Configure the Google BigQuery data source
This document explains how to configure the Google BigQuery data source in Grafana.
Before you begin
Before configuring the data source, ensure you have:
- Grafana version: 11.6.0 or later (plugin version 3.x). For older Grafana versions, use plugin version 2.x (requires Grafana 10.4.8+) or 1.x.
- Grafana permissions:
Organization administratorrole to add data sources. - Google Cloud APIs enabled: The following APIs must be enabled in your GCP project:
- Google Cloud credentials: Depending on your authentication method, you need either a service account key file or access to the Google Metadata Server.
Note
Each data source instance connects to a single GCP project. To visualize data from multiple GCP projects, create one data source per project.
Add the data source
To add the Google BigQuery data source:
- Click Connections in the left-side menu.
- Click Add new connection.
- Type
BigQueryin the search bar. - Select Google BigQuery.
- Click Add new data source.
Configure settings
Authentication
Google BigQuery data source supports multiple authentication methods. Choose the method that best fits your deployment environment.
Google Service Account key
Use this method when running Grafana outside of Google Cloud Platform, or when you need explicit credentials.
To configure service account authentication:
- Create a Google Cloud Platform (GCP) Service Account.
- Assign the following roles to the service account:
- BigQuery Data Viewer - Provides read access to BigQuery data
- BigQuery Job User - Allows running BigQuery jobs
- Create and download a JSON key file for the service account.
- In the data source configuration, select Google Service Account Key as the authentication type.
- Upload the JSON key file or paste its contents.
Google Metadata Server
Use this method when running Grafana on a Google Compute Engine (GCE) virtual machine.
When Grafana runs on a GCE virtual machine, it can automatically retrieve the default project ID and authentication token from the metadata server. To use this method:
- Ensure your virtual machine has a service account configured as the default account.
- Assign the service account the BigQuery Data Viewer and BigQuery Job User roles.
- In the data source configuration, select Google Metadata Server as the authentication type.
Service account impersonation
Use service account impersonation when you need to delegate access to BigQuery without distributing service account keys.
To configure service account impersonation:
- Ensure the service account used by the plugin has the
iam.serviceAccounts.getAccessTokenpermission. This permission is included in the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). - Ensure the service account being impersonated has the following roles:
- BigQuery Data Viewer
- BigQuery Job User
- In the data source configuration, enable Service Account Impersonation.
- Enter the email address of the service account to impersonate.
Workload Identity Federation
Use Google Cloud Workload Identity Federation (WIF) to let Grafana users authenticate to BigQuery with an external identity provider (such as Okta or another OIDC provider) instead of a service account key.
Note
This authentication method is available on Grafana Cloud only. Grafana Cloud exchanges the signed-in user’s external OIDC token for a short-lived Google Cloud access token before the request reaches the plugin.
Configuring Workload Identity Federation involves three systems: Google Cloud, your Grafana Cloud stack, and the data source itself.
In Google Cloud
- Create a Workload Identity Pool and Provider that trusts your OIDC identity provider. When configuring the provider, set up attribute mappings so that
google.subjectmaps to the relevant claim from your identity provider (for example,assertion.sub— the exact mapping depends on your provider’s claim format). - Grant the BigQuery permissions needed to run queries. How you grant them depends on whether you use service account impersonation:
- Without impersonation — grant the WIF pool principal directly:
- BigQuery Data Viewer
- BigQuery Job User
- With impersonation — create a service account, grant it those same roles, then grant the WIF pool principal the Service Account Token Creator role on that service account.
- Without impersonation — grant the WIF pool principal directly:
In Grafana Cloud
- Configure your Grafana Cloud stack’s SSO integration against the same OIDC provider, so the signed-in user’s identity is available for Grafana Cloud to exchange for a Google Cloud access token before the request reaches the plugin. Refer to Configure OAuth2 authentication for setup details.
In the data source configuration
Open the BigQuery data source settings and select Workload Identity Federation as the authentication type.
In the Workload Identity Pool Provider field, enter the full resource path of your provider:
projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>Note
Use the project number (a numeric ID such as
123456789), not the project ID (such asmy-project). You can find the project number on the Google Cloud Console home page.If you set up service account impersonation, enter the service account email in the Service account email field. If you granted permissions directly to the WIF pool, leave this blank.
Enter the Default project where your BigQuery queries will run.
Note
Credentials from Workload Identity Federation are tied to the signed-in user’s active session — there is no long-lived credential available to the Grafana backend. This means any feature that runs without a user present will not work, including alerting, scheduled reports, and public dashboards. If you rely on these features, use a service account key (JWT) instead.
Forward OAuth Identity
Use Forward OAuth Identity when you want to use Grafana’s Google OAuth authentication with BigQuery.
To configure Forward OAuth Identity:
- Configure Google OAuth authentication in Grafana.
- Add the following scopes to the OAuth application:
https://www.googleapis.com/auth/bigquery(required)https://www.googleapis.com/auth/drive(optional, for querying Google Sheets data)
- In the data source configuration, select Forward OAuth Identity as the authentication type.
- Enter the Default project where queries run.
Note
Credentials from Forward OAuth Identity are tied to the signed-in user’s active session — there is no long-lived credential available to the Grafana backend. This means any feature that runs without a user present will not work, including alerting, scheduled reports, and public dashboards. If you rely on these features, use a service account key (JWT) instead.
Additional settings
Expand the Additional Settings section to configure optional settings.
Verify the connection
Click Save & test to verify the connection. A successful test displays the message “Data source is working”. If you encounter errors, refer to Troubleshooting.
Provision the data source
You can define the data source in YAML files as part of the Grafana provisioning system. For more information, refer to Provisioning Grafana data sources.
Service account key with private key in secure JSON
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: jwt
clientEmail: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>
tokenUri: https://oauth2.googleapis.com/token
secureJsonData:
privateKey: <PRIVATE_KEY>Service account key with private key path
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: jwt
clientEmail: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>
tokenUri: https://oauth2.googleapis.com/token
privateKeyPath: '/etc/secrets/bigquery.pem'Google Metadata Server
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: gceGoogle Metadata Server with service account impersonation
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: gce
usingImpersonation: true
serviceAccountToImpersonate: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>Workload Identity Federation
Available on Grafana Cloud only.
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: workloadIdentityFederation
workloadIdentityPoolProvider: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>
wifServiceAccountEmail: <SERVICE_ACCOUNT_EMAIL> # optional
defaultProject: <DEFAULT_PROJECT_ID>Forward OAuth Identity
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: forwardOAuthIdentity
defaultProject: <DEFAULT_PROJECT_ID>
oauthPassThru: trueWith additional settings
apiVersion: 1
datasources:
- name: BigQuery
type: grafana-bigquery-datasource
editable: true
enabled: true
jsonData:
authenticationType: jwt
clientEmail: <SERVICE_ACCOUNT_EMAIL>
defaultProject: <DEFAULT_PROJECT_ID>
tokenUri: https://oauth2.googleapis.com/token
processingLocation: US
MaxBytesBilled: 5242880
serviceEndpoint: https://bigquery.googleapis.com/bigquery/v2/
secureJsonData:
privateKey: <PRIVATE_KEY>Provisioning configuration reference
Provision with Terraform
You can provision the data source using the Grafana Terraform provider.
Service account key
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "jwt"
clientEmail = "<SERVICE_ACCOUNT_EMAIL>"
defaultProject = "<DEFAULT_PROJECT_ID>"
tokenUri = "https://oauth2.googleapis.com/token"
})
secure_json_data_encoded = jsonencode({
privateKey = file("path/to/service-account-key.pem")
})
}Google Metadata Server
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "gce"
})
}With service account impersonation
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "gce"
usingImpersonation = true
serviceAccountToImpersonate = "<SERVICE_ACCOUNT_EMAIL>"
defaultProject = "<DEFAULT_PROJECT_ID>"
})
}Workload Identity Federation
Available on Grafana Cloud only.
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "workloadIdentityFederation"
workloadIdentityPoolProvider = "projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>"
wifServiceAccountEmail = "<SERVICE_ACCOUNT_EMAIL>" # optional
defaultProject = "<DEFAULT_PROJECT_ID>"
})
}With additional settings
resource "grafana_data_source" "bigquery" {
type = "grafana-bigquery-datasource"
name = "BigQuery"
json_data_encoded = jsonencode({
authenticationType = "jwt"
clientEmail = "<SERVICE_ACCOUNT_EMAIL>"
defaultProject = "<DEFAULT_PROJECT_ID>"
tokenUri = "https://oauth2.googleapis.com/token"
processingLocation = "US"
MaxBytesBilled = 5242880
serviceEndpoint = "https://bigquery.googleapis.com/bigquery/v2/"
})
secure_json_data_encoded = jsonencode({
privateKey = var.bigquery_private_key
})
}For more information, refer to the Grafana Terraform provider documentation.
Import queries from DoiT International BigQuery plugin
If you previously used the DoiT International BigQuery community plugin, you can import your existing queries into the Grafana BigQuery data source.
To import queries:
- Open the dashboard containing queries from the DoiT International plugin.
- Edit each panel and change the data source to Grafana BigQuery.
- Save the dashboard.
Note
Imported queries are converted to raw SQL queries.


