Console

1. Go to theBigQuery page.

   Go to BigQuery

2. In theExplorer pane, clickaddAdd.

   TheAdd data dialog opens.

3. In theFilter By pane, in theData Source Type section, selectDatabases.

   Alternatively, in theSearch for data sources field, you can enteralloydb.

4. In theFeatured data sources section, clickGoogle Cloud AlloyDB.

5. Click theAlloyDB: BigQuery Federation solution card.

6. In theExternal data source dialog, enter the following information:

   • ForConnection type, selectAlloyDB.
   • ForConnection ID, enter an identifier for the connectionresource. Letter, numbers, and underscores are allowed. For example,bq_alloydb_connection.
   • ForData location, select a BigQuerylocation (or region) that iscompatible with your external data source region.
   • Optional: ForFriendly name, enter a user-friendly name forthe connection, such asMy connection resource. The friendly namecan be any value that helps you identify the connectionresource if you need to modify it later.
   • Optional: ForDescription, enter a description for thisconnection resource.
   • Optional:Encryption If you want to use acustomer-managed encryption key (CMEK) to encrypt your credentials, selectCustomer-managed encryption key (CMEK) and then select a customer-managed key. Otherwise, your credentials are protected by the default Google-owned and Google-managed encryption key.
   • ForDatabase name, enter the name of the database.
   • ForDatabase username, enter the username for the database.
   • ForDatabase password, enter the password for the database.
     • Optional: To see the password, clickvisibility_offShow password.

   • ForAlloyDB Instance, enter the connection URI of the AlloyDBprimary or read instance with the//alloydb.googleapis.com prefix.

     • Sample URI://alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION_ID/clusters/CLUSTER_NAME/instances/INSTANCE_ID
     Note: If the same user credentials are valid for other databases inthe external data source, that user can query those databasesthrough the same connection resource.

7. ClickCreate connection.

8. ClickGo to connection.

9. In theConnection Info pane, copy the service account ID for use in thenext step to grant the correct IAM permissions.

bq

Enter thebq mk commandwith the following flags:

bqmk\--connection\--location=LOCATION\--project_id=PROJECT_ID\--connector_configuration'{    "connector_id": "google-alloydb",    "asset": {      "database": "DATABASE",      "google_cloud_resource": "RESOURCE_PATH"    },    "authentication": {      "username_password": {        "username": "USERNAME",        "password": {          "plaintext": "PASSWORD"        }      }    }  }'\CONNECTION_ID

Replace the following:

• LOCATION: Specify a region of the BigQuerydataset to be combined with the data from AlloyDB. Queries that usethis connection must be run from this region.
• PROJECT_ID: Enter your Google Cloud project ID.
• DATABASE: Enter the database name.
• RESOURCE_PATH: Enter the connection URI of the AlloyDB primary or read instance with the//alloydb.googleapis.com prefix.
  • Sample URI://alloydb.googleapis.com/projects/PROJECT_ID/locations/REGION_ID/clusters/CLUSTER_NAME/instances/INSTANCE_ID
• USERNAME: Enter the database user's name.
• PASSWORD: Enter the database user's password.
• CONNECTION_ID: Enter a connection ID to identify thisconnection.

Optional flag:

• --kms_key_name: A customer-managed encryption key. If omitted, credentials are protected by the default Google-owned and Google-managed encryption key.

API

Within the BigQuery Connection API, you can invokeCreateConnection withintheConnectionService to instantiate a connection. See theclient library page for more details.

Console

1. Go to theIAM & Admin page.

   Go to IAM & Admin

2. Clickperson_addGrant Access.

   TheAdd principals dialog opens.

3. In theNew principals field, enter the service account nameBigQuery Connection Service Agent or the service account ID taken fromtheconnection information.

4. In theSelect a role field, selectAlloyDB, and then selectAlloyDB Client.

5. ClickSave.

gcloud

Use thegcloud projects add-iam-policy-bindingcommand:

gcloud projects add-iam-policy-bindingPROJECT_ID --member=serviceAccount:SERVICE_ACCOUNT_ID --role=roles/alloydb.client

Provide the following values:

• PROJECT_ID: Your Google Cloud project ID.
• SERVICE_ACCOUNT_ID: Replace project number inservice-PROJECT_NUMBER@gcp-sa-bigqueryconnection.iam.gserviceaccount.com and use it.

Console

1. Go to theBigQuery page.

   Go to BigQuery

   Connections are listed in your project,in a group calledConnections.

2. In the left pane, clickexploreExplorer:

   

   If you don't see the left pane, clicklast_pageExpand left pane to open the pane.

3. In theExplorer pane, expand your project name.

4. ClickConnections and then click the connection.

5. In theDetails pane, clickShare to share a connection.Then do the following:

   1. In theConnection permissions dialog, share theconnection with other principals by adding or editingprincipals.

   2. ClickSave.

bq

Use the followingset-iam-policy command:

bqset-iam-policyRESOURCEFILE_NAME

Replace the following:

• RESOURCE: Enter the resource name in theproject_id.region.connection_id orregion.connection_id format.
• FILE_NAME: Enter the filename that contains the IAM policy in a JSON format.

For more information about the set-iam-policy command, seeControl access to resources with IAM.

API

Use theprojects.locations.connections.setIAM methodin the BigQuery Connections REST API reference section andsupply an instance of thepolicy resource.