Get your CloudLink connection up and running with Google BigQuery. This guide covers security architecture, service account setup, IAM permissions, and configuration steps.

Secure Direct Access

Elementum provides secure, in-place data access to your BigQuery datasets:

Authentication

Service Account credentials permit Elementum access to defined datasets and tables. You retain full control over the data and can terminate access at any time.

In-Place Access

Data stays in your BigQuery project. No data is copied or moved to external systems.

How It Works

Step 1: Google Cloud Side

A specific dataset and defined set of tables with IAM permissions (e.g., read/write, read-only) are configured to enable business processes.

Step 2: Elementum Side

Further access to view the data within Elementum is restricted at the user level through access policies.

Direct Connect Architecture

This connection allows for read/write access and the ability to execute workflows on your data:
Your Google Cloud Project:
  • Contains your data (datasets, tables, views)
  • Grants access to Elementum Service Account with appropriate IAM roles
  • Network policies can restrict access to known Elementum Platform IP addresses

Security Architecture

Data Encryption

At Rest:
  • Service Account JSON encrypted using industry-standard algorithms
  • Credentials encrypted and never returned outside internal system
In Transit:
  • All traffic encrypted using TLS
  • Secure connection via BigQuery API

Access Control

Network Security:
  • VPC Service Controls support
  • Authorized networks configuration
Authentication:
  • Service Account with JSON key
  • IAM-based role permissions

Whitelist Elementum IP Addresses (Optional)

If you use VPC Service Controls or authorized networks, configure them to allow connections from these IP addresses:
  • 44.210.166.136
  • 44.209.114.114
  • 52.72.254.246

Note: BigQuery uses Google’s global network and doesn’t require IP whitelisting by default. IP restrictions are only needed if you’ve configured VPC Service Controls or other network-level restrictions.

Setting up Elementum Access in Google Cloud

Prerequisites

Before starting the setup:
  1. Ensure you have Project Owner or IAM Admin access in Google Cloud
  2. Have the BigQuery API enabled in your project
  3. Identify which datasets and tables need Elementum access
  4. Plan your access level (read-only vs read/write)

Setup Steps Overview

Step 1: Create Service Account

Create a dedicated service account for Elementum access.

Step 2: Create Platform Dataset

Create an empty dataset for Elementum platform operations. This is NOT where your data lives.

Step 3: Grant IAM Roles

Assign appropriate BigQuery roles to the service account.

Step 4: Generate JSON Key

Download the service account key file for authentication.

Run These Steps in Google Cloud Console

Step 1: Create Service Account

Navigate to IAM & Admin > Service Accounts in Google Cloud Console:
  1. Click Create Service Account
  2. Service account name: elementum-cloudlink
  3. Service account ID: elementum-cloudlink (auto-generated)
  4. Description: Service account for Elementum CloudLink integration
  5. Click Create and Continue
You’ll grant roles in the next steps. Click Done to create the service account first.
Step 2: Create Platform Dataset for Elementum

In the BigQuery Console:
  1. Select your project
  2. Click Create Dataset
  3. Dataset ID: elementum_platform
  4. Data location: Same region as your data (e.g., US, EU)
  5. Click Create Dataset
Critical: The elementum_platform dataset is for Elementum’s internal operations. Do NOT put your data tables here. Your data tables should remain in your existing datasets.
Step 3: Grant Service Account Access to Platform Dataset

Grant the service account full access to the platform dataset:
  1. Click on the elementum_platform dataset
  2. Click Sharing > Permissions
  3. Click Add Principal
  4. Principal: elementum-cloudlink@YOUR_PROJECT.iam.gserviceaccount.com
  5. Role: BigQuery Data Owner
  6. Click Save
Or via gcloud CLI. This form adds a project-level binding whose IAM condition limits it to the platform dataset and the tables inside it (the console steps above grant the same role on the dataset’s own access list):

```bash
# The condition names the dataset exactly and, with a trailing slash, its
# tables. A bare startsWith('.../datasets/elementum_platform') would also
# match any other dataset whose ID begins with elementum_platform.
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:elementum-cloudlink@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.dataOwner" \
  --condition="expression=resource.name == 'projects/YOUR_PROJECT_ID/datasets/elementum_platform' || resource.name.startsWith('projects/YOUR_PROJECT_ID/datasets/elementum_platform/'),title=elementum-platform-access"
```
Step 4: Grant BigQuery Job User Role

The service account needs to run queries:
  1. Go to IAM & Admin > IAM
  2. Find the elementum-cloudlink service account
  3. Click Edit (pencil icon)
  4. Click Add Another Role
  5. Select BigQuery Job User
  6. Click Save
Or via gcloud CLI:

```bash
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:elementum-cloudlink@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.jobUser"
```
Step 5: Grant Access to Your Data Datasets

For each dataset containing data you want to access:
  1. Navigate to your data dataset in BigQuery
  2. Click Sharing > Permissions
  3. Click Add Principal
  4. Principal: elementum-cloudlink@YOUR_PROJECT.iam.gserviceaccount.com
  5. Role: BigQuery Data Editor
  6. Click Save
Or via gcloud CLI:

```bash
# Via gcloud CLI: a project-level binding conditioned on the dataset, the same
# pattern used for the platform dataset. `bq add-iam-policy-binding` operates on
# a single table or view (e.g. YOUR_PROJECT_ID:your_dataset.your_table), not on
# a dataset, so it is not used here.
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:elementum-cloudlink@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/bigquery.dataEditor" \
  --condition="expression=resource.name == 'projects/YOUR_PROJECT_ID/datasets/your_dataset' || resource.name.startsWith('projects/YOUR_PROJECT_ID/datasets/your_dataset/'),title=elementum-your-dataset-access"
```

IAM Roles Reference:

| Role | Permissions |
|---|---|
| BigQuery Data Viewer | Read tables, views, and metadata |
| BigQuery Data Editor | Read, plus insert, update, and delete data |
| BigQuery Data Owner | Full control, including deleting tables |
| BigQuery Job User | Required to run queries |
Step 6: Generate Service Account JSON Key

Download the authentication credentials:
  1. Go to IAM & Admin > Service Accounts
  2. Click on elementum-cloudlink service account
  3. Go to Keys tab
  4. Click Add Key > Create New Key
  5. Select JSON format
  6. Click Create
  7. Save the downloaded JSON file securely
Security: Store this JSON key securely. It provides full access to the permissions you’ve granted. Never commit it to version control or share it publicly.
After completing the Google Cloud setup, configure the connection in Elementum:
Step 1: Navigate to CloudLink Settings

Go to Settings > Cloud Links > Add Connection and select BigQuery.
Step 2: Enter Connection Details

Fill in the connection form:

| Field | Value | Description |
|---|---|---|
| Name | Production BigQuery | Descriptive name for your connection |
| Project ID | your-gcp-project-id | Your Google Cloud project ID |
| Dataset ID | elementum_platform | The empty platform dataset (NOT your data dataset) |
| Location | US or EU | Dataset region (must match platform dataset location) |
| Service Account JSON | {...} | Paste the entire contents of the downloaded JSON key file |
| Read Only | Toggle | Enable for read-only access |

Critical (Dataset ID field): Enter the empty platform dataset you created (e.g., elementum_platform), NOT your data dataset. If you enter your data dataset here, it will be hidden from workflow building and you won’t be able to access your data.
Step 3: Configure Resource Scheduler

Set how frequently Elementum syncs with BigQuery:

| Setting | Default | Description |
|---|---|---|
| Interval | 24 | Number of time units between syncs |
| Time Unit | Hour | Minutes, Hours, or Days |
Cost consideration: More frequent syncs consume more BigQuery query slots. For large datasets, consider longer intervals unless real-time data is required.
Step 4: Test and Save

Click Save to test the connection and save if successful:
  • Validates Service Account JSON format
  • Tests authentication with BigQuery API
  • Verifies dataset access
If saved successfully, your connection is properly configured.
Step 5: Configure Data Access

After saving the connection:
  1. Select Datasets: Choose which datasets to expose in Elementum
  2. Select Tables: Pick specific tables from each dataset
  3. Configure Field Mapping: Map columns to Elementum field types
  4. Set Primary Key: Identify the unique identifier column for each table
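The mistakes called out above (an incomplete key file, a key from a different project, the data dataset typed into the Dataset ID field) can all be caught before clicking Save. The following is an added example, not Elementum's code: a local pre-check of the values you are about to enter in the form. The key file contents are constructed (the private key body is a placeholder), and the function name `check_connection_config` and its arguments are this example's own; Elementum still verifies the credentials against the BigQuery API when you save.

```python
import json

# Constructed sample key file, not a real credential. A real key file carries a
# PEM-encoded RSA private key in private_key; here it is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "my-gcp-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Fields a Google service account key file always contains.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "token_uri")


def check_connection_config(key_json, project_id, dataset_id, data_datasets, location):
    """Return a list of problems with the form values; an empty list means the
    local checks passed. data_datasets is the list of datasets that hold your
    data, so the platform dataset entered as Dataset ID must not be one of them."""
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"Service Account JSON is not valid JSON: {exc}"]

    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        problems.append("Service Account JSON is missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"key type is {key.get('type')!r}, expected 'service_account'")
    if "BEGIN PRIVATE KEY" not in str(key.get("private_key", "")):
        problems.append("private_key does not look like a PEM private key")

    # The key must belong to the project named in the form, and the service
    # account email must be one of that project's accounts.
    if key.get("project_id") != project_id:
        problems.append(f"key belongs to project {key.get('project_id')!r}, form says {project_id!r}")
    expected_suffix = f"@{project_id}.iam.gserviceaccount.com"
    if not str(key.get("client_email", "")).endswith(expected_suffix):
        problems.append(f"client_email does not end with {expected_suffix}")

    # The most common setup error: the data dataset entered as Dataset ID.
    if dataset_id in data_datasets:
        problems.append(f"Dataset ID {dataset_id!r} is one of your data datasets; "
                        "enter the empty platform dataset instead")
    if not location:
        problems.append("Location is empty; it must match the platform dataset's location")
    return problems


if __name__ == "__main__":
    for problem in check_connection_config(SAMPLE_KEY_JSON, "my-gcp-project",
                                           "sales", ["sales", "inventory"], "US"):
        print("problem:", problem)
```

Run it with the real key file contents read from disk and the dataset names from your project; anything it prints corresponds to one of the troubleshooting items further down this page.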

Verification and Testing

After completing the setup, verify everything is working correctly:
Step 1: Test Service Account Access

In Google Cloud Console, verify the service account has the correct permissions:
  1. Go to IAM & Admin > IAM
  2. Find elementum-cloudlink service account
  3. Verify it has:
    • BigQuery Job User at project level
    • BigQuery Data Owner on elementum_platform dataset
    • BigQuery Data Viewer or BigQuery Data Editor on your data datasets
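The same checklist can be run against the project policy instead of eyeballing the IAM page. The following is an added example, not Elementum's code: it consumes the JSON that `gcloud projects get-iam-policy YOUR_PROJECT_ID --format=json` prints, confirms the two project-level bindings this guide creates (Job User unconditioned, Data Owner conditioned on the platform dataset) and flags any data role the service account holds project-wide without a condition, which is broader than the least-privilege grants above. The sample policy is constructed and deliberately includes one such over-broad binding; the function names are this example's own. Roles granted through Sharing > Permissions live in the dataset's own access list, not in the project policy, so this check cannot see them.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# The BigQuery Admin binding is included on purpose so the audit has something to flag.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/bigquery.jobUser",
     "members": ["serviceAccount:elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com"]},
    {"role": "roles/bigquery.dataOwner",
     "members": ["serviceAccount:elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com"],
     "condition": {"title": "elementum-platform-access",
                   "expression": "resource.name == 'projects/my-gcp-project/datasets/elementum_platform' || resource.name.startsWith('projects/my-gcp-project/datasets/elementum_platform/')"}},
    {"role": "roles/bigquery.admin",
     "members": ["serviceAccount:elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com",
                 "user:admin@example.com"]}
  ],
  "etag": "BwXyz123",
  "version": 3
}
""")

# Roles that grant access to data rather than the right to run jobs.
DATA_ROLES = {"roles/bigquery.dataViewer", "roles/bigquery.dataEditor",
              "roles/bigquery.dataOwner", "roles/bigquery.admin"}


def audit_bindings(policy, member, project_id, platform_dataset):
    """Summarise what the project policy grants to one member."""
    platform_name = f"projects/{project_id}/datasets/{platform_dataset}"
    report = {
        "job_user_project_level": False,   # required, and must be unconditional
        "platform_dataset_owner": False,   # dataOwner restricted to the platform dataset
        "unscoped_data_roles": [],         # data roles with no condition: too broad
        "scoped_roles": [],                # (role, condition title) pairs
    }
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        condition = binding.get("condition")
        if condition is None:
            if role == "roles/bigquery.jobUser":
                report["job_user_project_level"] = True
            elif role in DATA_ROLES:
                report["unscoped_data_roles"].append(role)
            continue
        report["scoped_roles"].append((role, condition.get("title", "")))
        if role == "roles/bigquery.dataOwner" and platform_name in condition.get("expression", ""):
            report["platform_dataset_owner"] = True
    return report


def findings(report):
    """Turn the report into the checklist items of this verification step."""
    out = []
    if not report["job_user_project_level"]:
        out.append("missing: BigQuery Job User at project level")
    if not report["platform_dataset_owner"]:
        out.append("missing: BigQuery Data Owner scoped to the platform dataset")
    for role in report["unscoped_data_roles"]:
        out.append(f"too broad: {role} granted project-wide without a condition")
    return out


if __name__ == "__main__":
    member = "serviceAccount:elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com"
    for line in findings(audit_bindings(SAMPLE_POLICY, member, "my-gcp-project", "elementum_platform")):
        print(line)
```

An empty result from `findings` means the project policy matches the guide; a "too broad" line is the signal to replace the unconditioned role with a dataset-scoped grant.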
Step 2: Test Query Access

You can test the service account by authenticating as it with the downloaded key and running a query:

```bash
# Using gcloud CLI
gcloud auth activate-service-account \
  --key-file=path/to/your-key-file.json

# Test query
bq query --use_legacy_sql=false \
  'SELECT COUNT(*) FROM `your_project.your_dataset.your_table`'
```
Step 3: Test in Elementum

  1. Verify the connection shows as Connected in CloudLink settings
  2. Browse to the integrated table in Elementum
  3. Verify data loads correctly
  4. Test creating/updating a record (if write access was granted)

Troubleshooting

Cannot Connect from Elementum:
  • Verify the Service Account JSON is complete and correctly formatted
  • Confirm the project ID matches your GCP project
  • Check that BigQuery API is enabled in the project
  • Verify VPC Service Controls aren’t blocking access (if applicable)
“Permission denied” Error:
  • Ensure BigQuery Job User role is granted at project level
  • Verify the service account email is correct in IAM policies
Tables not visible in Elementum:
  • Most common cause: You entered your data dataset in the Dataset ID field instead of the platform dataset
  • Verify IAM roles are granted on the correct datasets
  • Check that the service account has BigQuery Data Viewer or BigQuery Data Editor on your data datasets
  • Confirm tables exist in the specified datasets
“Access Denied: Table not found” Errors:
  • Verify dataset-level permissions are granted
  • Check that the service account has access to the specific table
  • Ensure the Location in Elementum matches the dataset location
“User does not have permission to run query” Error:
  • Grant BigQuery Job User role at the project level
  • This role is required to execute any queries
Slow Query Performance:
  • Consider using partitioned tables for large datasets
  • Review and optimize query patterns
  • Check BigQuery slot availability
  • Consider reserved slots for consistent performance
High Costs:
  • Increase sync interval to reduce query frequency
  • Use table partitioning and clustering
  • Consider using BigQuery BI Engine for frequently accessed data

Security Best Practices

Principle of Least Privilege

  • Grant only necessary IAM roles to the service account
  • Use BigQuery Data Viewer when write access isn’t required
  • Grant access at dataset level, not project level
  • Regularly audit IAM policies

Network Security

  • Consider VPC Service Controls for sensitive data
  • Use authorized networks if applicable
  • Monitor BigQuery audit logs
  • Set up alerts for unusual access patterns

Key Management

  • Rotate service account keys periodically (recommended: every 90 days)
  • Store keys securely (use Secret Manager in production)
  • Delete unused keys
  • Consider workload identity federation for enhanced security
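The 90-day rotation recommendation is easy to turn into a recurring check. The following is an added example, not Elementum's code: it reads the JSON printed by `gcloud iam service-accounts keys list --iam-account=... --format=json`, skips Google-managed keys (which rotate on their own), and reports user-managed keys older than the threshold. The three key entries are constructed with placeholder key IDs; the function names are this example's own.

```python
import json
from datetime import datetime

# Constructed sample in the shape of:
#   gcloud iam service-accounts keys list \
#     --iam-account=elementum-cloudlink@YOUR_PROJECT_ID.iam.gserviceaccount.com \
#     --format=json
# Key IDs (aaaa1111 etc.) are placeholders.
SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/my-gcp-project/serviceAccounts/elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com/keys/aaaa1111",
   "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-01-10T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/my-gcp-project/serviceAccounts/elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com/keys/bbbb2222",
   "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-05-20T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/my-gcp-project/serviceAccounts/elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com/keys/cccc3333",
   "keyType": "SYSTEM_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-15T00:00:00Z"}
]
""")


def parse_time(value):
    """gcloud prints RFC 3339 timestamps with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(keys, now, max_age_days=90):
    """Return [(key_id, age_in_days)] for user-managed keys older than max_age_days.

    SYSTEM_MANAGED keys are Google's own short-lived signing keys and are skipped;
    only USER_MANAGED keys are the downloadable JSON files this guide deals with."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age_days = (now - parse_time(key["validAfterTime"])).days
        if age_days > max_age_days:
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age_days))
    return stale


def rotation_report(keys, now_rfc3339, max_age_days=90):
    """Wrapper taking the current time as an RFC 3339 string, e.g. from `date -u`."""
    now = parse_time(now_rfc3339)
    return {
        "user_managed_keys": sum(1 for k in keys if k.get("keyType") == "USER_MANAGED"),
        "stale": stale_keys(keys, now, max_age_days),
    }


if __name__ == "__main__":
    print(rotation_report(SAMPLE_KEYS, "2024-06-01T12:00:00Z"))
```

A `user_managed_keys` count above one usually means an old key survived a rotation; once the new key is in Elementum and the connection tests clean, remove the old one with `gcloud iam service-accounts keys delete KEY_ID --iam-account=...`.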

Monitoring

  • Enable BigQuery audit logs
  • Monitor query costs and usage
  • Set up billing alerts
  • Review access patterns via Cloud Logging
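With audit logs enabled, "unusual access patterns" for this integration have a precise meaning: the service account touching a dataset you never shared with it, or connecting from an address outside the Elementum range listed earlier on this page. The following is an added example, not Elementum's code: a detector over BigQuery data-access audit log entries. The entries are constructed; their field names follow the BigQueryAuditMetadata layout (`protoPayload.metadata.jobChange.job.jobStats.queryStats.referencedTables`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.requestMetadata.callerIp`) as this example's author understands it, so confirm them against your own exported logs before relying on the output. The function names are this example's own.

```python
# Example Cloud Logging query for pulling the entries this detector reads
# (substitute your project ID). The second line keeps only job-change events.
LOG_FILTER = """
protoPayload.authenticationInfo.principalEmail="elementum-cloudlink@YOUR_PROJECT_ID.iam.gserviceaccount.com"
protoPayload.metadata.jobChange:*
"""

# Elementum platform addresses from the whitelist section of this guide.
ELEMENTUM_IPS = {"44.210.166.136", "44.209.114.114", "52.72.254.246"}
SERVICE_ACCOUNT = "elementum-cloudlink@my-gcp-project.iam.gserviceaccount.com"


def _entry(principal, caller_ip, tables):
    """Build one constructed log entry in the BigQueryAuditMetadata shape."""
    return {"protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": caller_ip},
        "metadata": {"jobChange": {"job": {"jobStats": {"queryStats": {
            "referencedTables": tables}}}}}}}


# Constructed sample: one normal query, one touching an unshared dataset, one
# from an unexpected address, and one by a human user the detector must ignore.
SAMPLE_ENTRIES = [
    _entry(SERVICE_ACCOUNT, "44.210.166.136", ["projects/my-gcp-project/datasets/sales/tables/orders"]),
    _entry(SERVICE_ACCOUNT, "44.209.114.114", ["projects/my-gcp-project/datasets/hr/tables/salaries"]),
    _entry(SERVICE_ACCOUNT, "203.0.113.7", ["projects/my-gcp-project/datasets/sales/tables/orders"]),
    _entry("analyst@example.com", "203.0.113.7", ["projects/my-gcp-project/datasets/hr/tables/salaries"]),
]


def dataset_of(table_name):
    """'projects/P/datasets/D/tables/T' -> 'D' (None if the name has another shape)."""
    parts = table_name.split("/")
    return parts[3] if len(parts) >= 4 and parts[2] == "datasets" else None


def detect(entries, principal, allowed_datasets, allowed_ips):
    """Return (alert_type, detail) pairs for the given principal's activity."""
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        caller_ip = payload.get("requestMetadata", {}).get("callerIp")
        if caller_ip not in allowed_ips:
            alerts.append(("unexpected_caller_ip", caller_ip))
        job = payload.get("metadata", {}).get("jobChange", {}).get("job", {})
        tables = job.get("jobStats", {}).get("queryStats", {}).get("referencedTables", [])
        for table in tables:
            if dataset_of(table) not in allowed_datasets:
                alerts.append(("out_of_scope_dataset", table))
    return alerts


if __name__ == "__main__":
    shared = {"sales", "inventory", "elementum_platform"}
    for alert in detect(SAMPLE_ENTRIES, SERVICE_ACCOUNT, shared, ELEMENTUM_IPS):
        print(alert)
```

An out-of-scope alert on a dataset you never shared means the IAM grants are wider than intended (the project-policy audit earlier in this guide finds the cause); the caller-IP check is only meaningful if Elementum reaches BigQuery from the listed addresses, which is the same assumption the optional whitelist relies on.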

Next Steps

Configure Apps

Set up your first app in Elementum using your connected data

Create Automations

Build workflows that act on your BigQuery data

Setup AI Features

Enable AI-powered search, automations, and insights

Data Best Practices

Optimize your data models for Elementum

Additional Resources

CloudLink Overview

Learn more about CloudLink architecture

BigQuery Documentation

Official Google BigQuery documentation

IAM Best Practices

Google Cloud IAM security guide

Get Support

Contact our team for setup assistance

This guide reflects the latest BigQuery and Elementum best practices. For additional assistance, contact support@elementum.io.