Get to Know Aembit and Workload IAM: Join Our Thursday Webinar!

RSAC™ Innovation Sandbox FINALIST 2024 banner
Aembit is an RSA Conference Innovation Sandbox finalist! Read the news

How to Authenticate to Google BigQuery Using OAuth 2.0 Client Credentials

OAuth 2.0 has emerged as a de facto standard for secure authentication. Here is a step-by-step tutorial for configuring it to Google BigQuery.
Industry Insights Template 5

BigQuery, Google’s fully managed, serverless data warehouse, has become an indispensable tool for businesses seeking to analyze large datasets at lightning speed. However, managing access to this tool requires secure authentication methods. 

With the proliferation of APIs across sectors, from cloud providers to data platforms and from CRM systems to financial platforms, OAuth 2.0 has emerged as a de facto standard for secure authentication. It helps to ensure that only authorized entities can access certain resources, thus safeguarding sensitive information from unauthorized use.

Yet, while OAuth 2.0 is widely recognized and utilized, the specifics of implementing it can vary significantly across different platforms and use cases. 

This post, like a previous one we wrote for Microsoft Graph, will provide a step-by-step approach to implement OAuth 2.0 for secure access to BigQuery. 

How to Authenticate to Google BigQuery using OAuth 2.0 Client Credentials


Note: This example assumes that you have a GCP Project with BigQuery enabled and data to query.


1. Log into GCP and go to the ‘APIs & Services’ -> ‘Credentials Management’ section. This can be accessed directly by going to

[Make sure you are in a GCP Project which you are authorized to use. For this example, we’re using ‘My Project 62571.’]


2. Click on the ‘Create Credentials’ button to create an OAuth 2.0 Client ID.

A screenshot of an interface offering credential creation options: API key, OAuth client ID, Service account, and a "Help me choose" feature for deciding the type of credential to use.

[The first time through, you’ll need to configure an OAuth consent screen. Select ‘Internal’ and ‘Create’ to continue.]

0Auth consent screen overview

3. Provide the app registration details as requested by GCP, for example:

a. App name: BigQuery Test

b. User support email: Your email address

c. Developer contact Email Address: Your email address

d. Click Save and Continue.

4. Provide the scopes required for Big Query access to this OAuth Client ID, for example:

a. Click ‘Add or Remove Scopes, Big Query’ ( should be sufficient.

b. Click ‘Save’ and ‘Continue.’

c. Verify your configuration and click on ‘Back to Dashboard.’

d. Configure the OAuth2 Client with ‘Application Type’ set to Desktop app and give it a ‘Name’ (e.g. Sample).

A screenshot of a user interface for creating an OAuth client ID with fields for application type and name, and a note that settings may take a few hours to take effect.

[GCP will generate the necessary configuration file and provide the details along with a download link. Please download the JSON, and we’ll come back to it in a moment.]


5. Let’s now create a sample Python application that can login to GCP and execute a BigQuery query. Sample code:

6. Install the necessary GCP OAuth libraries:

pip install –upgrade google_auth_oauthlib google-cloud-bigquery

7. Please update the script with appropriate values for ‘GCP_OAUTH_CLIENT_JSON’ and ‘GCP_PROJECT_ID’ that match your environment configuration.

8. Run the python script: python .\

[This will provide a URL that can be used in a web browser to request authorization and consent for a user who is authorized for the GCP Project being used.]

[The Redirect URI (urn:ietf:wg:oauth:2.0:oob) is a Google specific URN that is used for GCP’s “Installed Apps” OIDC Flow.]


Experience the Difference with Aembit

Are you using traditional OAuth 2.0 client credentials for accessing the Google Big Query? Discover how the Aembit Workload IAM Platform can transform your experience, offering a more secure, efficient, and manageable approach to workload identity and access management. Try us for free at

You might also like

If this definitive list doesn't convince you to pay us a visit, learn about Workload IAM, and meet the people behind the product, nothing will.
Snowflake shines in storage and analytics, yet your success hinges on adhering to security best practices, with workload IAM acting as a crucial ally.
This attestation method is designed for on-premises setups without the availability of AWS or Azure metadata services.