Authenticating With a User Account for Installed Applications

This guide explains how to authenticate using user accounts for access to the Google BigQuery API when your application is installed onto users' machines.

A user credential can be used to ensure the application accesses only BigQuery tables that are available to the end user. A user credential can run queries against only the end user's Cloud Platform project rather than the application's project, meaning the user is billed for queries instead of the application.

Before you begin

  1. Create a new Google Cloud Platform project representing your installed application.
  2. Install the BigQuery client libraries.
  3. Install additional libraries.


    Install the oauthlib integration for Google Auth.
    pip install --upgrade google-auth-oauthlib

Setting up your client credentials

Use the following button to select a project and create the required credentials.

Get Credentials

Manually creating credentials

  1. Go to the API credentials page in the Cloud Platform Console.
  2. Fill out the required fields on the OAuth consent screen.
  3. On the credentials page, click the Create credentials button.

    Choose OAuth client ID.

  4. Select Other as the application type, and then click Create.
  5. Download the credentials by clicking the Download JSON button.

    Download JSON

    Save the credentials file to client_secrets.json. This file must be distributed with your application.

Authenticating and calling the API

  1. Use the client credentials to perform the OAuth 2.0 flow.


    from google_auth_oauthlib import flow
    # TODO: Uncomment the line below to set the `launch_browser` variable.
    # launch_browser = True
    # The `launch_browser` boolean variable indicates if a local server is used
    # as the callback URL in the auth flow. A value of `True` is recommended,
    # but a local server does not work if accessing the application remotely,
    # such as over SSH or from a remote Jupyter notebook.
    appflow = flow.InstalledAppFlow.from_client_secrets_file(
    if launch_browser:
    credentials = appflow.credentials
  2. Use the authenticated credentials to connect to the BigQuery API.


    from import bigquery
    # TODO: Uncomment the line below to set the `project` variable.
    # project = 'user-project-id'
    # The `project` variable defines the project to be billed for query
    # processing. The user must have the permission on
    # this project to run a query. See:
    client = bigquery.Client(project=project, credentials=credentials)
    query_string = """SELECT name, SUM(number) as total
    FROM `bigquery-public-data.usa_names.usa_1910_current`
    WHERE name = 'William'
    GROUP BY name;
    query_job = client.query(query_string)
    # Print the results.
    for row in query_job.result():  # Wait for the job to complete.
        print("{}: {}".format(row['name'], row['total']))

When you run the sample code, it will launch a browser requesting access to the project associated with the client secrets. The resulting credentials can then be used to access the user's BigQuery resources, because the sample requested the BigQuery scope.

What's next

  1. Learn about other ways to authenticate your application to access the BigQuery API.
  2. Learn about authentication with end user credentials for all Google Cloud Platform APIs.
Czy ta strona była pomocna? Podziel się z nami swoją opinią:

Wyślij opinię na temat...

Potrzebujesz pomocy? Odwiedź naszą stronę wsparcia.