11 KiB
| title | slug |
|---|---|
| Run the BigQuery Connector Externally | /connectors/database/bigquery/yaml |
{% connectorDetailsHeader name="BigQuery" stage="PROD" platform="OpenMetadata" availableFeatures=["Metadata", "Query Usage", "Lineage", "Column-level Lineage", "Data Profiler", "Data Quality", "dbt", "Tags", "Stored Procedures"] unavailableFeatures=["Owners"] / %}
In this section, we provide guides and references to use the BigQuery connector.
Configure and schedule BigQuery metadata and profiler workflows from the OpenMetadata UI:
{% partial file="/v1.4/connectors/external-ingestion-deployment.md" /%}
Requirements
Python Requirements
{% partial file="/v1.4/connectors/python-requirements.md" /%}
To run the BigQuery ingestion, you will need to install:
pip3 install "openmetadata-ingestion[bigquery]"
GCP Permissions
To execute metadata extraction and usage workflow successfully the user or the service account should have enough access to fetch required data. Following table describes the minimum required permissions
{% multiTablesWrapper %}
| # | GCP Permission | Required For |
|---|---|---|
| 1 | bigquery.datasets.get | Metadata Ingestion |
| 2 | bigquery.tables.get | Metadata Ingestion |
| 3 | bigquery.tables.getData | Metadata Ingestion |
| 4 | bigquery.tables.list | Metadata Ingestion |
| 5 | resourcemanager.projects.get | Metadata Ingestion |
| 6 | bigquery.jobs.create | Metadata Ingestion |
| 7 | bigquery.jobs.listAll | Metadata Ingestion |
| 8 | bigquery.routines.get | Stored Procedure |
| 9 | bigquery.routines.list | Stored Procedure |
| 10 | datacatalog.taxonomies.get | Fetch Policy Tags |
| 11 | datacatalog.taxonomies.list | Fetch Policy Tags |
| 12 | bigquery.readsessions.create | Bigquery Usage & Lineage Workflow |
| 13 | bigquery.readsessions.getData | Bigquery Usage & Lineage Workflow |
{% /multiTablesWrapper %}
{% note %}
If the user has External Tables, please attach relevant permissions needed for external tables, alongwith the above list of permissions.
{% /note %}
{% tilesContainer %} {% tile icon="manage_accounts" title="Create Custom GCP Role" description="Checkout this documentation on how to create a custom role and assign it to the service account." link="/connectors/database/bigquery/create-credentials" / %} {% /tilesContainer %}
Metadata Ingestion
1. Define the YAML Config
This is a sample config for BigQuery:
{% codePreview %}
{% codeInfoContainer %}
Source Configuration - Service Connection
{% codeInfo srNumber=1 %}
hostPort: BigQuery APIs URL. By default the API URL is bigquery.googleapis.com you can modify this if you have custom implementation of BigQuery.
credentials:
You can authenticate with your bigquery instance using either GCP Credentials Path where you can specify the file path of the service account key or you can pass the values directly by choosing the GCP Credentials Values from the service account key file.
You can checkout this documentation on how to create the service account keys and download it.
gcpConfig:
1. Passing the raw credential values provided by BigQuery. This requires us to provide the following information, all provided by BigQuery:
- type: Credentials Type is the type of the account, for a service account the value of this field is
service_account. To fetch this key, look for the value associated with thetypekey in the service account key file. - projectId: A project ID is a unique string used to differentiate your project from all others in Google Cloud. To fetch this key, look for the value associated with the
project_idkey in the service account key file. You can also pass multiple project id to ingest metadata from different BigQuery projects into one service. - privateKeyId: This is a unique identifier for the private key associated with the service account. To fetch this key, look for the value associated with the
private_key_idkey in the service account file. - privateKey: This is the private key associated with the service account that is used to authenticate and authorize access to BigQuery. To fetch this key, look for the value associated with the
private_keykey in the service account file. - clientEmail: This is the email address associated with the service account. To fetch this key, look for the value associated with the
client_emailkey in the service account key file. - clientId: This is a unique identifier for the service account. To fetch this key, look for the value associated with the
client_idkey in the service account key file. - authUri: This is the URI for the authorization server. To fetch this key, look for the value associated with the
auth_urikey in the service account key file. The default value to Auth URI is https://accounts.google.com/o/oauth2/auth. - tokenUri: The Google Cloud Token URI is a specific endpoint used to obtain an OAuth 2.0 access token from the Google Cloud IAM service. This token allows you to authenticate and access various Google Cloud resources and APIs that require authorization. To fetch this key, look for the value associated with the
token_urikey in the service account credentials file. Default Value to Token URI is https://oauth2.googleapis.com/token. - authProviderX509CertUrl: This is the URL of the certificate that verifies the authenticity of the authorization server. To fetch this key, look for the value associated with the
auth_provider_x509_cert_urlkey in the service account key file. The Default value for Auth Provider X509Cert URL is https://www.googleapis.com/oauth2/v1/certs - clientX509CertUrl: This is the URL of the certificate that verifies the authenticity of the service account. To fetch this key, look for the value associated with the
client_x509_cert_urlkey in the service account key file.
