These guides walk through what Orion needs to connect to each supported data source, and how to grant that access. Most connections are configured once at the tenant level by an administrator. See Data Sources Management for where this happens in the Orion UI.

How Orion connects

A few principles apply to every connection:

Read-only

Orion only ever issues read queries (SELECT and metadata introspection). It never runs DDL, DML, or stored procedures against your systems.

Least privilege

We recommend a dedicated service user or service account scoped to just the data you want Orion to analyze.

Encrypted at rest

Any credentials you share (passwords, keys, secrets) are encrypted at rest in our database.

Network reachability

For private databases that aren’t publicly reachable (behind a VPC, private subnet, firewall, or VPN), allowlist Orion’s egress IPs so we can reach them. All Orion services egress through the same set of IPs, so a single allowlist entry covers everything. Your production egress IP range is provided by your Orion contact during onboarding.

Choose your data source

  • BigQuery
  • Snowflake
  • Databricks
  • Looker
  • PostgreSQL
  • MySQL
  • Redshift
  • Microsoft Fabric
  • Delta Lake
  • dbt

Power BI, Shopify, and Google Analytics are also supported. Contact your Orion contact for details.

BigQuery

Orion connects to BigQuery using service account impersonation. You create a service account in your project and grant Orion’s service account permission to impersonate it. No credentials or keys are ever shared.
For every Google Cloud Console step below, make sure you are in the correct GCP project, the same project as your BigQuery instance.
1

Create a service account

  1. Go to Google Cloud Console → IAM & Admin → Service Accounts
  2. Click Create Service Account
  3. Name: external-orion-data-access (or your preferred naming)
  4. Description: “Service account for Orion data access”
  5. Click Create and Continue
  6. Skip role assignment for now → click Done
We’ll refer to this as the BigQuery Service Account going forward.
2

Enable service account impersonation

Before this step, the Orion team will provide you with a service account email address (the Orion Service Account) associated with your Orion instance.
  1. Navigate to IAM & Admin → Service Accounts
  2. Find the BigQuery Service Account you just created
  3. Select the Principals With Access tab and click Grant Access
  4. Add principal: the Orion Service Account email you received from Orion
  5. Assign role: Service Account Token Creator
  6. Click Save
3

Create a scratch dataset and grant edit access

  1. Navigate to BigQuery
  2. Create a new dataset, a dedicated dataset reserved for Orion’s use (we recommend a descriptive name like orion_scratch)
  3. Grant the BigQuery Service Account the BigQuery Data Editor role on this dataset only (not at project level; this is the one place Orion needs write access)
The scratch dataset must be in the same region (or multi-region) as the datasets you wish to query via Orion.
Orion uses this dataset to efficiently stream query results to a binary format optimized for quick analysis. Temp tables created here are automatically cleaned up.
4

Grant dataset-level access

In BigQuery, for each dataset (or individual table) you want to share:
  1. Select the dataset → click Share Dataset
  2. Add the BigQuery Service Account email
  3. Assign role: BigQuery Data Viewer
  4. Click Add, then Done
5

Grant project-level access

  1. Navigate to IAM
  2. Locate your BigQuery Service Account and click Edit
  3. Assign the roles: BigQuery Job User, BigQuery Connection User, and BigQuery Read Session User
  4. Click Save
These project-level roles let the service account run query jobs, use connections, and open read sessions; they grant no access to data by themselves. What Orion can read is determined entirely by the dataset grants in step 4.
6

Share connection information

Provide us with your GCP Project ID, the BigQuery Service Account email, the scratch dataset you created, and the GCP location of these datasets (defaults to the US multi-region on default settings). No credentials need to be shared.
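As an added check (example code written for this guide, not Orion’s tooling), the script below audits the bindings from steps 2 and 5. It reads the JSON that gcloud projects get-iam-policy and gcloud iam service-accounts get-iam-policy print, using constructed sample policies with hypothetical project and service account emails, and flags the two mistakes that most often creep in: data or editor roles granted to the BigQuery Service Account at project level, and Service Account Token Creator granted project-wide, which would let the Orion Service Account impersonate every service account in the project rather than just the one you created.

```python
"""Audit the BigQuery IAM setup from steps 2 and 5 against least privilege.

Added example, not Orion's own tooling. Feed it the JSON printed by
  gcloud projects get-iam-policy <project> --format=json
  gcloud iam service-accounts get-iam-policy <bigquery-sa> --format=json
The two policies embedded below are constructed sample input; the project
and service account emails are hypothetical.
"""
import json

# Project-level roles this guide grants to the BigQuery Service Account (step 5).
EXPECTED_PROJECT_ROLES = {
    "roles/bigquery.jobUser",
    "roles/bigquery.connectionUser",
    "roles/bigquery.readSessionUser",
}
# The only role the Orion Service Account should hold, and only on the BQ SA (step 2).
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

BQ_SA = "external-orion-data-access@my-project.iam.gserviceaccount.com"  # hypothetical
ORION_SA = "orion-tenant-123@orion-prod.iam.gserviceaccount.com"          # hypothetical

# Constructed sample: a compliant project policy and BQ SA policy.
PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{BQ_SA}"]},
    {"role": "roles/bigquery.connectionUser", "members": [f"serviceAccount:{BQ_SA}"]},
    {"role": "roles/bigquery.readSessionUser", "members": [f"serviceAccount:{BQ_SA}"]},
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
]})
SA_POLICY = json.dumps({"bindings": [
    {"role": TOKEN_CREATOR, "members": [f"serviceAccount:{ORION_SA}"]},
]})


def roles_for(policy_json, member):
    """Roles bound to `member` in a gcloud IAM policy document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(project_policy_json, sa_policy_json, bq_sa=BQ_SA, orion_sa=ORION_SA):
    """Return a list of findings; an empty list means the bindings match the guide."""
    findings = []
    bq_member = f"serviceAccount:{bq_sa}"
    orion_member = f"serviceAccount:{orion_sa}"

    # Step 5: exactly the three job/connection/read-session roles at project level.
    project_roles = roles_for(project_policy_json, bq_member)
    for role in sorted(EXPECTED_PROJECT_ROLES - project_roles):
        findings.append(f"{bq_sa} is missing project role {role}")
    for role in sorted(project_roles - EXPECTED_PROJECT_ROLES):
        findings.append(f"{bq_sa} has unexpected project role {role}; "
                        "data access belongs on datasets, not the project")

    # Step 2: Token Creator on the BQ SA resource only. Granting it at project level
    # would let Orion mint tokens for every service account in the project.
    if TOKEN_CREATOR in roles_for(project_policy_json, orion_member):
        findings.append(f"{orion_sa} holds {TOKEN_CREATOR} on the whole project; scope it to {bq_sa}")
    sa_roles = roles_for(sa_policy_json, orion_member)
    if TOKEN_CREATOR not in sa_roles:
        findings.append(f"{orion_sa} cannot impersonate {bq_sa}: grant {TOKEN_CREATOR} on that service account")
    for role in sorted(sa_roles - {TOKEN_CREATOR}):
        findings.append(f"{orion_sa} has unexpected role {role} on {bq_sa}")
    return findings


if __name__ == "__main__":
    for line in audit(PROJECT_POLICY, SA_POLICY) or ["OK: bindings match the guide"]:
        print(line)
```

To run it against your own project, pass the two gcloud JSON outputs and your real emails: audit(open("project.json").read(), open("sa.json").read(), bq_sa="...", orion_sa="..."). Dataset-level grants (step 4) are not in the project policy; check those with bq show --format=prettyjson <dataset> and confirm the only write role the service account holds is Data Editor on the scratch dataset.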
↑ Back to all data sources

Snowflake

Orion connects to Snowflake using key pair authentication. You create a dedicated service user, grant it read-only access to the data you want analyzed, and associate a public key with it. Orion holds the matching private key to authenticate.

Connection information

Field                                         Description
Account                                       Your Snowflake account identifier, e.g. orgname-account_name (or the full host orgname-account_name.snowflakecomputing.com)
User / Role / Warehouse / Database / Schema   Standard connection context values used by Snowflake clients and drivers
Required grants (on the role you configure for the connection)
GRANT USAGE ON WAREHOUSE <w> TO ROLE <r>;
GRANT USAGE ON DATABASE <db> TO ROLE <r>;
GRANT USAGE ON SCHEMA <db>.<schema> TO ROLE <r>;
GRANT SELECT ON ALL TABLES IN SCHEMA <db>.<schema> TO ROLE <r>;
GRANT SELECT ON ALL VIEWS IN SCHEMA <db>.<schema> TO ROLE <r>;
-- So tables and views created later are visible without re-granting:
GRANT SELECT ON FUTURE TABLES IN SCHEMA <db>.<schema> TO ROLE <r>;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA <db>.<schema> TO ROLE <r>;
Key pair authentication setup
1

Generate an encrypted key pair

Generate an encrypted private-public key pair (RSA 2048 or 3072 recommended).
# Encrypted private key (a passphrase is recommended; openssl prompts for it)
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 aes-256-cbc -inform PEM -out rsa_key.p8
# Associated public key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
The public key (rsa_key.pub) is added to the Snowflake user. The encrypted private key (rsa_key.p8) and its passphrase are what Orion authenticates with, so they are shared with Orion through the connection configuration (see What we store below), not with Snowflake.
2

Create (or reuse) a service user

CREATE USER orion_svc
  TYPE = SERVICE              -- service users cannot log in with a password; key pair or OAuth only
  DEFAULT_ROLE = <r>
  DEFAULT_WAREHOUSE = <w>;
GRANT ROLE <r> TO USER orion_svc;
The GRANT ROLE statement assigns the role that carries the grants listed above.
3

Associate the public key with the service user

ALTER USER orion_svc SET RSA_PUBLIC_KEY='<contents of rsa_key.pub without the BEGIN/END PUBLIC KEY lines>';
-- Verify the installed key: RSA_PUBLIC_KEY_FP is SHA256 over the DER-encoded public key
DESC USER orion_svc;
Snowflake rejects the PEM delimiters inside the quoted value, so paste only the base64 body.
What we store: Orion uses the private key to authenticate connections. The key you share is already passphrase-encrypted; we store that encrypted key and its passphrase in our database and additionally encrypt both at rest. See the Snowflake key pair documentation. ↑ Back to all data sources
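The helper below is an added example for this guide (not Orion’s or Snowflake’s code). It takes the rsa_key.pub file from step 1, strips the PEM delimiters so the value is ready for ALTER USER, computes the fingerprint the same way DESC USER reports RSA_PUBLIC_KEY_FP (base64 of SHA-256 over the DER public key) so you can confirm the key you installed is the key you meant to, and emits the statements for a later rotation using Snowflake’s second key slot, RSA_PUBLIC_KEY_2. SAMPLE_PUB_PEM is a constructed, truncated placeholder, not a real key.

```python
"""Prepare and verify the Snowflake public key from step 3.

Added example, not Orion's or Snowflake's code. It strips the PEM delimiters
(Snowflake rejects them inside RSA_PUBLIC_KEY), computes the fingerprint the
same way `DESC USER` reports RSA_PUBLIC_KEY_FP (base64 of SHA-256 over the DER
public key), and emits the rotation statements that use RSA_PUBLIC_KEY_2.
SAMPLE_PUB_PEM is a constructed, truncated placeholder, not a real key.
"""
import base64
import hashlib

SAMPLE_PUB_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-----END PUBLIC KEY-----
"""


def pem_body(pem):
    """Base64 body of a PEM file as one line, with the BEGIN/END lines removed."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def fingerprint(pem):
    """SHA256:<base64> fingerprint, matching RSA_PUBLIC_KEY_FP in DESC USER output."""
    der = base64.b64decode(pem_body(pem))
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode()


def set_key_sql(user, pem):
    """The ALTER USER statement from step 3 with the delimiters already stripped."""
    return f"ALTER USER {user} SET RSA_PUBLIC_KEY='{pem_body(pem)}';"


def rotation_sql(user, new_pem):
    """Zero-downtime rotation: install the new key in slot 2, switch Orion's
    private key, then remove the old key from slot 1."""
    return [
        f"ALTER USER {user} SET RSA_PUBLIC_KEY_2='{pem_body(new_pem)}';",
        "-- reconfigure the Orion connection with the new private key, then:",
        f"ALTER USER {user} UNSET RSA_PUBLIC_KEY;",
    ]


def key_matches(pem, fp_from_desc_user):
    """True when DESC USER's RSA_PUBLIC_KEY_FP matches the key you think you installed."""
    return fingerprint(pem) == fp_from_desc_user.strip()


if __name__ == "__main__":
    print(set_key_sql("orion_svc", SAMPLE_PUB_PEM))
    print("expected RSA_PUBLIC_KEY_FP:", fingerprint(SAMPLE_PUB_PEM))
```

After running the statement, compare the RSA_PUBLIC_KEY_FP property from DESC USER orion_svc with fingerprint(open("rsa_key.pub").read()); a mismatch means a different key was pasted. Keep the rotation pair of statements for when the private key shared with Orion is due to be replaced: the old key keeps working until the final UNSET, so there is no window where the connection is down.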

Databricks

Orion connects to Databricks using a dedicated Service Principal and a SQL Warehouse for compute. We strongly recommend OAuth M2M authentication.
1

Create a Service Principal

We recommend a dedicated Service Principal for Orion. Follow the official documentation to create one.
2

Create credentials

OAuth M2M (recommended)

Follow the official documentation to create a Client ID and Client Secret. Copy the Client Secret immediately; you only get one chance to see it.

Personal Access Token (legacy)

Follow the official documentation. PATs are legacy and being phased out by Databricks, so prefer OAuth M2M.
3

Create or identify a SQL Warehouse

SQL Warehouses are the compute resources used to execute queries. Either identify an existing warehouse, or create a dedicated one following the official documentation. Make note of the warehouse’s HTTP Path.
4

Grant access

Grant the Service Principal read access (USE CATALOG, USE SCHEMA and SELECT in Unity Catalog) on the catalogs, schemas, and tables you want Orion to analyze, plus CAN USE on the SQL Warehouse used to execute queries. No write or warehouse-management privileges are needed.
5

Configure the connection in Orion

In the Orion UI, create a Databricks connection, give it a name and optional description, then fill in:
Field                       Description                                     Example
Host                        The host URL for your Databricks workspace      abc-123.cloud.databricks.com
Warehouse HTTP Path         The HTTP path to your chosen SQL Warehouse      /sql/1.0/warehouses/abc123
Client ID & Client Secret   OAuth M2M credentials
Optionally include a Databricks Catalog to limit the scope of a given connection. This narrows what Orion looks at, not what the Service Principal can reach; the grants from step 4 remain the real boundary.
↑ Back to all data sources

Looker

Orion connects to Looker using a dedicated user account with analyst-level (read-only) permissions plus API credentials. You’ll also grant the account access to the Spaces (folders) that hold your dashboards and Looks.

Standard deployment: We request a Looker account for the email orion@gravity.foundation, with permissions matching those of a typical analyst at your organization. Orion only needs read access.

Required permissions (in addition to analyst-level access)
  • Models (docs): can be scoped to necessary models via model sets; includes the explore permission
  • see_system_activity, see_lookml, see_sql
  • see_user_dashboards (or provide PDFs of sample dashboards instead)
  • create_custom_fields: enables building custom fields via + Add
  • login_special_email: only if using non-email (third-party) authentication
Content access (Spaces / folders) Model permissions and content access are configured separately in Looker. The Orion user also needs view access to the Spaces where your dashboards and Looks are stored:
1

Open the folder

Navigate to the folder(s) containing your key dashboards.
2

Manage access

Click Manage Access on the folder.
3

Add the Orion user

Add the Orion user (or a group it belongs to) with View access.
Without this step, the Orion user will have model and query permissions but won’t be able to see any saved dashboard content. See Managing access to folders.
API credentials: Generate API keys for orion@gravity.foundation (docs) and share the client_id and client_secret with us.

Third-party authentication: If you use Okta or another third-party provider, add the login_special_email permission. Navigate to the Roles section of the Admin panel (https://[organization].cloud.looker.com/admin/roles) and, if you don’t already have external users, create a new permission set. See the Looker documentation.

↑ Back to all data sources

PostgreSQL

Orion connects to PostgreSQL with username/password authentication. Create a dedicated read-only user and grant it SELECT on the schemas and tables you want analyzed.

Connection information

Field       Description
Host        PostgreSQL server hostname / IP address
Port        PostgreSQL server port (default: 5432)
Database    Target database name
User        PostgreSQL username for authentication
Password    User password for authentication
SSL Mode    disable / allow / prefer / require / verify-ca / verify-full. Prefer verify-full with your server’s CA so the connection fails, rather than silently downgrading, when the certificate cannot be verified.
Required grants
GRANT CONNECT ON DATABASE <db> TO <user>;
GRANT USAGE ON SCHEMA <schema> TO <user>;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO <user>;
-- So future tables are visible automatically. This covers tables created by the role
-- running the statement; add FOR ROLE <owner> for tables that other roles will create:
ALTER DEFAULT PRIVILEGES IN SCHEMA <schema> GRANT SELECT ON TABLES TO <user>;
Setup
1

Create the service user

CREATE USER orion_svc WITH PASSWORD '<secure_password>';
2

Configure PostgreSQL for connections

In postgresql.conf: set listen_addresses so PostgreSQL accepts connections on the interface Orion reaches (listen_addresses = '*' listens on every interface; if you use it, restrict port 5432 to Orion’s egress range at the firewall or security group), ssl = on for SSL connections, and password_encryption = scram-sha-256 before creating the user so its password is stored as a SCRAM verifier rather than an MD5 hash (this is the default from PostgreSQL 14).
3

Configure client authentication

In pg_hba.conf, one entry is enough. hostssl rejects connections that are not TLS-encrypted, and scram-sha-256 replaces the legacy md5 method:
hostssl <database> orion_svc <orion_egress_cidr> scram-sha-256
A plain host entry would also accept unencrypted connections, and an address of 0.0.0.0/0 would admit any source, so avoid both for this user.
4

Restart and grant

Restart the PostgreSQL service, then assign the grants listed above to the service user.
What we store: username/password authentication; we encrypt your plain-text password in our database. See the PostgreSQL docs on connection parameters, access control, and client authentication.

↑ Back to all data sources
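As an added check for step 3 (example code for this guide, not Orion’s or PostgreSQL’s), the linter below reads a pg_hba.conf and reports every entry that could admit the Orion service user with a weaker setting than the one above: non-TLS types (host, hostnossl), md5 / password / trust instead of scram-sha-256, database all, and source addresses wider than or outside Orion’s egress range. It handles both CIDR and the older address-plus-netmask form, and prints the hardened entry. SAMPLE_PG_HBA and the CIDR 203.0.113.0/24 are constructed.

```python
"""Lint pg_hba.conf entries that admit the Orion service user (step 3).

Added example, not Orion's or PostgreSQL's code. It flags entries that accept
non-TLS connections (host / hostnossl), weak or passwordless auth methods
(md5, password, trust), and source ranges wider than Orion's egress CIDR,
and it prints the hardened entry. SAMPLE_PG_HBA and the CIDR are constructed.
"""
import ipaddress

AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
                "ident", "peer", "pam", "ldap", "radius", "cert", "bsd"}

SAMPLE_PG_HBA = """\
# TYPE  DATABASE   USER       ADDRESS          METHOD
local   all        all                         peer
host    all        postgres   127.0.0.1/32     scram-sha-256
host    analytics  orion_svc  0.0.0.0/0        md5
"""


def _split_entry(tokens):
    """Return (address, method) for CIDR or 'address netmask' forms, else None."""
    if len(tokens) >= 5 and tokens[4] in AUTH_METHODS:
        return tokens[3], tokens[4]
    if len(tokens) >= 6 and tokens[5] in AUTH_METHODS:
        return f"{tokens[3]}/{tokens[4]}", tokens[5]
    return None


def lint_pg_hba(text, user, egress_cidr):
    """Return [(line_number, message)] for entries that could admit `user`."""
    allowed = ipaddress.ip_network(egress_cidr, strict=False)
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 3:
            findings.append((n, f"could not parse entry: {line}"))
            continue
        conn_type, database, entry_user = tokens[0], tokens[1], tokens[2]
        if conn_type == "local" or entry_user not in (user, "all"):
            continue  # Unix-socket entries and other users cannot admit Orion
        parsed = _split_entry(tokens)
        if parsed is None:
            findings.append((n, f"could not parse entry: {line}"))
            continue
        address, method = parsed
        if conn_type in ("host", "hostnossl"):
            findings.append((n, f"'{conn_type}' admits non-TLS connections; use hostssl"))
        if method in ("md5", "password"):
            findings.append((n, f"'{method}' is a weak or cleartext method; use scram-sha-256"))
        elif method == "trust":
            findings.append((n, "'trust' allows login without a password"))
        if database == "all":
            findings.append((n, "database 'all' widens access; name the target database"))
        if address in ("all", "samehost", "samenet"):
            findings.append((n, f"address '{address}' is not limited to Orion's egress range"))
        else:
            try:
                net = ipaddress.ip_network(address, strict=False)
                if net.version != allowed.version or not net.subnet_of(allowed):
                    findings.append((n, f"{address} is wider than or outside egress range {allowed}"))
            except ValueError:
                findings.append((n, f"unrecognised address {address}"))
    return findings


def hardened_entry(database, user, egress_cidr):
    """The single pg_hba.conf line Orion needs: TLS only, SCRAM, egress range only."""
    return f"hostssl {database} {user} {egress_cidr} scram-sha-256"


if __name__ == "__main__":
    for n, msg in lint_pg_hba(SAMPLE_PG_HBA, "orion_svc", "203.0.113.0/24"):
        print(f"line {n}: {msg}")
    print("replace with:", hardened_entry("analytics", "orion_svc", "203.0.113.0/24"))
```

Run it with lint_pg_hba(open("/etc/postgresql/16/main/pg_hba.conf").read(), "orion_svc", "<egress cidr>") (path is an example). Entries for user all are included on purpose: a permissive host all all 0.0.0.0/0 md5 line admits orion_svc just as surely as one that names it, and pg_hba.conf uses the first matching line, so check the order as well as the individual entries.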

MySQL

Orion connects to MySQL with username/password authentication. Create a dedicated user and grant it read-only access to the target database.

Connection information

Field                          Description
Host                           MySQL server hostname / IP address
Port                           MySQL server port (default: 3306)
Database                       Target database (schema) name
User                           MySQL username for authentication
Password                       User password for authentication
SSL Mode                       disable / preferred / required / verify-ca / verify-identity. Use verify-identity where possible; preferred silently falls back to an unencrypted connection if TLS fails.
SSL CA Certificate (optional)  PEM-encoded CA bundle, required for verify-ca / verify-identity when the server certificate is not signed by a publicly trusted CA
In MySQL, a “database” and a “schema” are the same thing. The Database value above is the schema Orion will read from.
Required grants
-- Read-only access to all current and future tables/views in <db>
GRANT SELECT, SHOW VIEW ON <db>.* TO '<user>'@'<host_or_%>';
-- GRANT takes effect immediately; FLUSH PRIVILEGES is only needed after editing the grant tables directly
Setup
1

Create the service user

CREATE USER 'orion_svc'@'<host_or_%>' IDENTIFIED BY '<secure_password>';
Replace <host_or_%> with the address Orion will connect from. CIDR notation (e.g. 'orion_svc'@'203.0.113.0/24') requires MySQL 8.0.23 or later; older servers take the netmask form 'orion_svc'@'203.0.113.0/255.255.255.0'. '%' allows any source host; prefer Orion’s egress range so that a leaked password alone is not enough to connect.
2

Configure MySQL for connections

Ensure MySQL accepts remote connections in my.cnf (or mysqld.cnf):
[mysqld]
# 0.0.0.0 listens on every interface; bind to the interface Orion reaches if you can,
# and restrict port 3306 to Orion's egress range at the firewall either way
bind-address = 0.0.0.0
# For SSL:
require_secure_transport = ON
ssl-ca   = /path/to/ca.pem
ssl-cert = /path/to/server-cert.pem
ssl-key  = /path/to/server-key.pem
require_secure_transport = ON rejects non-TLS connections from every account. To require SSL for this user only instead: ALTER USER 'orion_svc'@'<host_or_%>' REQUIRE SSL;
3

Restart and grant

Restart the MySQL service, then assign the grants listed above to the service user.
What we store: username/password authentication; we encrypt your plain-text password at rest. If you provide an SSL CA certificate, we encrypt the PEM contents alongside it. See the MySQL docs on access control and encrypted connections.

↑ Back to all data sources
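To confirm the account really is read-only after step 3, the added example below (written for this guide, not Orion’s or MySQL’s code) audits the lines printed by SHOW GRANTS FOR 'orion_svc'@'<host>'. It flags any privilege beyond USAGE / SELECT / SHOW VIEW, grants scoped to *.* or to a database other than the one Orion should read, WITH GRANT OPTION, and a '%' host when a specific source range was expected. SAMPLE_GRANTS is constructed output.

```python
"""Audit SHOW GRANTS output for the Orion MySQL user against read-only access.

Added example, not Orion's or MySQL's code. Paste the lines printed by
SHOW GRANTS FOR 'orion_svc'@'<host>'; the auditor flags any privilege beyond
USAGE / SELECT / SHOW VIEW, grants scoped to *.* or to another database,
WITH GRANT OPTION, and a '%' host when a specific source is expected.
SAMPLE_GRANTS is constructed output.
"""
import re

READ_ONLY_PRIVS = {"USAGE", "SELECT", "SHOW VIEW"}
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<account>\S+)(?P<rest>.*)$", re.I)

SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `orion_svc`@`%`",
    "GRANT SELECT, SHOW VIEW ON `analytics`.* TO `orion_svc`@`%`",
]


def parse_grant(line):
    """Split one SHOW GRANTS line into (privileges, scope, user, host, trailing clause)."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    user, host = m["account"].rsplit("@", 1)
    return privs, m["scope"], user.strip("`'\""), host.strip("`'\""), m["rest"].upper()


def audit_grants(lines, expected_host, expected_db):
    """Return a list of findings; empty means the user is read-only on expected_db."""
    findings = []
    hosts_seen = set()
    for line in lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, scope, user, host, rest = parsed
        if host == "%" and expected_host != "%" and host not in hosts_seen:
            findings.append(f"{user}@% accepts any source host; recreate as '{user}'@'{expected_host}'")
        hosts_seen.add(host)
        if privs & {"ALL", "ALL PRIVILEGES"}:
            findings.append(f"{scope}: ALL PRIVILEGES granted; replace with SELECT, SHOW VIEW")
        extra = sorted(privs - READ_ONLY_PRIVS - {"ALL", "ALL PRIVILEGES"})
        if extra:
            findings.append(f"{scope}: write/admin privileges {extra}; Orion only needs SELECT, SHOW VIEW")
        db = scope.split(".", 1)[0].strip("`")
        if scope == "*.*":
            if privs - {"USAGE"}:
                findings.append(f"global grant {sorted(privs)} on *.*; scope privileges to `{expected_db}`.*")
        elif db != expected_db:
            findings.append(f"{scope}: grant outside expected database `{expected_db}`")
        if "GRANT OPTION" in rest:
            findings.append(f"{scope}: WITH GRANT OPTION lets the account re-grant privileges; revoke it")
    return findings


def hardened_grants(user, host, db):
    """The minimal statements from this guide (FLUSH PRIVILEGES is not needed after GRANT)."""
    return [
        f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '<secure_password>' REQUIRE SSL;",
        f"GRANT SELECT, SHOW VIEW ON `{db}`.* TO '{user}'@'{host}';",
    ]


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, "%", "analytics") or ["OK: read-only on analytics"]:
        print(finding)
```

The GRANT USAGE ON *.* line that MySQL always prints is expected; it carries no privileges and only records that the account exists. Anything else on *.* means the user can read (or write) every schema on the server, which is the case the guide’s <db>.* grant is meant to avoid.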

Redshift

Orion connects to Amazon Redshift (cluster or Serverless workgroup) over the standard PostgreSQL wire protocol (port 5439) using username/password authentication. Orion only ever issues read (SELECT) queries.

Connection details

Field      Description
Host       Your cluster endpoint, e.g. my-cluster.abc123xyz.us-east-1.redshift.amazonaws.com. For Serverless: my-workgroup.123456789012.us-east-1.redshift-serverless.amazonaws.com
Port       Defaults to 5439
Database   The database name to connect to, e.g. analytics or dev
User       The read-only user created for Orion (we suggest orion)
Password   The password for that user
SSL Mode   require (default). Redshift supports TLS on every endpoint; to make the server reject non-TLS clients as well, set require_ssl to true in the cluster parameter group.
Database user & permissions
On Redshift, a user can only see a table in information_schema if it has been granted access, so these grants also determine what Orion can discover.
CREATE USER orion PASSWORD '<choose-a-strong-password>';
-- For each schema you want Orion to access:
GRANT USAGE ON SCHEMA <schema_name> TO orion;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema_name> TO orion;
-- So future tables are visible automatically. This covers tables created by the user
-- running the statement; add FOR USER <owner> for tables that other users will create:
ALTER DEFAULT PRIVILEGES IN SCHEMA <schema_name> GRANT SELECT ON TABLES TO orion;
Orion does not need INSERT / UPDATE / DELETE / CREATE, so please do not grant write access.
Network access: Orion connects from our infrastructure, so the endpoint must be reachable on the Redshift port. Allow inbound traffic on port 5439 from Orion’s egress IP range in the cluster’s VPC security group. See the docs on managing Redshift security groups.

↑ Back to all data sources

Microsoft Fabric

Orion connects to a Microsoft Fabric Warehouse using a Service Principal (App Registration) in your Microsoft Entra ID tenant. Orion connects over TDS (the SQL endpoint) using ODBC Driver 18 with Service Principal authentication, with no interactive login required.

Azure App Registration
  1. Create an App Registration in your Entra ID tenant (docs)
  2. Note the Application (client) ID and Directory (tenant) ID
  3. Create a Client Secret under Certificates & secrets (docs) and note the secret value (not the Secret ID). Recommended expiry: 12 months
Fabric Admin Portal settings (must be enabled by a Fabric Administrator)
  1. Navigate to Fabric Admin Portal → Tenant settings → Developer settings
  2. Enable Service principals can use Fabric APIs
  3. Scope to a security group containing the Orion Service Principal (recommended), or enable for the entire organization
Workspace access: Open the workspace containing your Warehouse, click Manage access → Add people or groups, search for the App Registration name, and assign the Viewer role (minimum). Contributor is recommended for full metadata access, but Contributor can also create and modify workspace items; start with Viewer and move to Contributor only if metadata is missing.

Warehouse SQL endpoint: Open the Warehouse in Fabric, click Settings → SQL connection string. The hostname looks like xxxxxxxx.datawarehouse.fabric.microsoft.com. Note the Database name (the Warehouse name).

Credentials summary
Field             Description                                      Example
Server Hostname   SQL connection string from Warehouse settings    xyz.datawarehouse.fabric.microsoft.com
Database          Warehouse name                                   my-warehouse
Tenant ID         Entra ID Directory (tenant) ID                   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client ID         App Registration Application (client) ID         xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret     App Registration client secret value             (sensitive; share securely)
Orion uses read-only SQL (SELECT only) to discover your schema via INFORMATION_SCHEMA, run agent-generated queries, and stream results into its analysis pipeline. It never executes DDL, DML, or stored procedures. If you use dbt with Fabric, Orion can enrich metadata with dbt models and lineage; see dbt.
↑ Back to all data sources

Delta Lake

Orion connects to Delta Lake tables on Azure Data Lake Storage Gen2 (abfss://) or Google Cloud Storage (gs://). Orion reads the Delta table directly via its transaction log. There is no warehouse, cluster, or notebook to provision. You provide two things: a Table URI pointing at a Delta table folder (or a parent folder containing many Delta tables), and credentials with read access to that location.
Orion only performs read-only scans against your storage account / bucket: no writes, no vacuums, no schema changes.
Storage account access
  • The Table URI looks like abfss://<container>@<storage-account>.dfs.core.windows.net/<path>
  • <path> can point to a single Delta table folder (containing a _delta_log/ subdirectory) or a parent folder; in the parent case, Orion exposes every Delta table found underneath
  • Confirm hierarchical namespace is enabled on the storage account (required for abfss://)
Credentials (pick one)

SAS token (preferred)

Read-only and time-bounded (docs). Create a service SAS scoped to the container (sr=c) with permissions read + list (sp=rl), HTTPS only (spr=https), and an expiry 90 days or longer; note the expiry date, since schema syncs and queries fail once it lapses. Send the token query string (with or without a leading ?).

Account key

Full read/write control of the entire storage account, and it never expires. Use one only if a SAS is not viable, and rotate the key once Orion no longer needs it. Either the raw account key, or the full connection string.
What you send us: Table URI (full abfss://... string), storage account name (required for SAS tokens), and one of SAS token or account key.
Parent-folder mode: point the Table URI at a parent directory (e.g. abfss://.../silver/) and Orion discovers every Delta table underneath on schema sync. Partition columns need no setup; Orion reads them from the Delta log for query pruning automatically.
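Before sending a SAS token, the added example below (written for this guide, not Orion’s or Azure’s code) parses the token query string and checks the properties asked for above: a service SAS scoped to the container (sr=c), read + list only (sp=rl), HTTPS only, and an expiry at least 90 days out, whether the token arrives with or without the leading ?. It cannot validate the signature, which requires the account key; the constructed SAMPLE_SAS carries a placeholder sig.

```python
"""Sanity-check an Azure SAS token before sending it to Orion.

Added example, not Orion's or Azure's code. It parses the token query string
and checks the properties this guide asks for: a service SAS scoped to the
container (sr=c), read + list only (sp=rl), HTTPS only, and an expiry at least
90 days out. It cannot validate the signature (that needs the account key).
SAMPLE_SAS is a constructed token with a placeholder signature.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs

SAMPLE_SAS = "?sv=2022-11-02&sr=c&sp=rl&se=2099-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
_SE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas(token):
    """Query-string parameters of a SAS token, with or without the leading '?'."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def parse_time(value):
    """Azure SAS timestamps: ISO 8601 UTC in one of the three accepted shapes."""
    for fmt in _SE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def check_sas(token, now_iso=None, min_days=90):
    """Return a list of findings; empty means the token matches the guide."""
    now = parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    if now is None:
        raise ValueError("now_iso must be ISO 8601 UTC, e.g. 2025-01-01T00:00:00Z")
    p = parse_sas(token)
    findings = []
    if "sig" not in p or "sv" not in p:
        findings.append("not a SAS token: sv and sig are required")
    perms = set(p.get("sp", ""))
    if perms - {"r", "l"}:
        findings.append(f"permissions sp={p.get('sp')} exceed read+list; Orion only needs sp=rl")
    if not {"r", "l"} <= perms:
        findings.append("both read (r) and list (l) are needed to enumerate _delta_log/ and read files")
    if "sr" in p and p["sr"] != "c":
        findings.append(f"sr={p['sr']}: scope the service SAS to the container (sr=c)")
    if "sr" not in p and "ss" in p:
        findings.append("account SAS: prefer a service SAS scoped to one container")
    if p.get("spr", "https") != "https":
        findings.append(f"spr={p['spr']} permits plain HTTP")
    exp = parse_time(p.get("se", ""))
    if exp is None:
        findings.append("se (expiry) missing or not ISO 8601 UTC")
    elif exp <= now:
        findings.append(f"token expired at {p['se']}")
    elif (exp - now).days < min_days:
        findings.append(f"token expires in {(exp - now).days} days; guide asks for {min_days}+")
    return findings


if __name__ == "__main__":
    for finding in check_sas(SAMPLE_SAS) or ["OK: token matches the guide"]:
        print(finding)
```

Run check_sas on the exact string you intend to send; the signature covers every parameter, so editing sp or se after the fact invalidates the token rather than tightening it. Regenerate instead.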
↑ Back to all data sources

dbt

If you use dbt, Orion can enrich an existing warehouse connection with your dbt model descriptions and lineage. You connect Orion to your dbt project’s GitHub repository with a read-only fine-grained access token.
1

Create a GitHub Personal Access Token

  1. Navigate to Settings → Developer Settings → Personal access tokens → Fine-grained tokens
  2. Click Generate new token
  3. Set your organization as the resource owner (if required)
  4. Configure permissions: Contents → Read access (Metadata is auto-added)
  5. Under Repository access, select Only select repositories and add your dbt project repo only
  6. Click Generate token, then copy and save it immediately; it won’t be shown again
2

Configure the Orion connection

  1. Go to https://[your-company].runorion.com/configuration
  2. Navigate to Data Sources
  3. Click the 3-dot menu on your data source tile, then Configure → Edit
  4. Click Add dbt project for enhanced metadata
  5. Enter the Repository URL (your dbt project’s GitHub URL) and Personal Access Token
  6. Click Save changes
Make sure there’s no trailing slash at the end of the Repository URL.
Standard dbt projects only require these two fields, Repository URL and Personal Access Token. Additional fields are optional.
↑ Back to all data sources