# Google BigQuery

## Establishing a Connection <a href="#default" id="default"></a>

### Authenticating to Google BigQuery

All connections to Google BigQuery are authenticated using OAuth. The provider supports using user accounts, service accounts and GCP instance accounts for authentication.

#### Authenticate with a User Account

AuthScheme must be set to **OAuth** in all of the user account flows

Set InitiateOAuth to **GETANDREFRESH**.

When testing the connection, it will open a browser and Google BigQuery will request your login information. The provider will use the credentials you provide to access your Google BigQuery data. These credentials will be saved and automatically refreshed as needed.

#### Authenticate with a Service Account

To authenticate using a service account, you must create a new service account and have a copy of the accounts certificate.

For a JSON file, you will need to set these properties:

* AuthScheme: Required. Set this to **OAuthJWT**.
* InitiateOAuth: Required. Set this to **GETANDREFRESH**.
* OAuthJWTCertType: Required. Set this to **GOOGLEJSON**.
* OAuthJWTCert: Required. Set this to the path to the .json file provided by Google.
* OAuthJWTSubject: Optional. Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property should be the email address of the user whose data you want to access.

For a PFX file, you will need to set these properties instead:

* AuthScheme: Required. Set this to **OAuthJWT**.
* InitiateOAuth: Required. Set this to **GETANDREFRESH**.
* OAuthJWTCertType: Required. Set this to **PFXFILE**.
* OAuthJWTCert: Required. Set this to the path to the .pfx file provided by Google.
* OAuthJWTCertPassword: Optional. Set this to the .pfx file password. In most cases this will need to be provided since Google encrypts PFX certificates.
* OAuthJWTCertSubject: Optional. Set this only if you are using a OAuthJWTCertType which stores multiple certificates. Should not be set for PFX certificates generated by Google.
* OAuthJWTIssuer: Required. Set this to the email address of the service account. This address will usually include the domain **iam.gserviceaccount.com**.
* OAuthJWTSubject: Optional. Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property should be the email address of the user whose data you want to access.

If you do not already have a service account, you can create one by following the procedure in [Creating a Custom OAuth App](https://cdn.cdata.com/help/DBH/ado/pg_oauthcustomappcreate.htm).

#### Authenticate with a GCP Instance Account

When running on a GCP virtual machine, the provider can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to **GCPInstanceAccount**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.appstrategy.com/apprules-r-documentation/platform/platform-features/system-settings/data-sources/connection-settings/data-warehouse/googlebigquery.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.