2. Passing a local file path that contains the credentials:
- gcpCredentialsPath
Taxonomy Project ID (Optional): Bigquery uses taxonomies to create hierarchical groups of policy tags. To apply access controls to BigQuery columns, tag the columns with policy tags. Learn more about how yo can create policy tags and set up column-level access control here
If you have attached policy tags to the columns of table available in Bigquery, then OpenMetadata will fetch those tags and attach it to the respective columns.
In this field you need to specify the id of project in which the taxonomy was created.
Taxonomy Location (Optional): Bigquery uses taxonomies to create hierarchical groups of policy tags. To apply access controls to BigQuery columns, tag the columns with policy tags. Learn more about how yo can create policy tags and set up column-level access control here
If you have attached policy tags to the columns of table available in Bigquery, then OpenMetadata will fetch those tags and attach it to the respective columns.
In this field you need to specify the location/region in which the taxonomy was created.
Usage Location (Optional):
Location used to query INFORMATION_SCHEMA.JOBS_BY_PROJECT to fetch usage data. You can pass multi-regions, such as us or eu, or your specific region such as us-east1. Australia and Asia multi-regions are not yet supported.
- If you prefer to pass the credentials file, you can do so as follows:
credentials:
gcpConfig: <path to file>
- If you want to use ADC authentication for BigQuery you can just leave the GCP credentials empty. This is why they are not marked as required.
...
config:
type: BigQuery
credentials:
gcpConfig: {}
...
{% /codeInfo %}
{% partial file="/v1.4/connectors/yaml/database/source-config-def.md" /%}
{% partial file="/v1.4/connectors/yaml/ingestion-sink-def.md" /%}
{% partial file="/v1.4/connectors/yaml/workflow-config-def.md" /%}
Advanced Configuration
{% codeInfo srNumber=2 %}
Connection Options (Optional): Enter the details for any additional connection options that can be sent to database during the connection. These details must be added as Key-Value pairs.
{% /codeInfo %}
{% codeInfo srNumber=3 %}
Connection Arguments (Optional): Enter the details for any additional connection arguments such as security or protocol configs that can be sent to database during the connection. These details must be added as Key-Value pairs.
- In case you are using Single-Sign-On (SSO) for authentication, add the
authenticatordetails in the Connection Arguments as a Key-Value pair as follows:"authenticator" : "sso_login_url"
{% /codeInfo %}
{% /codeInfoContainer %}
{% codeBlock fileName="filename.yaml" %}
source:
type: bigquery
serviceName: "<service name>"
serviceConnection:
config:
type: BigQuery
credentials:
gcpConfig:
type: service_account
projectId: project-id # ["project-id-1", "project-id-2"]
privateKeyId: abc123
privateKey: |
-----BEGIN PRIVATE KEY-----
Super secret key
-----END PRIVATE KEY-----
clientEmail: role@project.iam.gserviceaccount.com
clientId: 1234
# authUri: https://accounts.google.com/o/oauth2/auth (default)
# tokenUri: https://oauth2.googleapis.com/token (default)
# authProviderX509CertUrl: https://www.googleapis.com/oauth2/v1/certs (default)
clientX509CertUrl: https://www.googleapis.com/robot/v1/metadata/x509/role%40project.iam.gserviceaccount.com
# taxonomyLocation: us
# taxonomyProjectID: ["project-id-1", "project-id-2"]
# usageLocation: us
# connectionOptions:
# key: value
# connectionArguments:
# key: value
{% partial file="/v1.4/connectors/yaml/database/source-config.md" /%}
{% partial file="/v1.4/connectors/yaml/ingestion-sink.md" /%}
{% partial file="/v1.4/connectors/yaml/workflow-config.md" /%}
{% /codeBlock %}
{% /codePreview %}
{% partial file="/v1.4/connectors/yaml/ingestion-cli.md" /%}
{% partial file="/v1.4/connectors/yaml/query-usage.md" variables={connector: "bigquery"} /%}
{% partial file="/v1.4/connectors/yaml/lineage.md" variables={connector: "bigquery"} /%}
{% partial file="/v1.4/connectors/yaml/data-profiler.md" variables={connector: "bigquery"} /%}
{% partial file="/v1.4/connectors/yaml/data-quality.md" /%}
dbt Integration
You can learn more about how to ingest dbt models' definitions and their lineage here.