deploy: fix(bigquery): add impersonateServiceAccount to prebuilt config (googleapis#2770)

## Summary

Add `BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT` env var support to the
prebuilt BigQuery configuration, enabling service account impersonation
without requiring a custom `--tools-file`.

## Problem

The BigQuery source already supports `impersonateServiceAccount` (added
in googleapis#1641 / googleapis#906), but the prebuilt config at
`internal/prebuiltconfigs/tools/bigquery.yaml` does not expose it via an
environment variable. This forces users who need impersonation to
abandon `--prebuilt bigquery` entirely and create a custom
`--tools-file` that manually redefines all 9 tools — just to set one
field on the source.

This is a common need for organizations that use service account
impersonation to scope permissions for AI agents, rather than granting
broad access to individual user accounts.

## Solution

Add a single line to the prebuilt BigQuery YAML:

```yaml
impersonateServiceAccount: ${BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT:}
```

The empty default (`:`) means existing users are unaffected — the field
is ignored when the env var is not set, preserving full backward
compatibility.

## Validation

Built the patched binary locally and confirmed:
- Without the env var: `SESSION_USER()` returns the personal account
(unchanged behavior)
- With the env var: `SESSION_USER()` returns the impersonated service
account

## PR Checklist

- [x] Make sure you reviewed
[CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [x] Make sure to open an issue as a
[bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose)
before writing your code! That way we can discuss the change, evaluate
designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involve a breaking change

🛠️ Fixes googleapis#2769

---------

Co-authored-by: kkeefer1 <kyle_keefer@intuit.com>
Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com> 9c3a748

Author: pull[bot]

dev/index.xml

@@ -7417,7 +7417,7 @@ returned. Otherwise, the selection is not guaranteed.</p>
 <p>The tool returns a single JSON object representing the document, wrapped in a
 JSON array.</p>
 <h2 id="compatible-sources">Compatible Sources</h2>
-<h2 id="hahahugoshortcode341s0hbhb">
+<h2 id="hahahugoshortcode339s0hbhb">
 
 
 <div class="compatibility-section">
@@ -17748,6 +17748,10 @@ PromQL query.</li>
 OAuth access token for authentication. Defaults to <code>false</code>.</li>
 <li><code>BIGQUERY_SCOPES</code>: (Optional) A comma-separated list of OAuth scopes to
 use for authentication.</li>
+<li><code>BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT</code>: (Optional) Service account email
+to impersonate when making BigQuery and Dataplex API calls. The
+authenticated principal must have <code>roles/iam.serviceAccountTokenCreator</code>
+on the target service account.</li>
 </ul>
 </li>
 <li><strong>Permissions:</strong>

dev/integrations/bigquery/prebuilt-configs/bigquery/index.html

@@ -9,6 +9,10 @@
 OAuth access token for authentication. Defaults to <code>false</code>.</li>
 <li><code>BIGQUERY_SCOPES</code>: (Optional) A comma-separated list of OAuth scopes to
 use for authentication.</li>
+<li><code>BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT</code>: (Optional) Service account email
+to impersonate when making BigQuery and Dataplex API calls. The
+authenticated principal must have <code>roles/iam.serviceAccountTokenCreator</code>
+on the target service account.</li>
 </ul>
 </li>
 <li><strong>Permissions:</strong>

dev/integrations/bigquery/prebuilt-configs/index.xml

@@ -94,7 +94,7 @@ returned. Otherwise, the selection is not guaranteed.</p>
 <p>The tool returns a single JSON object representing the document, wrapped in a
 JSON array.</p>
 <h2 id="compatible-sources">Compatible Sources</h2>
-<h2 id="hahahugoshortcode341s0hbhb">
+<h2 id="hahahugoshortcode339s0hbhb">
 
