Google BigQuery

Establishing a Connection

Authenticating to Google BigQuery

All connections to Google BigQuery are authenticated using OAuth. The provider supports using user accounts, service accounts and GCP instance accounts for authentication.

Authenticate with a User Account

AuthScheme must be set to OAuth in all of the user account flows

Set InitiateOAuth to GETANDREFRESH.

When testing the connection, it will open a browser and Google BigQuery will request your login information. The provider will use the credentials you provide to access your Google BigQuery data. These credentials will be saved and automatically refreshed as needed.

Authenticate with a Service Account

To authenticate using a service account, you must create a new service account and have a copy of the accounts certificate.

For a JSON file, you will need to set these properties:

  • AuthScheme: Required. Set this to OAuthJWT.

  • InitiateOAuth: Required. Set this to GETANDREFRESH.

  • OAuthJWTCertType: Required. Set this to GOOGLEJSON.

  • OAuthJWTCert: Required. Set this to the path to the .json file provided by Google.

  • OAuthJWTSubject: Optional. Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property should be the email address of the user whose data you want to access.

For a PFX file, you will need to set these properties instead:

  • AuthScheme: Required. Set this to OAuthJWT.

  • InitiateOAuth: Required. Set this to GETANDREFRESH.

  • OAuthJWTCertType: Required. Set this to PFXFILE.

  • OAuthJWTCert: Required. Set this to the path to the .pfx file provided by Google.

  • OAuthJWTCertPassword: Optional. Set this to the .pfx file password. In most cases this will need to be provided since Google encrypts PFX certificates.

  • OAuthJWTCertSubject: Optional. Set this only if you are using a OAuthJWTCertType which stores multiple certificates. Should not be set for PFX certificates generated by Google.

  • OAuthJWTIssuer: Required. Set this to the email address of the service account. This address will usually include the domain iam.gserviceaccount.com.

  • OAuthJWTSubject: Optional. Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property should be the email address of the user whose data you want to access.

If you do not already have a service account, you can create one by following the procedure in Creating a Custom OAuth App.

Authenticate with a GCP Instance Account

When running on a GCP virtual machine, the provider can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.

Last updated