GCP Permissions on the Customer Project
BPP connects to the customer's Google Cloud project to read data from BigQuery, create internal datasets and tables, and run queries.
There are two ways to grant BPP access to the customer's project:
- Direct access — grant the BPP service account roles directly on the customer's project.
- Service account impersonation — create a dedicated service account on the customer's project, grant it the required roles, then grant BPP permission to impersonate it.
Both methods require the same set of roles (listed below); they differ only in which principal holds them.
These permissions apply to the customer's project (the gcp_project_id configured in the BigQuery connection).
Required BigQuery roles
| Role | Purpose |
|---|---|
| roles/bigquery.dataEditor | Dataset and table operations |
| roles/bigquery.user | Query execution |
| roles/bigquery.resourceViewer | List projects and datasets |
| roles/serviceusage.serviceUsageConsumer | Set quota for billing |
Option 1: Direct access
Grant all four roles directly to the BPP service account on the customer's project.
Google Cloud Platform UI
Navigate to the customer's project IAM page and follow the official GCP documentation to grant the principal terraform-admin@bpp-platform-prod.iam.gserviceaccount.com the following roles:
- BigQuery Data Editor
- BigQuery User
- BigQuery Resource Viewer
- Service Usage Consumer
gcloud
```bash
BPP_SA="terraform-admin@bpp-platform-prod.iam.gserviceaccount.com"
CUSTOMER_PROJECT="<customer-gcp-project-id>"

# Bind each required role to the BPP service account on the customer project.
gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$BPP_SA" \
  --role="roles/bigquery.dataEditor"
gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$BPP_SA" \
  --role="roles/bigquery.user"
gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$BPP_SA" \
  --role="roles/bigquery.resourceViewer"
gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$BPP_SA" \
  --role="roles/serviceusage.serviceUsageConsumer"
```
Terraform
```hcl
variable "bpp_service_account" {
  type    = string
  default = "terraform-admin@bpp-platform-prod.iam.gserviceaccount.com"
}

variable "customer_project_id" {
  type = string
}

# One additive (non-authoritative) binding per role for the BPP service account.
resource "google_project_iam_member" "bpp_bigquery_data_editor" {
  project = var.customer_project_id
  role    = "roles/bigquery.dataEditor"
  member  = "serviceAccount:${var.bpp_service_account}"
}

resource "google_project_iam_member" "bpp_bigquery_user" {
  project = var.customer_project_id
  role    = "roles/bigquery.user"
  member  = "serviceAccount:${var.bpp_service_account}"
}

resource "google_project_iam_member" "bpp_bigquery_resource_viewer" {
  project = var.customer_project_id
  role    = "roles/bigquery.resourceViewer"
  member  = "serviceAccount:${var.bpp_service_account}"
}

resource "google_project_iam_member" "bpp_service_usage_consumer" {
  project = var.customer_project_id
  role    = "roles/serviceusage.serviceUsageConsumer"
  member  = "serviceAccount:${var.bpp_service_account}"
}
```
Option 2: Service account impersonation
Create a dedicated service account on the customer's project, grant it the required BigQuery roles, then grant BPP permission to impersonate it.
Google Cloud Platform UI
Step 1: Create the service account with the required roles
Follow the official GCP documentation to create a service account, granting it the roles:
- BigQuery Data Editor
- BigQuery User
- BigQuery Resource Viewer
- Service Usage Consumer
Step 2: Allow BPP to impersonate the service account
Follow the official GCP documentation to grant terraform-admin@bpp-platform-prod.iam.gserviceaccount.com the role:
- Service Account Token Creator
gcloud
Step 1: Create the service account
```bash
CUSTOMER_PROJECT="<customer-gcp-project-id>"
CUSTOMER_SA_NAME="bpp-access"

gcloud iam service-accounts create "$CUSTOMER_SA_NAME" \
  --project="$CUSTOMER_PROJECT" \
  --display-name="BPP Access"
```
Step 2: Grant the required BigQuery roles
```bash
# Email of the service account created in Step 1.
CUSTOMER_SA="${CUSTOMER_SA_NAME}@${CUSTOMER_PROJECT}.iam.gserviceaccount.com"

gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$CUSTOMER_SA" \
  --role="roles/bigquery.dataEditor"
gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$CUSTOMER_SA" \
  --role="roles/bigquery.user"
gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$CUSTOMER_SA" \
  --role="roles/bigquery.resourceViewer"
gcloud projects add-iam-policy-binding "$CUSTOMER_PROJECT" \
  --member="serviceAccount:$CUSTOMER_SA" \
  --role="roles/serviceusage.serviceUsageConsumer"
```
Step 3: Allow BPP to impersonate the service account
```bash
BPP_SA="terraform-admin@bpp-platform-prod.iam.gserviceaccount.com"

# Token Creator is bound on the service account resource itself, not on the project.
gcloud iam service-accounts add-iam-policy-binding "$CUSTOMER_SA" \
  --member="serviceAccount:$BPP_SA" \
  --role="roles/iam.serviceAccountTokenCreator"
```
Terraform
```hcl
variable "bpp_service_account" {
  type    = string
  default = "terraform-admin@bpp-platform-prod.iam.gserviceaccount.com"
}

variable "customer_project_id" {
  type = string
}

resource "google_service_account" "bpp_access" {
  project      = var.customer_project_id
  account_id   = "bpp-access"
  display_name = "BPP Access"
}

# All four project-level roles go to the customer-owned service account,
# matching the gcloud steps above; BPP itself gets no project-level role.
resource "google_project_iam_member" "bpp_bigquery_data_editor" {
  project = var.customer_project_id
  role    = "roles/bigquery.dataEditor"
  member  = "serviceAccount:${google_service_account.bpp_access.email}"
}

resource "google_project_iam_member" "bpp_bigquery_user" {
  project = var.customer_project_id
  role    = "roles/bigquery.user"
  member  = "serviceAccount:${google_service_account.bpp_access.email}"
}

resource "google_project_iam_member" "bpp_bigquery_resource_viewer" {
  project = var.customer_project_id
  role    = "roles/bigquery.resourceViewer"
  member  = "serviceAccount:${google_service_account.bpp_access.email}"
}

resource "google_project_iam_member" "bpp_service_usage_consumer" {
  project = var.customer_project_id
  role    = "roles/serviceusage.serviceUsageConsumer"
  member  = "serviceAccount:${google_service_account.bpp_access.email}"
}

# The only grant to BPP: permission to mint tokens for the customer service account.
resource "google_service_account_iam_member" "bpp_impersonation" {
  service_account_id = google_service_account.bpp_access.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${var.bpp_service_account}"
}
```
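Whichever option is used, it is worth verifying afterwards that the principal holds exactly the four documented roles and nothing broader. The following audit is an added example, not BPP's or Google's code: it reads IAM policy JSON in the shape produced by `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json`, and the sample policies, the `example-project` id and the extra `roles/bigquery.admin` binding are constructed to show what the check reports.

```python
import json

# Roles this page requires on the customer project (same set for both options).
REQUIRED_ROLES = {
    "roles/bigquery.dataEditor",
    "roles/bigquery.user",
    "roles/bigquery.resourceViewer",
    "roles/serviceusage.serviceUsageConsumer",
}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
BPP_SA = "serviceAccount:terraform-admin@bpp-platform-prod.iam.gserviceaccount.com"
CUSTOMER_SA = "serviceAccount:bpp-access@example-project.iam.gserviceaccount.com"  # constructed

# Constructed sample policies (not real gcloud output). The bigquery.admin binding
# is deliberately over-broad so the audit has something to flag as excess.
PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "roles/bigquery.dataEditor", "members": [CUSTOMER_SA]},
    {"role": "roles/bigquery.user", "members": [CUSTOMER_SA, "user:alice@example.com"]},
    {"role": "roles/bigquery.resourceViewer", "members": [CUSTOMER_SA]},
    {"role": "roles/bigquery.admin", "members": [CUSTOMER_SA]},
]})
SA_POLICY = json.dumps({"bindings": [
    {"role": TOKEN_CREATOR, "members": [BPP_SA]},
]})


def roles_for(policy_json, member):
    """Every role bound to `member` in an IAM policy document (binding conditions are ignored)."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_project(policy_json, member):
    """Compare the member's project-level roles with the documented set."""
    granted = roles_for(policy_json, member)
    return {"missing": sorted(REQUIRED_ROLES - granted),
            "excess": sorted(granted - REQUIRED_ROLES)}


def audit_impersonation(sa_policy_json, bpp_member):
    """Option 2 only: BPP must hold Token Creator on the customer SA, and nothing else."""
    granted = roles_for(sa_policy_json, bpp_member)
    return {"missing": sorted({TOKEN_CREATOR} - granted),
            "excess": sorted(granted - {TOKEN_CREATOR})}


if __name__ == "__main__":
    print(json.dumps(audit_project(PROJECT_POLICY, CUSTOMER_SA), indent=2))
    print(json.dumps(audit_impersonation(SA_POLICY, BPP_SA), indent=2))
```

For Option 1, run `audit_project` against the BPP principal instead of the customer service account and skip `audit_impersonation`.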
What BPP does on the customer project
| Resource | Description |
|---|---|
| External dataset (read-only) | The customer's existing dataset containing user and event tables. BPP reads schema and data but never modifies this dataset. |
| Internal dataset | Created by BPP (e.g., {customer}_internal). Contains all platform-managed tables and views. Location is matched to the external dataset. |
| bpp_schema_info table | Metadata table inside the internal dataset that tracks which tables and fields BPP is aware of. |
| AI model result tables | Tables for latest and historical AI model outputs (e.g., interest_analysis_bpp, historical_interest_analysis_bpp). |
| AI model views | BigQuery views that expose the latest AI model results with a user-friendly schema. |
| Queries | SELECT, COUNT, and JOIN queries to compute persona views, audience overlaps, distinct field values, and aggregation metrics. |
| INFORMATION_SCHEMA.JOBS | Read-only query against the project's job metadata to sum bytes billed per day for a given source table, used to enforce a daily bytes budget and prevent uncontrolled billing. Requires roles/bigquery.resourceViewer. |
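The daily bytes budget in the last row is a cost-abuse control: before running a query, sum what has already been billed today against the source table and refuse the query if its estimate would push the total over the budget. The example below is added here and is not BPP's code; the SQL shape against INFORMATION_SCHEMA.JOBS_BY_PROJECT, the `acme_external` dataset and the job rows are all constructed assumptions, and the Python functions evaluate the same rule locally so it can be run without a project.

```python
from datetime import date, datetime, timezone

# Assumed query shape (not quoted from the page): today's QUERY jobs that referenced
# the source table, bytes billed summed. Bound parameters: @dataset, @table.
BUDGET_SQL = """
SELECT COALESCE(SUM(total_bytes_billed), 0) AS bytes_billed_today
FROM `{project}`.`region-{location}`.INFORMATION_SCHEMA.JOBS_BY_PROJECT
WHERE job_type = 'QUERY'
  AND creation_time >= TIMESTAMP(CURRENT_DATE())
  AND EXISTS (SELECT 1 FROM UNNEST(referenced_tables) t
              WHERE t.dataset_id = @dataset AND t.table_id = @table)
"""

GIB = 1024 ** 3
TODAY = date(2024, 5, 1)  # fixed so the constructed sample is deterministic; "today" is UTC

# Constructed job rows mirroring the columns the query reads; not real job metadata.
SAMPLE_JOBS = [
    {"creation_time": datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc), "job_type": "QUERY",
     "total_bytes_billed": 6 * GIB, "referenced_tables": [("acme_external", "events")]},
    {"creation_time": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), "job_type": "QUERY",
     "total_bytes_billed": 2 * GIB, "referenced_tables": [("acme_external", "users")]},
    {"creation_time": datetime(2024, 4, 30, 23, 0, tzinfo=timezone.utc), "job_type": "QUERY",
     "total_bytes_billed": 50 * GIB, "referenced_tables": [("acme_external", "events")]},
    {"creation_time": datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc), "job_type": "LOAD",
     "total_bytes_billed": None, "referenced_tables": []},
]


def bytes_billed_today(jobs, dataset, table, today):
    """Local equivalent of BUDGET_SQL: bytes billed by today's query jobs that touched dataset.table."""
    return sum((j["total_bytes_billed"] or 0) for j in jobs
               if j["job_type"] == "QUERY"
               and j["creation_time"].date() == today
               and (dataset, table) in j["referenced_tables"])


def allow_query(jobs, dataset, table, today, estimated_bytes, daily_budget):
    """Admit a query only if its dry-run estimate still fits in what is left of today's budget."""
    spent = bytes_billed_today(jobs, dataset, table, today)
    return spent + estimated_bytes <= daily_budget


if __name__ == "__main__":
    spent = bytes_billed_today(SAMPLE_JOBS, "acme_external", "events", TODAY)
    print(f"billed today against events: {spent / GIB:.0f} GiB")
    print("5 GiB query allowed under a 10 GiB budget:",
          allow_query(SAMPLE_JOBS, "acme_external", "events", TODAY, 5 * GIB, 10 * GIB))
```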
BPP performs a destructive schema sync when a data source is re-activated: it deletes and recreates all internal tables. The customer's external dataset is never modified.