This comprehensive guide shows you how to create a Google Cloud service account with the necessary permissions for BigQuery MCP integration, using both the Google Cloud Console UI and command-line tools.
Table of Contents
A Google Cloud Platform account
An existing GCP project (or create a new one)
Billing enabled on your project
Project Owner or Editor permissions, or specific IAM roles:
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountKeyAdmin
roles/resourcemanager.projectIamAdmin
Method 1: Google Cloud Console (UI)
Step 1: Access the Google Cloud Console
Sign in with your Google account
Select your project from the dropdown at the top of the page
Step 2: Enable Required APIs
Navigate to APIs & Services → Library
Search for "BigQuery API" and click on it
Click Enable if not already enabled
Repeat for "Cloud Resource Manager API" if creating a new project
Step 3: Create a Service Account
Navigate to IAM & Admin → Service Accounts
Click + CREATE SERVICE ACCOUNT
Fill in the service account details:
Service account name: bigquery-mcp-service
Service account ID: bigquery-mcp-service (auto-generated)
Description: Service account for BigQuery MCP access
Click CREATE AND CONTINUE
Step 4: Grant Permissions
In the Grant this service account access to project section:
Choose one of the following roles based on your needs:
For read-only access: Search for "BigQuery Data Viewer" and select BigQuery Data Viewer (roles/bigquery.dataViewer)
For query execution: Search for "BigQuery User" and select BigQuery User (roles/bigquery.user)
For full admin access: Search for "BigQuery Admin" and select BigQuery Admin (roles/bigquery.admin)
Skip the optional "Grant users access to this service account" section
Step 5: Create and Download Service Account Key
In the Service Accounts list, find your newly created service account
Click on the service account name to open its details
Click ADD KEY → Create new key
Select JSON as the key type
The JSON key file will automatically download to your computer
Important: Store this file securely and never share it publicly
Step 6: Note Your Project ID
In the Google Cloud Console header, note your Project ID
You'll need this for the MCP configuration
Method 2: Command Line (gcloud CLI)
Step 1: Install and Setup gcloud CLI
Authenticate with your Google account:
Set your project (replace YOUR_PROJECT_ID):
Step 2: Enable Required APIs
Step 3: Create Service Account
Step 4: Grant BigQuery Permissions
Step 5: Create and Download Service Account Key
Required Permissions
Configure the required roles and permissions to complete this task. You will need the BigQuery User role (roles/bigquery.user), the BigQuery Data Viewer role (roles/bigquery.dataViewer), or equivalent IAM permissions to connect to the instance.
The service account needs one of the following permission configurations for BigQuery MCP:
Recommended Roles (Choose One)
BigQuery User (roles/bigquery.user) - Standard user access to run queries and jobs
BigQuery Data Viewer (roles/bigquery.dataViewer) - Read-only access to datasets and tables
BigQuery Admin (roles/bigquery.admin) - Full administrative access to BigQuery resources
Alternative Granular Permissions (if you prefer minimal permissions)
Instead of BigQuery Admin, you can grant these specific permissions:
bigquery.datasets.getIamPolicy
bigquery.tables.updateData
To grant granular permissions via CLI:
Converting to Base64
For some configurations, you may need to convert your service account JSON to base64 encoding.
Copy the entire contents of your bigquery-service-account.json file
Paste it into the text area on the website
Click Encode to get the base64 string
Copy the resulting base64 string
Method 2: Command Line (macOS/Linux)
Method 3: Command Line (Windows)
Once you have your service account JSON file (and optionally base64 encoded), you can configure the BigQuery MCP:
Download the GenAI toolbox:
Add the MCP configuration:
Troubleshooting
Error: "Permission denied"
Ensure your user account has the necessary IAM permissions
Verify the service account has the correct roles assigned
Check that the required APIs are enabled
Error: "Service account not found"
Verify the service account was created successfully
Check that you're using the correct project ID
Ensure the service account email format is correct
Error: "Invalid key file"
Verify the JSON file is valid and not corrupted
Check file permissions and ensure it's readable
Make sure the file path in the configuration is correct
Error: "Quota exceeded"
Check your project's API quotas
Ensure billing is enabled on your project
Verify you haven't exceeded service account limits
Verification Commands
Security Best Practices
Store credentials securely: Never commit service account keys to version control
Use least privilege: Grant only the minimum permissions needed
Rotate keys regularly: Create new keys and delete old ones periodically
Monitor usage: Enable audit logging to track service account usage
Use short-lived tokens when possible: Consider using Workload Identity Federation for enhanced security
If you encounter issues:
Check the Claude MCP documentation for configuration issues
