Authenticating requests to the Google BigQuery API

The BigQuery API requires all requests to be authenticated as a user or a service account. This guide describes how to perform authentication in various application scenarios.

  1. Application Default Credentials
  2. Authenticating as an end user

Application Default Credentials

Application Default Credentials should be used in most cases. It allows your application to use its own default service account credentials to access BigQuery tables as its own identity. Unless your application accesses BigQuery tables only available to its end user, or requires queries be billed to the end user's Cloud Platform project rather than the application's project, you should use Application Default Credentials

Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, including code samples, see Google Cloud Platform Auth Guide.

The following code sample demonstrates authenticating BigQuery API Clients using Application Default Credentials:

Java

private static Bigquery createAuthorizedClient() throws IOException {
  // Create the credential
  HttpTransport transport = new NetHttpTransport();
  JsonFactory jsonFactory = new JacksonFactory();
  GoogleCredential credential = GoogleCredential.getApplicationDefault(transport, jsonFactory);

  // Depending on the environment that provides the default credentials (e.g. Compute Engine, App
  // Engine), the credentials may require us to specify the scopes we need explicitly.
  // Check for this case, and inject the BigQuery scope if required.
  if (credential.createScopedRequired()) {
    Collection<String> bigqueryScopes = BigqueryScopes.all();
    credential = credential.createScoped(bigqueryScopes);
  }

  return new Bigquery.Builder(transport, jsonFactory, credential)
      .setApplicationName("BigQuery Samples")
      .build();
}

Python

# Grab the application's default credentials from the environment.
credentials = GoogleCredentials.get_application_default()
# Construct the service object for interacting with the BigQuery API.
bigquery_service = build('bigquery', 'v2', credentials=credentials)

C#

public BigqueryService CreateAuthorizedClient()
{
    GoogleCredential credential =
        GoogleCredential.GetApplicationDefaultAsync().Result;
    // Inject the Bigquery scope if required.
    if (credential.IsCreateScopedRequired)
    {
        credential = credential.CreateScoped(new[]
        {
            BigqueryService.Scope.Bigquery
        });
    }
    return new BigqueryService(new BaseClientService.Initializer()
    {
        HttpClientInitializer = credential,
        ApplicationName = "DotNet Bigquery Samples",
    });
}

PHP

function createAuthorizedClient()
{
    $client = new Google_Client();
    $client->useApplicationDefaultCredentials();
    $client->addScope(Google_Service_Bigquery::BIGQUERY);

    $service = new Google_Service_Bigquery($client);

    return $service;
}

Authenticating as an end user

If your application needs to access BigQuery using the end user's identity (e.g. if the table they'd like to access has an access control list specified that restricts access to your end user), you can use the OAuth 2.0 flow to obtain user credentials in various scenarios.

The credential object you obtain at the end of the flow can then be used as above in place of the application's default credentials object. See the documentation for your client library for details on how to obtain such a credentials object.

Send feedback about...

BigQuery Documentation