Configure the Google BigQuery data source
This document explains how to configure the Google BigQuery data source in Grafana.
Before you begin
Before configuring the data source, ensure you have:
- Grafana version: 11.6.0 or later (plugin version 3.x). For older Grafana versions, use plugin version 2.x (requires Grafana 10.4.8+) or 1.x.
- Grafana permissions:
Organization administratorrole to add data sources. - Google Cloud APIs enabled: The following APIs must be enabled in your GCP project:
- Google Cloud credentials: Depending on your authentication method, you need either a service account key file or access to the Google Metadata Server.
Note
Each data source instance connects to a single GCP project. To visualize data from multiple GCP projects, create one data source per project.
Add the data source
To add the Google BigQuery data source:
- Click Connections in the left-side menu.
- Click Add new connection.
- Type
BigQueryin the search bar. - Select Google BigQuery.
- Click Add new data source.
Configure settings
Authentication
Google BigQuery data source supports multiple authentication methods. Choose the method that best fits your deployment environment.
Google Service Account key
Use this method when running Grafana outside of Google Cloud Platform, or when you need explicit credentials.
To configure service account authentication:
- Create a Google Cloud Platform (GCP) Service Account.
- Assign the following roles to the service account:
- BigQuery Data Viewer - Provides read access to BigQuery data
- BigQuery Job User - Allows running BigQuery jobs
- Create and download a JSON key file for the service account.
- In the data source configuration, select Google Service Account Key as the authentication type.
- Upload the JSON key file or paste its contents.
Google Metadata Server
Use this method when running Grafana on a Google Compute Engine (GCE) virtual machine.
When Grafana runs on a GCE virtual machine, it can automatically retrieve the default project ID and authentication token from the metadata server. To use this method:
- Ensure your virtual machine has a service account configured as the default account.
- Assign the service account the BigQuery Data Viewer and BigQuery Job User roles.
- In the data source configuration, select Google Metadata Server as the authentication type.
Service account impersonation
Use service account impersonation when you need to delegate access to BigQuery without distributing service account keys.
To configure service account impersonation:
- Ensure the service account used by the plugin has the
iam.serviceAccounts.getAccessTokenpermission. This permission is included in the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). - Ensure the service account being impersonated has the following roles:
- BigQuery Data Viewer
- BigQuery Job User
- In the data source configuration, enable Service Account Impersonation.
- Enter the email address of the service account to impersonate.
Forward OAuth Identity
Use Forward OAuth Identity when you want to use Grafana’s Google OAuth authentication with BigQuery.
To configure Forward OAuth Identity:
- Configure Google OAuth authentication in Grafana.
- Add the following scopes to the OAuth application:
https://www.googleapis.com/auth/bigquery(required)https://www.googleapis.com/auth/drive(optional, for querying Google Sheets data)
- In the data source configuration, select Forward OAuth Identity as the authentication type.
- Enter the Default project where queries run.
Note
Some Grafana features don’t function as expected with Forward OAuth Identity, including alerting. Grafana backend features require credentials to always be in scope, which isn’t the case with this authentication method.
Additional settings
Expand the Additional Settings section to configure optional settings.
Verify the connection
Click Save & test to verify the connection. A successful test displays the message “Data source is working”. If you encounter errors, refer to Troubleshooting.
Provision the data source
You can define the data source in YAML files as part of the Grafana provisioning system. For more information, refer to Provisioning Grafana data sources.
Service account key with private key in secure JSON
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: jwt
clientEmail: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>
tokenUri: https://oauth2.googleapis.com/token
secureJsonData:
privateKey: <PRIVATE_KEY>Service account key with private key path
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: jwt
clientEmail: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>
tokenUri: https://oauth2.googleapis.com/token
privateKeyPath: '/etc/secrets/bigquery.pem'Google Metadata Server
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: gceGoogle Metadata Server with service account impersonation
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: gce
usingImpersonation: true
serviceAccountToImpersonate: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>Forward OAuth Identity
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: forwardOAuthIdentity
defaultProject: <DEFAULT_PROJECT_ID>
oauthPassThru: trueWith additional settings
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: jwt
clientEmail: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>
tokenUri: https://oauth2.googleapis.com/token
processingLocation: US
MaxBytesBilled: 5242880
serviceEndpoint: https://bigquery.googleapis.com/bigquery/v2/
secureJsonData:
privateKey: <PRIVATE_KEY>Provisioning configuration reference
Provision with Terraform
You can provision the data source using the Grafana Terraform provider.
Service account key
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "jwt"
clientEmail = "<SERVICE_ACCOUNT_EMAIL>"
defaultProject = "<DEFAULT_PROJECT_ID>"
tokenUri = "https://oauth2.googleapis.com/token"
})
secure_json_data_encoded = jsonencode({
privateKey = file("path/to/service-account-key.pem")
})
}Google Metadata Server
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "gce"
})
}With service account impersonation
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "gce"
usingImpersonation = true
serviceAccountToImpersonate = "<SERVICE_ACCOUNT_EMAIL>"
defaultProject = "<DEFAULT_PROJECT_ID>"
})
}With additional settings
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "jwt"
clientEmail = "<SERVICE_ACCOUNT_EMAIL>"
defaultProject = "<DEFAULT_PROJECT_ID>"
tokenUri = "https://oauth2.googleapis.com/token"
processingLocation = "US"
MaxBytesBilled = 5242880
serviceEndpoint = "https://bigquery.googleapis.com/bigquery/v2/"
})
secure_json_data_encoded = jsonencode({
privateKey = var.bigquery_private_key
})
}For more information, refer to the Grafana Terraform provider documentation.
Import queries from DoiT International BigQuery plugin
If you previously used the DoiT International BigQuery community plugin, you can import your existing queries into the Grafana BigQuery data source.
To import queries:
- Open the dashboard containing queries from the DoiT International plugin.
- Edit each panel and change the data source to Grafana BigQuery.
- Save the dashboard.
Note
Imported queries are converted to raw SQL queries.
