In the Cloud Console, go to: IAM & Admin > Service Accounts
Click on 'CREATE SERVICE ACCOUNT'
Fill in the service account name ('elementary') and account description ('Elementary Data') and click 'CREATE AND
CONTINUE':
Now we need to configure the relevant permissions for this new service account.
Select the following role: BigQuery Job User (you will need to grant read access to specific datasets later).
The last step is optional, skip it and press done.
Press on the dots icon to the right of your screen for your new service account and select 'Manage keys':
Press on 'ADD KEY' and select 'Create new key':
Use the 'JSON' option radio button and press 'CREATE':
This will automatically generate and download a JSON file with your private key information for this service account.
This JSON file provides the credentials to programmatically connect and work with your BigQuery environment.
Click on the three dots icon next to the dataset name, then Share.
Click the "ADD PRINCIPAL" button on the top right corner.
Fill out the form:
In the "New principals" textbox, write the email address of your user.
In the "Select a role" dropdown menu, choose the desired role (BigQuery Data Viewer for your Elementary dataset, BigQuery Metadata Viewer, BigQuery Resource Viewer for your dbt dataset).
Click "Save".
Make sure to grant the correct access to your Elementary dataset and your dbt dataset.
Elementary cloud doesn't require read permissions to your tables and schemas, but only the following:
Read-only access to the elementary schema.
Access to read metadata in information schema and query history, related to the tables in your dbt project.
It is recommended to create a user using the instructions specified above to avoid granting excess privileges.
For more details, refer to security and privacy.