Create a Connection to Google BigQuery
You can use Google BigQuery as a data source with Privitar Data Security Platform.
To connect to Google BigQuery, you must:
Meet the Google BigQuery Connection Prerequisites
Before you connect to Google BigQuery, you must:
- Have a Google account
- Set credentials appropriate for the type of authentication you're using.
  - See our instructions here: Authenticate to Google BigQuery
  - See Google's instructions here: https://cloud.google.com/storage/docs/authentication.
- Set permissions for your BigQuery and Google Cloud accounts
Build a Google BigQuery Connection String
To build a Google BigQuery connection string, follow the instructions in the Google BigQuery documentation.
The following is an example of a complete Google BigQuery connection string:
jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;ProjectId=privitar-123456;OauthType=3;EnableSession=1;Location=europe-west2;
The following table includes descriptions of some of the important segments.
Note
These descriptions assume that you are using one of the official drivers for BigQuery. Consult the Google BigQuery documentation for more information about drivers.
String Segment | Description |
---|---|
| The host name is the URL to Google's BigQuery web services API. |
| The port number is |
| The name of the Google BigQuery project (not a project within the Privitar Data Security Platform), for example |
| Add the number corresponding to the Oauth type. |
| If you are using a service account key file to authenticate, include the path to the secrets file. (See "Service Account Key File" under Authenticate to Google BigQuery.) |
| Enter |
| Enter the location for your Google BigQuery container (see https://cloud.google.com/bigquery/docs/locations). |
Authenticate to Google BigQuery
Important
Google BigQuery does not support username/password authentication methods. For this reason, leave the Username and Password fields empty on the Connections page.
The Privitar Data Security Platform currently supports the following types of authentication:
Service Account Key File
Pass in a path to a secrets file accessible by data plane services as part of the JDBC connection string. For example:
jdbc:bigquery:<host>;ProjectId=<projectId>;OAuthPvtKeyPath=[pathToSecretsFile];...
Ensure that the secrets file is in JSON format and contains the private key and certificates. For example:
{
  "type": "service_account",
  "project_id": <PROJECT_ID>,
  "private_key_id": <PRIVATE_KEY_ID>,
  "private_key": <PRIVATE_KEY>,
  "client_email": <EMAIL>,
  "client_id": "101273788015860915068",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": <CERTS_URL>
}
In your JDBC connection string, set up the correct Oauth type in accordance with your configuration. For example, OauthType=0.
Workload Identity
Set up Workload Identity on your GKE cluster, granting access from the data proxy pods to Google BigQuery as described in the Google BigQuery documentation.
In your JDBC connection string, set up the correct Oauth type in accordance with your configuration. For example, OauthType=3.
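A pre-deployment check for the two authentication setups described above, as an added example (not Privitar or Google code): it parses the connection string, confirms that OauthType=0 comes with a well-formed secrets file that group and other users cannot read, and flags a key path left behind next to OauthType=3. The function names, the owner-only file-mode policy, and the sample key and URL are assumptions of this example.

```python
# Added example; helper names and the owner-only mode policy are assumptions.
import json, os, stat, tempfile

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
SAMPLE_KEY = {"type": "service_account", "project_id": "example-project",  # constructed
              "private_key_id": "PLACEHOLDER", "private_key": "PLACEHOLDER",
              "client_email": "sa@example-project.iam.gserviceaccount.com"}
SAMPLE_URL = "jdbc:bigquery://host:443;ProjectId=example-project;OauthType=0;OAuthPvtKeyPath="

def parse_props(url):
    """Return the ;Key=Value segments of the JDBC string with lowercased keys."""
    if not url.startswith("jdbc:bigquery:"):
        raise ValueError("not a BigQuery JDBC connection string")
    pairs = (seg.split("=", 1) for seg in url.split(";")[1:] if "=" in seg)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_key_file(path):
    """Findings for the secrets file named by OAuthPvtKeyPath."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            key = dict(json.load(fh))  # raises unless the file holds a JSON object
    except (OSError, ValueError, TypeError) as exc:
        return [f"secrets file unusable: {exc}"]
    findings = [f"secrets file mode {mode:o} is open to group/other"] if mode & 0o077 else []
    if key.get("type") != "service_account":
        findings.append("secrets file type is not service_account")
    findings += [f"secrets file lacks {name}" for name in REQUIRED if not key.get(name)]
    return findings

def check_connection(url):
    """Cross-check OauthType against the rest of the connection string."""
    props = parse_props(url)
    findings = [] if props.get("projectid") else ["ProjectId is missing"]
    oauth, key_path = props.get("oauthtype"), props.get("oauthpvtkeypath")
    if oauth == "0":
        findings += check_key_file(key_path) if key_path else ["OauthType=0 needs OAuthPvtKeyPath"]
    elif oauth == "3" and key_path:
        findings.append("OauthType=3 set, but a leftover OAuthPvtKeyPath is present")
    elif oauth not in ("0", "3"):
        findings.append(f"OauthType={oauth} is not one of the values shown on this page")
    return findings

def demo(mode):
    """Check SAMPLE_URL against the constructed key stored with the given file mode."""
    with tempfile.NamedTemporaryFile("w", suffix=".json") as fh:
        json.dump(SAMPLE_KEY, fh)
        fh.flush()
        os.chmod(fh.name, mode)
        return check_connection(SAMPLE_URL + fh.name)
```

An empty list means the string and its key file are consistent; `demo(0o644)` shows the finding produced when the key file is readable beyond its owner.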