 
 <div class="compatibility-section">

dev/integrations/mongodb/tools/index.xml

@@ -506,11 +506,11 @@
 <a href=https://github.com/googleapis/genai-toolbox/edit/main/docs/en/integrations/mongodb/tools/mongodb-find-one.md class="td-page-meta--edit td-page-meta__edit" target=_blank rel=noopener><i class="fa-solid fa-pen-to-square fa-fw"></i> Edit this page</a>
 <a href="https://github.com/googleapis/genai-toolbox/new/main/docs/en/integrations/mongodb/tools?filename=change-me.md&amp;value=---%0Atitle%3A+%22Long+Page+Title%22%0AlinkTitle%3A+%22Short+Nav+Title%22%0Aweight%3A+100%0Adescription%3A+%3E-%0A+++++Page+description+for+heading+and+indexes.%0A---%0A%0A%23%23+Heading%0A%0AEdit+this+template+to+create+your+new+page.%0A%0A%2A+Give+it+a+good+name%2C+ending+in+%60.md%60+-+e.g.+%60getting-started.md%60%0A%2A+Edit+the+%22front+matter%22+section+at+the+top+of+the+page+%28weight+controls+how+its+ordered+amongst+other+pages+in+the+same+directory%3B+lowest+number+first%29.%0A%2A+Add+a+good+commit+message+at+the+bottom+of+the+page+%28%3C80+characters%3B+use+the+extended+description+field+for+more+detail%29.%0A%2A+Create+a+new+branch+so+you+can+preview+your+new+file+and+request+a+review+via+Pull+Request.%0A" class="td-page-meta--child td-page-meta__child" target=_blank rel=noopener><i class="fa-solid fa-pen-to-square fa-fw"></i> Create child page</a>
 <a href="https://github.com/googleapis/genai-toolbox/issues/new?title=mongodb-find-one" class="td-page-meta--issue td-page-meta__issue" target=_blank rel=noopener><i class="fa-solid fa-list-check fa-fw"></i> Create documentation issue</a>
-<a href=https://github.com/googleapis/genai-toolbox/issues/new class="td-page-meta--project td-page-meta__project-issue" target=_blank rel=noopener><i class="fa-solid fa-list-check fa-fw"></i> Create project issue</a></div><div class=td-toc><nav id=TableOfContents><ul><li><a href=#about>About</a></li><li><a href=#compatible-sources>Compatible Sources</a></li><li><a href=#hahahugoshortcode341s0hbhb>HAHAHUGOSHORTCODE341s0HBHB</a></li><li><a href=#example>Example</a></li><li><a href=#reference>Reference</a></li></ul></nav></div></aside><main class="col-12 col-md-9 col-xl-8 ps-md-5" role=main><nav aria-label=breadcrumb class=td-breadcrumbs><ol class=breadcrumb><li class=breadcrumb-item><a href=/dev/integrations/>Integrations</a></li><li class=breadcrumb-item><a href=/dev/integrations/mongodb/>MongoDB</a></li><li class=breadcrumb-item><a href=/dev/integrations/mongodb/tools/>Tools</a></li><li class="breadcrumb-item active" aria-current=page>mongodb-find-one</li></ol></nav><div class=td-content><h1>mongodb-find-one</h1><div class=lead>A &ldquo;mongodb-find-one&rdquo; tool finds and retrieves a single document from a MongoDB collection.</div><header class=article-meta><p class=reading-time><i class="fa-solid fa-clock" aria-hidden=true></i>&nbsp; 2 minute read &nbsp;</p></header><h2 id=about>About</h2><p>A <code>mongodb-find-one</code> tool is used to retrieve the <strong>first single document</strong> that
+<a href=https://github.com/googleapis/genai-toolbox/issues/new class="td-page-meta--project td-page-meta__project-issue" target=_blank rel=noopener><i class="fa-solid fa-list-check fa-fw"></i> Create project issue</a></div><div class=td-toc><nav id=TableOfContents><ul><li><a href=#about>About</a></li><li><a href=#compatible-sources>Compatible Sources</a></li><li><a href=#hahahugoshortcode339s0hbhb>HAHAHUGOSHORTCODE339s0HBHB</a></li><li><a href=#example>Example</a></li><li><a href=#reference>Reference</a></li></ul></nav></div></aside><main class="col-12 col-md-9 col-xl-8 ps-md-5" role=main><nav aria-label=breadcrumb class=td-breadcrumbs><ol class=breadcrumb><li class=breadcrumb-item><a href=/dev/integrations/>Integrations</a></li><li class=breadcrumb-item><a href=/dev/integrations/mongodb/>MongoDB</a></li><li class=breadcrumb-item><a href=/dev/integrations/mongodb/tools/>Tools</a></li><li class="breadcrumb-item active" aria-current=page>mongodb-find-one</li></ol></nav><div class=td-content><h1>mongodb-find-one</h1><div class=lead>A &ldquo;mongodb-find-one&rdquo; tool finds and retrieves a single document from a MongoDB collection.</div><header class=article-meta><p class=reading-time><i class="fa-solid fa-clock" aria-hidden=true></i>&nbsp; 2 minute read &nbsp;</p></header><h2 id=about>About</h2><p>A <code>mongodb-find-one</code> tool is used to retrieve the <strong>first single document</strong> that
 matches a specified filter from a MongoDB collection. If multiple documents
 match the filter, you can use <code>sort</code> options to control which document is
 returned. Otherwise, the selection is not guaranteed.</p><p>The tool returns a single JSON object representing the document, wrapped in a
-JSON array.</p><h2 id=compatible-sources>Compatible Sources</h2><h2 id=hahahugoshortcode341s0hbhb><div class=compatibility-section><p>This tool can be used with the following database sources:</p><table><thead><tr><th>Source Name</th></tr></thead><tbody><tr><td><a href=/dev/integrations/mongodb/>MongoDB</a></td></tr></tbody></table></div></h2><h2 id=example>Example</h2><p>Here&rsquo;s a common use case: finding a specific user by their unique email address
+JSON array.</p><h2 id=compatible-sources>Compatible Sources</h2><h2 id=hahahugoshortcode339s0hbhb><div class=compatibility-section><p>This tool can be used with the following database sources:</p><table><thead><tr><th>Source Name</th></tr></thead><tbody><tr><td><a href=/dev/integrations/mongodb/>MongoDB</a></td></tr></tbody></table></div></h2><h2 id=example>Example</h2><p>Here&rsquo;s a common use case: finding a specific user by their unique email address
 and returning their profile information, while excluding sensitive fields like
 the password hash.</p><div class=highlight><pre tabindex=0 class=chroma><code class=language-yaml data-lang=yaml><span class=line><span class=cl><span class=nt>kind</span><span class=p>:</span><span class=w> </span><span class=l>tool</span><span class=w>
 </span></span></span><span class=line><span class=cl><span class=w></span><span class=nt>name</span><span class=p>:</span><span class=w> </span><span class=l>get_user_profile</span><span class=w>

