Skip to main content
This guide explains how to connect Coalesce Quality to BigQuery securely.We need this information so we can collect relevant data about your tables.To be able to finish this guide, you’ll need the following:
→ Access to modify your BigQuery configuration⏱️ Estimated time to finish: 10 minutes.

Data we collect

For the automated data anomaly testing, we collect the following:
  • Number of rows in every table in the monitored dataset(s)
  • Timestamp of the last change of data in all tables in the monitored dataset(s)
To provide out-of-the-box monitors for volume and freshness, we don’t require access to your actual data. For custom monitors, however, access to query your raw data is required. Permission overview:
PermissionDescriptionIncluded in BQ rolePurpose
bigquery.datasets.getGet metadata about a dataset.Data Viewerautomated / custom monitors
bigquery.datasets.getIamPolicyRequired by the Cloud Console to give the user the option of getting a dataset’s IAM permissions. Fails open. The ability to actually perform the operation of getting the permissions is gated by the bigquery.datasets.get permission.Data Viewerautomated / custom monitors
bigquery.jobs.createRun jobs (including queries) within the project.Job Userautomated / custom monitors
bigquery.jobs.getGet data and metadata on any job — required to retrieve the result of the metadata queries we submit.Job Userautomated / custom monitors
bigquery.jobs.listList all jobs and retrieve metadata on any job submitted by any user. For jobs submitted by other users, details and metadata are redacted.Resource Viewerquery logs
bigquery.jobs.listAllList all jobs and retrieve metadata on any job submitted by any user.Resource Viewerquery logs
bigquery.tables.getGet table metadata.Data Viewerautomated monitors
bigquery.tables.getDataGet table data.Data Viewercustom monitors (optional — skip for metadata-only)
bigquery.tables.listList tables and metadata on tables.Data Viewerautomated / custom monitors
bigquery.routines.getGet metadata for user-defined functions, table-valued functions and stored procedures.Data Viewerconnection validation only
bigquery.routines.listList routines in a dataset.Data Viewerconnection validation only
resourcemanager.projects.getData/Jobs/Resource ViewerAll

Setup BigQuery access

Create a dedicated Coalesce Quality role

  1. Select the project with your BigQuery instance in project selection combobox title
  2. Go to IAM and Admin > Roles title
  3. Click the Create Role button on top.
  4. Fill in information as follows
    1. Title: Coalesce Quality Monitoring
    2. Description: Coalesce Quality Monitoring role
    3. Role launch stage: General Availability
    4. Assigned permissions:
    bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.routines.get
bigquery.routines.list
resourcemanager.projects.get
  5. Confirm and save

Create a service account

  1. Go to IAM and Admin > Service Accounts
  2. Click the Create Service Account button
  3. Fill in information as follow:
    1. Service account name: synq-monitoring
    2. Service account description: Coalesce Quality Monitoring Service Account title
  4. Click Create and continue
  5. In section Grant this service account access to the project, select the previously created role title
    1. Click Done

Create a service account key

  1. Open your newly created Service Account title
  2. Switch to Keys tab title
  3. Create a new JSON key title
  4. Store the newly created JSON key securely.

Network Configuration

If your BigQuery project has firewall rules or VPC configurations that restrict access, you may need to whitelist our IP addresses. See Coalesce Quality IP Whitelist for the complete list of IP addresses by region.
Once you’ve successfully completed these steps, input the following data in the platform.

Input data in the Coalesce Quality UI

Integration name

For example BigQuery

Project ID

You can see all your projects and the associated IDs by clicking the drop-down and looking at the ID column of the project. title

Service account key

The content of the JSON file you created earlier in the guide

Region

Location of your BigQuery instance (typically US or EU)

Blacklisted datasets (optional)

Comma-separated list of dataset name patterns to exclude from ingestion. Use * to match any string, e.g. dbt_pr_*.

Datasets (optional)

Comma-separated list of dataset names to scrape explicitly (e.g. analytics, mart_core). When set, only these datasets are queried and the service account does not need the project-level bigquery.datasets.list permission — this lets you grant the Coalesce Quality Monitoring role on individual datasets instead of the whole project. Leave empty to auto-discover every visible dataset in the project.

Audit table FQN (optional)

Fully-qualified table name (e.g. my-project.analytics.synq_sql_test__audit) where Coalesce Quality writes SQL test execution results. The integration creates the table automatically if it does not yet exist. Leave empty if you do not run SQL tests. Using this field requires two extra permissions on the target dataset that are not in the default role above: bigquery.tables.create and bigquery.tables.updateData. Add them to the Coalesce Quality Monitoring role (or grant them just on the audit dataset) before enabling the feature. Enables ingestion of query history from INFORMATION_SCHEMA.JOBS, which powers anomaly-monitor training, data-usage insights, unused-table detection, and cost signals. Expect a small additional query cost (typically a few dollars per month).