From e02f80455a151a0f45732bab76a34950f1466810 Mon Sep 17 00:00:00 2001
From: Bertil Hatt <bertil@geteppo.com>
Date: Fri, 14 Mar 2025 15:13:11 +0000
Subject: [PATCH] Require more roles for BigQuery connection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A prospect  mentioned that:
> EPPO document describes that the service account needs only roles/bigquery.jobUser .
> Don't need permission to read data?
> For example, roles/bigquery.user, roles/bigquery.dataViewer .
> The reason I asked this question is because I was getting permission errors on my test connection.
with a screen capture that reads:
> Failed to add database connection: Access Denied: Dataset <…>
> Permission bigquery.tables.create denied on dataset <…> (or it may not exist).
---
 docs/data-management/connecting-dwh/bigquery.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/data-management/connecting-dwh/bigquery.md b/docs/data-management/connecting-dwh/bigquery.md
index 9dcf6973..95e4fd06 100644
--- a/docs/data-management/connecting-dwh/bigquery.md
+++ b/docs/data-management/connecting-dwh/bigquery.md
@@ -17,6 +17,10 @@ Additionally, you will need to create a data environment for Eppo to write inter
 7. Under **Service account permissions**, add the following roles:
     - `BigQuery Job User (roles/bigquery.jobUser)`
       - Required
+    - `BigQuery User (roles/bigquery.user)`
+      - Required
+    - `BigQuery Darta Viewer (roles/bigquery.dataViewer )`
+      - Required
     - `Storage Admin (roles/storage.admin)`
       - Optional; required for using Eppo's [Track API](/sdks/event-logging/event-tracking)
       - Scoped to the Storage bucket to use for temporary storage of events before loading into BigQuery