What are the permissions needed for GA exports to BigQuery?

Question

I'd like to set up a GA export to BigQuery. I'm following the steps as described here. In step 2.5, it states:

Add the service account to your project.

Add [email protected] as a member of the project, and ensure that permission at the project level is set to Editor (as opposed to BigQuery Data Editor). Editor permission is required in order to export data from Analytics to BigQuery.

However, I'm reluctant to provide such elevated permissions ("project editor" will allow full access to all resources in my project) on my project.

Why does the GA export need such elevated permissions in order to just talk to BigQuery, and is there a way to provide minimum permissions to the service account instead?

Answer 1

I suspect the documentation is outdated, and hasn't been kept up to date with changes to BigQuery's IAM and permissions.

You do not need to give "Project Editor" access to the service account. And in fact, providing such elevated security permission on a generic service account is violating the principle of least privileges.

Instead, create a custom role within IAM with the following minimum BigQuery permissions for the export to work. This way, it can only interact with BigQuery in your project:

1. bigquery.datasets.create (allows GA to create the dataset for export)
2. bigquery.jobs.create (allows GA to run load jobs)
3. bigquery.tables.create (allow GA to create the tables)
4. bigquery.tables.delete (allows GA to delete intraday tables)