Unable to connect to Bigquery Dataset


We are using free version of Metabase [v-0.40.1]. We are running Metabase Docker container on a GCP VM with default database[H2].
In our GCP Organization we have two projects - network-project & data-project. We have all network related activities defined in network-project [No internet access, Only internal IPs enabled, no external IPs etc.]

We have a jump box [VM within data-project] through which we are accessing Metabase UI. When we go for configuring Metabase to access Bigquery within the same project. It gives us time-out error and doesnt return any result.
On the same VM - we are able to access Bigquery using "bq command" line tool but yes "REST API" based call is throwing error [Access Denied].

When we looked into the Metabase code [src], we are not able to figure out how actually Metabase is trying to access bigquery - does it also use REST API for this purpose? If yes can you please provide us the final URL which it creates ? is it similar to http://www.googleapis.com/bigquery/v2/projects/$PROJECT/queries
If yes then how does it authorize this interaction? is it using oAuth2? [like - https://www.googleapis.com/oauth2/v2/tokeninfo].

Just to mention here the service account which we are using is having all required permissions which are needed for accessing bigquery from Metabase UI. [as suggested by metabase documentation]

Hi @kumar-praveen
I guess you're working with this person? Timeout error while adding Bigquery database

Metabase is using REST API for the BigQuery driver: https://github.com/metabase/metabase/tree/master/modules/drivers/bigquery
There's work being done to rewrite the driver: https://github.com/metabase/metabase/pull/16746

You should not use H2 as the Metabase application database.

Thanks for your quick response. Actually, we are whitelisting URLs which are needed for this communication, hence could you please let me know if there is any specific URL which we should whitelist here. So far we have assumed that http://www.googleapis.com/ should be whitelisted. Do you think we should give full URL or something which we are missing?

@kumar-praveen I would recommend that you log all URLs being blocked for a while, so you can make sure that allow all URLs required.
I don't know all the URLs used - you would have to look in the driver and it's parent dependencies.