Authenticating With a User Account for Installed Applications

This guide explains how to authenticate using user accounts for access to the Google BigQuery API when your application is installed onto users' machines.

A user credential can be used to ensure the application accesses only BigQuery tables that are available to the end user. A user credential can run queries against only the end user's Cloud Platform project rather than the application's project, meaning the user is billed for queries instead of the application.

Before you begin

  1. Create a new Google Cloud Platform project representing your installed application.
  2. Install the BigQuery client libraries.
  3. Install additional libraries.

    Python

    Install the oauthlib integration for Google Auth.
    pip install --upgrade google-auth-oauthlib

Setting up your client credentials

  1. Go to the API credentials page in the Cloud Platform Console.
  2. Fill out the required fields on the OAuth consent screen.
  3. On the credentials page, click the Create credentials button.

    Choose OAuth client ID.

  4. Select Other as the application type, and then click Create.
  5. Download the credentials by clicking the Download JSON button.

    Download JSON

    Save the credentials file to client_secrets.json. This file must be distributed with your application.

Authenticating and calling the API

  1. Use the client credentials to perform the OAuth 2.0 flow.

    Python

    def authenticate_and_query(project, query, launch_browser=True):
        appflow = flow.InstalledAppFlow.from_client_secrets_file(
            'client_secrets.json',
            scopes=['https://www.googleapis.com/auth/bigquery'])
    
        if launch_browser:
            appflow.run_local_server()
        else:
            appflow.run_console()
    
        run_query(appflow.credentials, project, query)
  2. Use the authenticated credentials to connect to the BigQuery API.

    Python

    def run_query(credentials, project, query):
        client = bigquery.Client(project=project, credentials=credentials)
        query_job = client.run_async_query(str(uuid.uuid4()), query)
        query_job.use_legacy_sql = False
        query_job.begin()
    
        wait_for_job(query_job)
    
        query_results = query_job.results()
        rows = query_results.fetch_data(max_results=10)
    
        for row in rows:
            print(row)

When you run the sample code, it will launch a browser requesting access to the project associated with the client secrets. The resulting credentials can then be used to access the user's BigQuery resources, because the sample requested the BigQuery scope.

What's next

  1. Learn about other ways to authenticate your application to access the BigQuery API.
  2. Learn about authentication with end user credentials for all Google Cloud Platform APIs.

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...