Aembit Earns Prestigious Runner-Up Spot at RSA Innovation Sandbox Contest! Watch the Announcement

Aembit Earns Two Nominations in 2024 SC Awards! Get the Full Scoop

RSAC™ Innovation Sandbox FINALIST 2024 banner
Aembit is an RSA Conference Innovation Sandbox finalist! Read the news

How to Authenticate to Google BigQuery Using OAuth 2.0 Client Credentials

Industry Insights Template 5

BigQuery, Google’s fully managed, serverless data warehouse, has become an indispensable tool for businesses seeking to analyze large datasets at lightning speed. However, managing non-human access to this tool requires secure authentication methods. 

With the proliferation of APIs across sectors, from cloud providers to data platforms and from CRM systems to financial platforms, OAuth 2.0 has emerged as a de facto standard for secure authentication. It helps to ensure that only authorized entities can access certain resources, thus safeguarding sensitive information from unauthorized use.

Yet, while OAuth 2.0 is widely recognized and utilized, the specifics of implementing it can vary significantly across different platforms and use cases. 

This post, like a previous one we wrote for Microsoft Graph, will provide a step-by-step approach to implement OAuth 2.0 for secure access to BigQuery. 

How to Authenticate to Google BigQuery using OAuth 2.0 Client Credentials

Prerequisites:

Note: This example assumes that you have a GCP Project with BigQuery enabled and data to query.

Steps:

1. Log into GCP and go to the ‘APIs & Services’ -> ‘Credentials Management’ section. This can be accessed directly by going to https://console.cloud.google.com/apis/credentials

[Make sure you are in a GCP Project which you are authorized to use. For this example, we’re using ‘My Project 62571.’]m

bigquery-overview

2. Click on the ‘Create Credentials’ button to create an OAuth 2.0 Client ID.

A screenshot of an interface offering credential creation options: API key, OAuth client ID, Service account, and a "Help me choose" feature for deciding the type of credential to use.

[The first time through, you’ll need to configure an OAuth consent screen. Select ‘Internal’ and ‘Create’ to continue.]

0Auth consent screen overview

3. Provide the app registration details as requested by GCP, for example:

a. App name: BigQuery Test

b. User support email: Your email address

c. Developer contact Email Address: Your email address

d. Click Save and Continue.

4. Provide the scopes required for Big Query access to this OAuth Client ID, for example:

a. Click ‘Add or Remove Scopes, Big Query’ (https://www.googleapis.com/auth/bigquery) should be sufficient.

b. Click ‘Save’ and ‘Continue.’

c. Verify your configuration and click on ‘Back to Dashboard.’

d. Configure the OAuth2 Client with ‘Application Type’ set to Desktop app and give it a ‘Name’ (e.g. Sample).

A screenshot of a user interface for creating an OAuth client ID with fields for application type and name, and a note that settings may take a few hours to take effect.

[GCP will generate the necessary configuration file and provide the details along with a download link. Please download the JSON, and we’ll come back to it in a moment.]

bigquery

5. Let’s now create a sample Python application that can login to GCP and execute a BigQuery query. Sample code:

6. Install the necessary GCP OAuth libraries:

pip install –upgrade google_auth_oauthlib google-cloud-bigquery

7. Please update the gcp-bigquery.py script with appropriate values for ‘GCP_OAUTH_CLIENT_JSON’ and ‘GCP_PROJECT_ID’ that match your environment configuration.

8. Run the python script: python .\gcp-bigquery.py

[This will provide a URL that can be used in a web browser to request authorization and consent for a user who is authorized for the GCP Project being used.]

[The Redirect URI (urn:ietf:wg:oauth:2.0:oob) is a Google specific URN that is used for GCP’s “Installed Apps” OIDC Flow.]

bigquery-code

Experience the Difference with Aembit

Are you using traditional OAuth 2.0 client credentials for accessing the Google Big Query? Discover how the Aembit Workload IAM Platform can transform your experience, offering a more secure, efficient, and manageable approach to non-human identity and access management.

Try us for free at aembit.io.

You might also like

How our journey began – and why securing non-human identities is personal for us and our mission.
As apps and service accounts proliferate, robust management is key to maintaining automated, scalable, and resilient IT environments.
See how we're helping you enhance serverless security with dynamic tokens, policy enforcement, and no-code support for non-human identities