# Step 2: Set Up BigQuery Authentication

Composable Audience Studio (CAS) connects to BigQuery using a **GCP service account with a JSON key**. You will create a service account, grant IAM roles, and generate a JSON key.

## GCP Step 1: Create a Service Account

1. Open the [Google Cloud Console](https://console.cloud.google.com/) > **IAM & Admin** > **Service Accounts**.
2. Click **Create Service Account**.
3. Enter a display name (e.g., `TAI-CAS-Service`).
4. Click **Create and Continue**.
5. Note the service account email address assigned (e.g., `tai-cas-service@<project_id>.iam.gserviceaccount.com`).


## GCP Step 2: Grant IAM Roles

Grant the service account the required IAM roles as described in [Step 1: Prepare Your BigQuery Data](/ja/products/customer-data-platform/composable-cdp/bigquery/prepare-bigquery-data#bigquery-iam-permissions).

**Minimum required:**

- `roles/bigquery.jobUser` at project level
- `roles/bigquery.dataEditor` at dataset level


## GCP Step 3: Generate a JSON Key

1. In the Service Account details page, go to the **Keys** tab.
2. Click **Add Key** > **Create new key**.
3. Choose **JSON** format > **Create**.
4. The browser downloads the `.json` key file automatically.


**Keep the JSON file secure**
Anyone who holds this file can authenticate as the service account and use every permission granted to it. Store it safely and do not share it.
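A pre-flight check for the downloaded key file, added here as an example (it is not part of the original guide or of any Treasure AI tooling). It assumes POSIX file permissions; `check_key_file`, `demo`, and the `example-project` sample values are hypothetical names constructed for illustration.

```python
import json
import os
import stat

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
# Constructed sample with placeholder values; this is not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "tai-cas-service@example-project.iam.gserviceaccount.com",
}

def check_key_file(path, expected_email=None):
    """Return a list of problems found with a downloaded service account key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:o} exposes the key to other users; use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
            if not isinstance(key, dict): raise ValueError("top level is not an object")
    except (OSError, ValueError) as exc:
        return problems + [f"not readable as a JSON key: {exc}"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    email, project = str(key.get("client_email") or ""), str(key.get("project_id") or "")
    if project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to project_id")
    if expected_email and email != expected_email:
        problems.append(f"key is for {email!r}, not {expected_email!r}")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems

def demo(directory):
    path = os.path.join(directory, "key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_KEY, fh)
    os.chmod(path, 0o644)  # mode a browser download often ends up with
    before = check_key_file(path, SAMPLE_KEY["client_email"])
    os.chmod(path, 0o600)  # owner read/write only
    return before, check_key_file(path, SAMPLE_KEY["client_email"])
```

Pass the service account email you noted in GCP Step 1 as `expected_email` so that a key for a different account is caught before it is uploaded.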

## GCP Step 4: Allow Treasure AI Server IPs to Access BigQuery (If Necessary)

If your GCP project uses VPC Service Controls or organization policies that restrict API access by IP, add Treasure AI's export IP addresses to the allowed list.

**Note**
For the list of Treasure AI IP addresses to add, see [Static IP Addresses for Integrations and Result Workers](/apis/endpoints/ip-addresses-integrations-result-workers). Add the addresses listed on both the Import and Export tabs to your allowed list.