Skip to main content

Connect to BigQuery

Learn how to connect your BigQuery data to Retool.

You can use the BigQuery integration to create a resource and make it available in Retool. Once complete, your users can write queries that interact with BigQuery data.

Requirements

The BigQuery integration requirements depend on whether you have a cloud-hosted or self-hosted Retool organization. You may also need to make BigQuery configuration changes before creating the resource.

Sufficient user permissions to create resources

All users for Retool organizations on Free or Team plans have global Edit permissions and can add, edit, and remove resources. If your organization manages user permissions for resources, you must be a member of a group with Edit all permissions.

Allow Retool to access the data source

If the data source is behind a firewall or restricts access based on IP address, then you must ensure that your Retool organization can access it. If necessary, configure your data source to allow access from Retool's IP addresses.

CIDR IP addresses
3.77.79.248/30
35.90.103.132/30
44.208.168.68/30
Individual IP addresses
3.77.79.249
3.77.79.250
35.90.103.132
35.90.103.133
35.90.103.134
35.90.103.135
44.208.168.68
44.208.168.69
44.208.168.70
44.208.168.71

Retool is building support for querying firewalled resources without allowlisting Retool’s IP address. To learn more or be considered for early access, contact cloud-connect@retool.com.

BigQuery settings and authentication

You must have sufficient access and familiarity with your BigQuery data source so you can provide:

  • Required connection settings (e.g., URL and server variables).
  • Authentication credentials (e.g., API keys).

In some cases, you may need to make changes to your BigQuery configuration, such as generating authentication credentials or allowing access through a firewall. Refer to the configuration and authentication sections to learn more.

Custom OAuth 2.0 client credentials

Authentication is performed using a custom OAuth 2.0 client app. You must create this client and then provide its credentials. Once configured, your users are redirected to BigQuery to sign in and authorize Retool to access data.

OAuth apps typically require the following values during creation:

  • OAuth callback URL: The URL to which users are redirected once they have successfully signed in.
  • Scopes : The permissions granted to Retool. Each scope defines a specific set of permissions (e.g., messages:read to read messages users:write to create new users). You must ensure that any scopes defined in your OAuth app matches the scopes you specify when configuring the resource.

Once you've created an OAuth app you can obtain its credentials, such as the Client ID and Client secret. You then provide these to configure Retool for OAuth authentication.

Refer to the BigQuery documentation for detailed instructions on creating an OAuth app.

Configure the resource

Sign in to your Retool organization and navigate to the Resources tab. Click Create new > Resource, then select BigQuery.

Configuration

Specify the name, location, and description to use for your BigQuery resource. Retool displays the resource name and type in query editors to help users identify them.

Provide the following configuration settings to create the resource. Depending on how your data source is configured, you may also need to provide optional settings for Retool to connect.

Name

The name to use for the resource.

Description

A description of the resource.

Region qualifier

The dataset's location, if outside the US.

RegionLocation
usUnited States
euEurope
us-central1Iowa, USA
us-east1South Carolina, USA
us-east4Northern Virginia, USA
us-east5Northern Virginia, USA
us-west1Oregon, USA
us-west2Los Angeles, USA
us-west3Salt Lake City, USA
us-west4Las Vegas, USA
northamerica-northeast1Montreal, Canada
northamerica-northeast2Toronto, Canada
southamerica-east1São Paulo, Brazil
southamerica-west1Santiago, Chile
europe-central2Warsaw, Poland
europe-north1Hamina, Finland
europe-west1Belgium
europe-west2London, UK
europe-west3Frankfurt, Germany
europe-west4Eemshaven, Netherlands
europe-west6Zürich, Switzerland
europe-west8Hamina, Finland
europe-west9London, UK
europe-southwest1Milan, Italy
asia-east1Changhua County, Taiwan
asia-east2Hong Kong
asia-northeast1Tokyo, Japan
asia-northeast2Osaka, Japan
asia-northeast3Seoul, South Korea
asia-south1Mumbai, India
asia-south2Delhi, India
asia-southeast1Jurong West, Singapore
asia-southeast2Jakarta, Indonesia
australia-southeast1Sydney, Australia
australia-southeast2Melbourne, Australia

Your dataset location is required so Retool can fetch the dataset's metadata to power query autocomplete. Defaults to region-us if no value is provided.

Disable converting queries to prepared statements

Whether to disable SQL injection protection that allows dynamically generated SQL using JavaScript.

Show write GUI mode only

Whether to prevent users from writing raw SQL statements and only make changes using GUI mode queries.

Override default outbound Retool region

Retool connects to your data source from the us-west-2 region. Choosing a different outbound region can improve performance through geographic proximity.

RegionLocation
us-west-2US West (Oregon)
eu-central-1Europe (Frankfurt, Germany)
ap-southeast-1Asia-Pacific (Singapore)

Authentication

The BigQuery integration supports the following authentication methods. Depending on which authentication method you use, you may need to make changes to your BigQuery configuration.

Google service account

Authenticate with a service account tied to a Google Cloud project. This method allows users to give Retool access to certain APIs or data with the service account's email address.

Retool recommends using service account authentication when you need to share credentials across users but limit Retool's access to a subset of data. This authentication flow restricts Retool's access to APIs or data shared with the service account email address only.

Refer to Google's service account documentation to learn more.

Scopes

Scopes govern what permissions Retool has once you connect your account authenticates. For some integrations, Retool automatically populates a set of recommended scopes to make full use of the integration. In some cases, you may need to specify the scopes for Retool to use.

You must ensure the key is granted access to the BigQuery Data Viewer and BigQuery User roles. Refer to the Google developer documentation for details on creating a service account key.

Custom OAuth 2.0 client credentials

Authentication is performed using a custom OAuth 2.0 client app. You must create this client and then provide its credentials. Once configured, your users are redirected to to sign in and authorize Retool to access data.

OAuth apps typically require the following values during creation:

  • OAuth callback URL: The URL to which users are redirected once they have successfully signed in.
  • Scopes : The permissions granted to Retool. Each scope defines a specific set of permissions (e.g., messages:read to read messages users:write to create new users). You must ensure that any scopes defined in your OAuth app matches the scopes you specify when configuring the resource.

Once you've created an OAuth app you can obtain its credentials, such as the Client ID and Client secret. You then provide these to configure Retool for OAuth authentication.

Refer to the documentation for detailed instructions on creating an OAuth app.

Scopes

Scopes govern what permissions Retool has once you connect your account authenticates. For some integrations, Retool automatically populates a set of recommended scopes to make full use of the integration. In some cases, you may need to specify the scopes for Retool to use.

Client ID

The client ID with which to authenticate.

Client secret

The client secret with which to authenticate.

Project ID

The project ID with which to authenticate.

Test the connection

Click Test Connection to verify that Retool can successfully connect to the data source. If the test fails, check the resource settings and try again.

Testing a connection only checks whether Retool can successfully connect to the resource. It cannot check whether the provided credentials have sufficient privileges or can perform every supported action.

Save the resource

Click Create resource to complete the setup. You can then click either Create app to immediately start building a Retool app or Back to resources to return to the list of resources.

Next steps

Your BigQuery resource is now ready to use. Check out related queries and code documentation to learn how to interact with BigQuery data.