Security is a top priority. Masthead agent
does not query data in Data Warehouse, it uses CDC logs produced by transactions executed in it.
During the installation process next resources are created under your Google Cloud:
Logs Router with included filter, which automatically publishes to Pub/Sub topic
To get metadata of BigQuery schema and its tables and views, the installation script creates
masthead_bq_schema_readercustom role with next permissions:
Binds Masthead Service account to PubSub and newly created custom role. So Masthead Service Account has next roles granted to it: