Authenticating With a Service or User Account

The Google BigQuery API authorizes all requests using an OAuth 2.0 access token. To get an access token, authenticate as a user or a service account. This guide describes how to perform authentication in various application scenarios.

Application Default Credentials

Application Default Credentials allow your application to use its own default service account credentials to access tables as its own identity.

Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, including code samples, see Google Cloud Platform Auth Guide.
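Because Application Default Credentials pick the identity for you, it is worth confirming which credential a host will actually resolve before you deploy. The following is an added example, not part of the original page or of Google's samples; it follows the search order used by the Google auth libraries (the file named by GOOGLE_APPLICATION_CREDENTIALS, then the gcloud well-known file, then the service account attached to the runtime) and reports file-based risks without calling any API. The function names and the Linux/macOS well-known path are assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumption: Linux/macOS layout of the gcloud well-known file (Windows uses %APPDATA%).
WELL_KNOWN = Path(".config") / "gcloud" / "application_default_credentials.json"

def adc_source(env, home):
    """Return (source, path) for the credential ADC would pick, in search order."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:                      # 1. file named by the environment variable
        return "env", Path(explicit)
    well_known = Path(home) / WELL_KNOWN
    if well_known.is_file():          # 2. file written by gcloud for local testing
        return "gcloud", well_known
    return "attached", None           # 3. service account attached to the runtime

def audit_adc(env, home):
    """Return (source, credential type, findings) without contacting any API."""
    source, path = adc_source(env, home)
    if path is None:
        return source, None, []
    if not path.is_file():
        return source, None, ["credential file is missing: %s" % path]
    kind = json.loads(path.read_text()).get("type")
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        findings.append("file mode %o lets other local users read the key" % mode)
    if kind == "service_account":
        findings.append("long-lived service account key on disk")
    return source, kind, findings

def demo():
    """Audit a constructed key file (placeholder values only) in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "key.json"
        key.write_text(json.dumps({"type": "service_account",
                                   "client_email": "app@example.invalid"}))
        os.chmod(key, 0o644)
        return audit_adc({"GOOGLE_APPLICATION_CREDENTIALS": str(key)}, tmp)

if __name__ == "__main__":
    print(demo())
```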

The following code sample demonstrates authenticating BigQuery Client Libraries using Application Default Credentials:

C#

For more on installing and creating a BigQuery client, refer to BigQuery Client Libraries.

using System;
using Google.Cloud.BigQuery.V2;

namespace GoogleCloudSamples
{
    class Program
    {
        static void Main(string[] args)
        {
            // Your Google Cloud Platform project ID
            string projectId = "YOUR_PROJECT_ID";

            // Instantiates a client
            BigQueryClient client = BigQueryClient.Create(projectId);

            // The id for the new dataset
            string datasetId = "my_new_dataset";

            // Creates the dataset
            BigQueryDataset dataset = client.CreateDataset(datasetId);

            Console.WriteLine($"Dataset {dataset.FullyQualifiedId} created.");
        }
    }
}

Go

For more on installing and creating a BigQuery client, refer to BigQuery Client Libraries.

// Sample bigquery-quickstart creates a Google BigQuery dataset.
package main

import (
	"fmt"
	"log"

	// Imports the Google Cloud BigQuery client package.
	"cloud.google.com/go/bigquery"
	"golang.org/x/net/context"
)

func main() {
	ctx := context.Background()

	// Sets your Google Cloud Platform project ID.
	projectID := "YOUR_PROJECT_ID"

	// Creates a client.
	client, err := bigquery.NewClient(ctx, projectID)
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	// Sets the name for the new dataset.
	datasetName := "my_new_dataset"

	// Creates a Dataset instance.
	dataset := client.Dataset(datasetName)

	// Creates the new BigQuery dataset.
	if err := dataset.Create(ctx); err != nil {
		log.Fatalf("Failed to create dataset: %v", err)
	}

	fmt.Printf("Dataset created\n")
}

Java

For more on installing and creating a BigQuery client, refer to BigQuery Client Libraries.

// Imports the Google Cloud client library
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.Dataset;
import com.google.cloud.bigquery.DatasetInfo;

public class QuickstartSample {
  public static void main(String... args) throws Exception {
    // Instantiates a client
    BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

    // The name for the new dataset
    String datasetName = "my_new_dataset";

    // Prepares a new dataset
    Dataset dataset = null;
    DatasetInfo datasetInfo = DatasetInfo.newBuilder(datasetName).build();

    // Creates the dataset
    dataset = bigquery.create(datasetInfo);

    System.out.printf("Dataset %s created.%n", dataset.getDatasetId().getDataset());
  }
}

Node.js

For more on installing and creating a BigQuery client, refer to BigQuery Client Libraries.

// Imports the Google Cloud client library
const BigQuery = require('@google-cloud/bigquery');

// Your Google Cloud Platform project ID
const projectId = 'YOUR_PROJECT_ID';

// Instantiates a client
const bigquery = BigQuery({
  projectId: projectId
});

// The name for the new dataset
const datasetName = 'my_new_dataset';

// Creates the new dataset
bigquery.createDataset(datasetName)
  .then((results) => {
    const dataset = results[0];

    console.log(`Dataset ${dataset.id} created.`);
  })
  .catch((err) => {
    console.error('ERROR:', err);
  });

PHP

For more on installing and creating a BigQuery client, refer to BigQuery Client Libraries.

# Includes the autoloader for libraries installed with composer
require __DIR__ . '/vendor/autoload.php';

# Imports the Google Cloud client library
use Google\Cloud\BigQuery\BigQueryClient;

# Your Google Cloud Platform project ID
$projectId = 'YOUR_PROJECT_ID';

# Instantiates a client
$bigquery = new BigQueryClient([
    'projectId' => $projectId
]);

# The name for the new dataset
$datasetName = 'my_new_dataset';

# Creates the new dataset
$dataset = $bigquery->createDataset($datasetName);

echo 'Dataset ' . $dataset->id() . ' created.';

Python

For more on installing and creating a BigQuery client, refer to BigQuery Client Libraries.

# Imports the Google Cloud client library
from google.cloud import bigquery

# Instantiates a client
bigquery_client = bigquery.Client()

# The name for the new dataset
dataset_name = 'my_new_dataset'

# Prepares the new dataset
dataset = bigquery_client.dataset(dataset_name)

# Creates the new dataset
dataset.create()

print('Dataset {} created.'.format(dataset.name))

Ruby

For more on installing and creating a BigQuery client, refer to BigQuery Client Libraries.

# Imports the Google Cloud client library
require "google/cloud/bigquery"

# Your Google Cloud Platform project ID
project_id = "YOUR_PROJECT_ID"

# Instantiates a client
bigquery = Google::Cloud::Bigquery.new project: project_id

# The name for the new dataset
dataset_name = "my_new_dataset"

# Creates the new dataset
dataset = bigquery.create_dataset dataset_name

puts "Dataset #{dataset.dataset_id} created."

Authenticating With a User Account

A user credential can be used to ensure the application accesses only BigQuery tables that are available to the end user. Queries made with a user credential can run only against the end user's Cloud Platform project, not the application's project, so the user rather than the application is billed for them.

Installed Applications

Use this flow if your application is installed onto users' machines.

Before you begin

  1. Create a new Google Cloud Platform project representing your installed application.
  2. Install the BigQuery client libraries.
  3. Install additional libraries.

    Python

    Install the oauthlib integration for Google Auth.
    pip install --upgrade google-auth-oauthlib

Setting up your client credentials

  1. Go to the API credentials page in the Cloud Platform Console.
  2. Fill out the required fields on the OAuth consent screen.
  3. On the credentials page, click the Create credentials button.

    Choose OAuth client ID.

  4. Select Other as the application type, and then click Create.
  5. Download the credentials by clicking the Download JSON button.

    Save the credentials file to client_secrets.json. This file must be distributed with your application.
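Since client_secrets.json ships with every copy of the application, a release check should confirm that the bundled file really is an installed-application OAuth client and not a service account key or a stored user credential. The following is an added example, not part of the original page; the function name and the sample documents are constructed, with placeholder values throughout.

```python
import json

# Constructed samples; every value is a placeholder.
INSTALLED_SAMPLE = json.dumps({"installed": {
    "client_id": "0000-example.apps.googleusercontent.com",
    "client_secret": "placeholder",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "redirect_uris": ["http://localhost"]}})
SERVICE_ACCOUNT_SAMPLE = json.dumps({
    "type": "service_account",
    "client_email": "app@example.invalid",
    "private_key": "placeholder"})


def check_client_secrets(text):
    """Return the reasons this JSON should not ship inside an installed application."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = []
    # Credentials that act without a user's consent must never be bundled.
    if doc.get("type") == "service_account" or "private_key" in doc:
        problems.append("service account key (private key present)")
    if doc.get("type") == "authorized_user" or "refresh_token" in doc:
        problems.append("stored user credential (refresh token present)")
    if "web" in doc:
        problems.append("web client secret, meant to stay on a server")
    client = doc.get("installed")
    if not isinstance(client, dict):
        return problems + ['no "installed" client section']
    for field in ("client_id", "auth_uri", "token_uri"):
        if not client.get(field):
            problems.append("installed.%s is missing" % field)
    for field in ("auth_uri", "token_uri"):
        if client.get(field) and not str(client[field]).startswith("https://"):
            problems.append("installed.%s is not https" % field)
    return problems


if __name__ == "__main__":
    for name, sample in (("installed", INSTALLED_SAMPLE),
                         ("service account", SERVICE_ACCOUNT_SAMPLE)):
        print(name, check_client_secrets(sample))
```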

Authenticating and Calling the API

  1. Use the client credentials to perform the OAuth 2.0 flow.

    Python

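    from google_auth_oauthlib import flow


    def authenticate_and_query(project, query, launch_browser=True):
        # Load the OAuth client ID and request only the BigQuery scope.
        appflow = flow.InstalledAppFlow.from_client_secrets_file(
            'client_secrets.json',
            scopes=['https://www.googleapis.com/auth/bigquery'])

        if launch_browser:
            # Opens the consent page in a browser and receives the result locally.
            appflow.run_local_server()
        else:
            # Prints the consent URL and prompts for the authorization code.
            appflow.run_console()

        run_query(appflow.credentials, project, query)

  2. Use the authenticated credentials to connect to the BigQuery API.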

    Python

    import uuid

    from google.cloud import bigquery


    def run_query(credentials, project, query):
        # Build the client with the user's credentials instead of the defaults.
        client = bigquery.Client(project=project, credentials=credentials)
        query_job = client.run_async_query(str(uuid.uuid4()), query)
        query_job.use_legacy_sql = False
        query_job.begin()

        # wait_for_job is not shown on this page; it must block until the job
        # has finished.
        wait_for_job(query_job)

        # Drain the query results by requesting a page at a time.
        query_results = query_job.results()
        page_token = None

        while True:
            rows, total_rows, page_token = query_results.fetch_data(
                max_results=10,
                page_token=page_token)

            for row in rows:
                print(row)

            if not page_token:
                break

When you run the sample code, it will launch a browser requesting access to the project associated with the client secrets. The resulting credentials can then be used to access the user's BigQuery resources, because the sample requested the BigQuery scope.

For more information about authenticating with user credentials in installed applications, see Using OAuth 2.0 for Installed Applications.

Other Applications

The credential object you obtain at the end of the flow can then be used as above in place of the application's default credentials object. See the documentation for your client library for details on how to obtain such a credentials object.