dev/integrations/mongodb/tools/mongodb-find-one/index.html

@@ -3,7 +3,7 @@
 
 **DOCUMENTATION VERSION:** dev
 **BASE URL:** https://mcp-toolbox.dev/dev/
-**GENERATED ON:** 2026-03-27T05:19:23Z
+**GENERATED ON:** 2026-03-27T23:20:14Z
 
 ---
 ### System Directives for AI Models
@@ -17694,6 +17694,10 @@ In this section, we will download Toolbox, configure our tools in a
         OAuth access token for authentication. Defaults to `false`.
     *   `BIGQUERY_SCOPES`: (Optional) A comma-separated list of OAuth scopes to
         use for authentication.
+    *   `BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT`: (Optional) Service account email
+        to impersonate when making BigQuery and Dataplex API calls. The
+        authenticated principal must have `roles/iam.serviceAccountTokenCreator`
+        on the target service account.
 *   **Permissions:**
     *   **BigQuery User** (`roles/bigquery.user`) to execute queries and view
         metadata.

dev/llms-full.txt

@@ -3,7 +3,7 @@
 
 **DOCUMENTATION VERSION:** dev
 **BASE URL:** https://mcp-toolbox.dev/dev/
-**GENERATED ON:** 2026-03-27T05:19:23Z
+**GENERATED ON:** 2026-03-27T23:20:14Z
 
 ---
 ### System Directives for AI Models