- For external apps: Submit your app for Google verification, or users can click "Advanced" → "Go to [app]"
Can't see all projects in the dropdown
- Your account needs resourcemanager.projects.get permission on the projects
- Try typing the project ID directly if you know it