- Query datasets and tables using standard SQL
- Explore schema metadata (projects, datasets, tables, columns)
- Run parameterized queries with cost guardrails in mind
- Read from views and materialized views
Common use cases and example apps
| Example app | Example prompt | Description |
|---|---|---|
| Executive metrics dashboard | Build a dashboard that shows weekly revenue and signups from your BigQuery marts tables, with filters by region. | Turn warehouse tables into charts in your app. The app runs SQL against BigQuery and renders KPIs and trends for stakeholders. |
| Internal reporting tool | Build an internal app where your team can run approved SQL reports against dataset analytics and export CSV. | Self-serve reporting on curated datasets. The app submits parameterized queries and returns result sets without giving users direct GCP console access. |
| Dataset explorer | Build a tool that lists datasets and tables I can access and shows column types and row counts. | Browse what’s in the warehouse. The app uses metadata APIs and lightweight queries to describe tables and schemas. |
| Customer health view | Join your CRM export in BigQuery with product usage and show a health score per account. | Combine modeled data for operational workflows. The app queries pre-joined or curated tables your data team maintains in BigQuery. |
| Scheduled insight page | Build a page that shows yesterday’s funnel metrics from BigQuery materialized views. | Surface daily or hourly aggregates. The app reads from views or summary tables that your pipelines refresh on a schedule. |
| Data validation UI | Build a small app that runs row counts and null checks on key columns after your pipeline runs. | Lightweight quality checks on top of SQL. The app runs targeted queries to confirm expectations after loads complete. |
How BigQuery connections work
- Authentication: The connector uses Workload Identity Federation with Google’s security token service. Short-lived access tokens are obtained and refreshed through Lovable’s connector gateway—not long-lived JSON keys stored in your repo.
- Gateway: Requests to the BigQuery API are proxied through the gateway. See Gateway-based connectors for token handling and per-project request limits.
- Scopes: The connection is created with BigQuery access scopes (including `https://www.googleapis.com/auth/bigquery` by default). What you can read or run still depends on IAM and dataset permissions on the service account you configure.
- Workspace binding: You configure Google Cloud to trust identity tokens for a workspace-specific audience (see below). Use the Workload Identity Provider resource string and service account email in Lovable when creating the connection.
BigQuery query and storage costs are billed by Google Cloud to your GCP billing account, based on bytes processed, slots, and related usage—not by Lovable.
How to connect BigQuery
Workspace admins and owners can create BigQuery connections. When a connection is created, it can be linked to projects like other shared connectors so deployed apps use it where allowed.
Prerequisites
Before connecting in Lovable, make sure you have:
- A Google Cloud project with the BigQuery API enabled and the datasets you want to query
- Permission to configure IAM and Workload Identity Federation in that project (or a dedicated admin project for identity pools)
- A Google Cloud service account that has the BigQuery roles your use case needs (for example, running queries and reading tables in specific datasets)
- Your Lovable workspace ID (you will need it for the OIDC audience in Google Cloud)
- Lovable workspace admin or owner role
Step 1: Configure Workload Identity Federation in Google Cloud
You need a Workload Identity Pool and an OIDC provider that trusts Google-issued ID tokens whose audience is Lovable’s connector gateway for your workspace.
- In the Google Cloud console, open IAM & Admin → Workload Identity Federation and create a Workload Identity Pool (or use an existing one).
- Add an OIDC provider to the pool with:
  - Issuer URL: `https://accounts.google.com`
  - Allowed audiences: `https://connector-gateway.lovable.dev/workspaces/<WORKSPACE_ID>`, replacing `<WORKSPACE_ID>` with your Lovable workspace ID (the same value Lovable uses for your workspace in URLs and settings).
- Allow the pool to impersonate your BigQuery service account: Grant `roles/iam.workloadIdentityUser` (or the appropriate role for your organization’s policy) so principals from this pool can impersonate the service account that will call BigQuery. Follow Google’s documentation for binding workload identity pool principals to a service account.
- Copy the Workload Identity Provider resource name. It looks like:
//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
This string is the WIF audience value Lovable expects.
Step 2: Connect BigQuery in Lovable
- Go to Settings → Connectors → Shared connectors and select BigQuery.
- Click Add connection.
- In Display name, enter a clear name (for example `BigQuery Production` or `Analytics read-only`).
- In WIF audience, paste the Workload Identity Provider resource name from Google Cloud (the full `//iam.googleapis.com/projects/.../providers/...` string).
- In Service account email, enter the service account to impersonate for BigQuery access (for example `bq-reader@your-project.iam.gserviceaccount.com`).
- Complete the flow to create or verify the connection. Lovable validates the federation setup through the gateway.
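A pre-flight check for the values configured in Step 1 and pasted in Step 2, as an added example that is not Lovable's or Google's own validation code. `checkWifConfig` is a hypothetical helper, and its patterns are assumptions derived from the formats shown on this page.

```javascript
// Added example: lint the WIF values before creating the connection.
// checkWifConfig is hypothetical; patterns follow the formats shown on this page.
const ISSUER = "https://accounts.google.com";
const AUDIENCE_PREFIX = "https://connector-gateway.lovable.dev/workspaces/";
const PROVIDER_RE =
  /^\/\/iam\.googleapis\.com\/projects\/([^/]+)\/locations\/global\/workloadIdentityPools\/([^/]+)\/providers\/([^/]+)$/;

function checkWifConfig({ issuer, allowedAudience, providerResource, serviceAccount }) {
  const problems = [];

  // The issuer is compared exactly: a trailing slash or http:// is a different issuer.
  if (issuer !== ISSUER) problems.push("issuer must be exactly " + ISSUER);

  // The allowed audience must name one workspace, with no leftover placeholder.
  const workspaceId = allowedAudience.startsWith(AUDIENCE_PREFIX)
    ? allowedAudience.slice(AUDIENCE_PREFIX.length)
    : null;
  if (workspaceId === null) {
    problems.push("allowed audience is not the gateway workspace URL");
  } else if (workspaceId === "" || /[<>\/\s]/.test(workspaceId)) {
    problems.push("allowed audience has an empty, placeholder, or malformed workspace ID");
  }

  // The WIF audience is the full provider resource name with PROJECT_NUMBER.
  const m = PROVIDER_RE.exec(providerResource);
  if (!m) {
    problems.push("WIF audience is not a full //iam.googleapis.com/... provider resource name");
  } else if (!/^\d+$/.test(m[1])) {
    problems.push("provider resource name must use the project number, not the project ID");
  }

  // The impersonated identity must be a service account, not a user account.
  if (!/^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$/.test(serviceAccount)) {
    problems.push("service account email must end in .iam.gserviceaccount.com");
  }
  return problems; // empty array means all checks passed
}
```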
Cost and safety practices
BigQuery charges for data scanned by queries (and other usage). When implementing features in chat, prefer patterns that:
- Use `maximumBytesBilled` (or equivalent) on query jobs so large scans fail before running when they would exceed your limit.
- Filter partitioned tables on the partition column, avoid `SELECT *` during exploration, and use `LIMIT` while iterating.
- Use INFORMATION_SCHEMA and metadata APIs to discover schemas and partitions before heavy scans.
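The practices above applied to an approved-report query, as an added example that is not code from Lovable: it builds a BigQuery `jobs.query` request body with named parameters and a `maximumBytesBilled` cap, and checks a dry-run estimate against the same budget. `REPORTS`, `buildQueryRequest`, `withinBudget`, the table name and the 1 GiB cap are assumptions.

```javascript
// Added example: cost guardrails on a parameterized report query.
// REPORTS, buildQueryRequest and withinBudget are hypothetical names.

// Allow-list of approved reports (constructed sample). Users choose a report id
// and supply parameter values; they never supply SQL text.
const REPORTS = {
  weekly_signups: {
    sql: "SELECT region, COUNT(*) AS signups " +
         "FROM `analytics.signups` " + // constructed table, partitioned on signup_date
         "WHERE signup_date BETWEEN @start AND @end AND region = @region " +
         "GROUP BY region LIMIT 1000",
    params: { start: "DATE", end: "DATE", region: "STRING" },
  },
};

const MAX_BYTES = 1024 ** 3; // assumed budget: 1 GiB billed per query

function buildQueryRequest(reportId, values, { dryRun = false } = {}) {
  // Own-property lookup so ids like "constructor" cannot resolve to a prototype member.
  const known = Object.prototype.hasOwnProperty.call(REPORTS, reportId);
  if (!known) throw new Error(`unknown report: ${reportId}`);
  const report = REPORTS[reportId];

  const queryParameters = Object.entries(report.params).map(([name, type]) => {
    const value = values[name];
    if (typeof value !== "string" || value === "")
      throw new Error(`missing parameter: ${name}`);
    if (type === "DATE" && !/^\d{4}-\d{2}-\d{2}$/.test(value))
      throw new Error(`bad DATE for ${name}`);
    return { name, parameterType: { type }, parameterValue: { value } };
  });

  return {
    query: report.sql,
    useLegacySql: false,                   // named @params need standard SQL
    parameterMode: "NAMED",
    queryParameters,
    maximumBytesBilled: String(MAX_BYTES), // int64 fields are sent as JSON strings
    dryRun,                                // true: estimate only, nothing is billed
  };
}

// A dry-run response carries totalBytesProcessed (a string) without running the query.
function withinBudget(dryRunResponse, limit = MAX_BYTES) {
  return BigInt(dryRunResponse.totalBytesProcessed) <= BigInt(limit);
}
```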
Limitations
- Per-user Google login is not what this connector provides: you configure one federated identity and service account per connection for the workspace (not each end user’s Google account).
- Gateway limits apply as described in Gateway-based connectors.
- IAM and dataset access are entirely under your control in GCP; Lovable cannot grant access to tables your service account is not permitted to read.
How to unlink projects from a connection
Editors and above can remove specific projects from a connection without deleting the connection entirely. The connection will remain available for other projects. To unlink projects:
When unlinked, those projects will no longer have access to BigQuery through this connection. If a project needs BigQuery again, you can link it to any available connection.