BigQuery authentication with JWT token

[pichain001]

Hi all,

I can see several ways to authenticate to BQ with key files and keys in your crate. Those do not work for us as we do not want to manage keys.

I would like to authenticate via JWT token against the BQ scope (https://bigquery.googleapis.com). Did I miss it or is there a way to use JWT tokens of SA to authenticate? Or any workaround?
Big thanks!

[debrutal]

I am not aware of any JWT token, that enables you to access bigquery. The only way i know is to impersonate a service account with the needed permissions.

Being in the gcp you can always use the APPLICATION_DEFAULT_CREDENTIALS from the running node. This then is the service account running the instance (Cloud Run, Kubernetes Node, etc.). The appropriate methode would be gcp_bigquery_client::Client::from_application_default_credentials.

This way you don't handle keys or anything, but you are bound to invoke the BQ with a node inside the gcp and the service account running your instance.

[SamuelRamond]

A bit late to answer but might be useful for other:
If you are talking about a JWT generated from oauth flow on your own (without using yup2 flow) you can simply implement your own authenticator like:

use async_trait::async_trait;
use gcp_bigquery_client::{auth::Authenticator, error::BQError, Client};

#[derive(Clone)]
pub struct GoogleBigQueryAuthenticator {
    jwt: String,
}

#[async_trait]
impl Authenticator for GoogleBigQueryAuthenticator {
    async fn access_token(&self) -> Result<String, BQError> {
        Ok(self.jwt.clone())
    }
}

then init the client like:

let client = gcp_bigquery_client::Client::from_authenticator(Arc::new(
            GoogleBigQueryAuthenticator {
                jwt,
            },
        ))
        .await?;

Note that this implementation is simplistic an lack refresh mechanism ect...