
Google BigQuery, part of Google Cloud Platform, is a data warehousing solution designed for storing, querying, and analyzing large datasets. It offers scalability, SQL-based querying, and integrations with other GCP services and third-party tools.

Below you can find the Aembit configuration required to work with the GCP BigQuery service as a Server Workload using the BigQuery REST API.

Aembit supports multiple authentication/authorization methods for BigQuery. This page describes two scenarios, one per Credential Provider type:

  • OAuth 2.0 Authorization Code
  • Google Workload Identity Federation

**OAuth 2.0 Authorization Code**

  1. Create a new Server Workload.
  • Name - Choose a user-friendly name.
  2. Configure the Service endpoint:
  • Host - bigquery.googleapis.com
  • Application Protocol - HTTP
  • Port - 443 with TLS
  • Forward to Port - 443 with TLS
  • Authentication method - HTTP Authentication
  • Authentication scheme - Bearer
  1. Sign in to the Google Cloud Console and navigate to the Credentials page. Ensure that you are working within a GCP project for which you have authorization.

  2. On the Credentials dashboard, click Create Credentials located in the top left corner and select the OAuth client ID option.

Create OAuth client ID

  3. If there is no Consent Screen configured for your project, the page you are directed to shows a Configure Consent Screen button. Click it to continue.

Configure Consent Screen

  4. Choose the User Type and click Create.

    • Provide a name for your app.
    • Choose a user support email from the dropdown menu.
    • The app logo and app domain fields are optional.
    • Enter at least one email in the Developer contact information field.
    • Click Save and Continue.
    • You may skip the Scopes step by clicking Save and Continue once again.
    • In the Summary step, review the details of your app and click Back to Dashboard.
  5. Navigate back to the Credentials page, click Create Credentials, and select the OAuth client ID option again.

    • Choose Web Application for Application Type.
    • Provide a name for your web client.
    • Switch to the Aembit UI to create a new Credential Provider, selecting the OAuth 2.0 Authorization Code credential type. After setting up the Credential Provider, copy the auto-generated Callback URL.
    • Return to the Google Cloud Console and paste the copied URL into the Authorized redirect URIs field. Enter it exactly as copied; Google rejects the authorization request if the redirect URI does not match a registered value.
    • Click Create.
  6. A pop-up window will appear. Copy both the Client ID and the Client Secret and store them for later use in the tenant configuration. Treat the Client Secret as a credential: anyone holding it together with a captured authorization code can complete the flow as this client.

  7. Edit the Credential Provider created in the previous steps.

  • Name - Choose a user-friendly name.
  • Credential Type - OAuth 2.0 Authorization Code
  • Callback URL (Read-Only) - An auto-generated Callback URL from Aembit Admin.
  • Client Id - Provide the Client ID copied from Google.
  • Client Secret - Provide the Secret copied from Google.
  • Scopes - Enter the scopes you will use for BigQuery (e.g. https://www.googleapis.com/auth/bigquery). Use the narrowest scope that covers the workload's queries; https://www.googleapis.com/auth/bigquery.readonly is sufficient for read-only workloads. A full list of GCP scopes can be found at OAuth 2.0 Scopes for Google APIs.
  • OAuth URL - https://accounts.google.com

Click URL Discovery to populate the Authorization and Token URL fields; leave them as populated.

  • PKCE Required - Off
  • Lifetime - 1 year. Note that a Google Cloud project whose OAuth consent screen is configured for the External user type with a publishing status of Testing is issued refresh tokens that expire after 7 days, so with that configuration the Credential Provider has to be re-authorized weekly.
    Google does not specify a refresh token lifetime for the Internal user type; the 1 year value is Aembit's recommendation. For more information, refer to the official Google documentation.
  8. Click Save to save your changes on the Credential Provider.

  9. In the Aembit UI, click the Authorize button. You will be directed to a page where you first choose your Google account, then click Allow to complete the OAuth 2.0 Authorization Code flow. You will see a success page and be redirected to Aembit automatically. You can also verify that the flow completed by checking the State value of the Credential Provider, which should be Ready.

Credential Provider - Ready State

**Google Workload Identity Federation**

  1. Create a new Server Workload.
  • Name - Choose a user-friendly name.
  2. Configure the Service endpoint:
  • Host - bigquery.googleapis.com
  • Application Protocol - HTTP
  • Port - 443 with TLS
  • Forward to Port - 443 with TLS
  • Authentication method - HTTP Authentication
  • Authentication scheme - Bearer
  1. Sign in to the Google Cloud Console and navigate to Service Accounts. Ensure that you are working within a GCP project for which you have authorization.

  2. On the Service Accounts dashboard, click Create Service Account located in the top left corner.

Create Service Account

- Provide a name for your service account. The ID will be generated based on the account name, but you have the option to edit it. The description field is optional.
- Click the icon next to **Email address** to copy it and store the address for later.
- Click **Done**.

Create Service Account Details

  3. In the left navigation pane, select IAM to access the list of permissions for your project.

  4. Click the Grant Access button in the ribbon in the middle of the page.

Grant Access to Service Account in IAM

  5. In the opened dialog, click New Principals, start typing your service account name, and select it from the search results.

  6. Assign roles to your service account by clicking the dropdown icon, selecting the GCP role that best suits your project needs, and then clicking Save. Follow least privilege: for a workload that only runs queries, roles/bigquery.jobUser on the project plus roles/bigquery.dataViewer on the specific datasets it reads is enough; reserve roles/bigquery.admin for administrative tooling.

Set Role to Service Account

  7. In the left navigation pane, select Workload Identity Federation. If this is your first time on this page, click Get Started; otherwise, click Create Pool.

Create Identity Pool

- Specify a name for your identity pool. The ID will be generated based on the pool name, but you can edit it if needed. The description field is optional; proceed by clicking **Continue**.
- Next, add a provider to the pool. Select **OpenID Connect (OIDC)** as the provider option and specify a name for your provider. Again, the ID will be auto-generated, but you can edit it.
- For the **Issuer (URL)** field, switch to the Aembit UI to create a new Credential Provider, selecting the Google Workload Identity Federation credential type. After setting up the Credential Provider, copy the auto-generated **Issuer URL**, then paste it into the field.
- If you leave the Audiences option set to Default audience, click the **Copy to clipboard** icon next to the auto-generated value and store the address for later use in the tenant configuration, then proceed by clicking **Continue**.

Add Provider

- In the attribute mapping section, map **google.subject** to the provider attribute **assertion.tenant** (the OIDC 1 field) and click **Save**. This makes the Aembit tenant ID the subject that the next step grants service account impersonation to, so keep the mapping exactly this narrow.

8. To access resources, pool identities must be granted access to a service account. Within the GCP workload identity pool you just created, click the Grant Access button located in the top ribbon list.

- In the opened dialog, choose the **Grant access using Service Account impersonation** option.
- Then choose the **Service Account** that you created from the dropdown menu.
- For **Attribute name**, choose **subject** from the dropdown menu.
- For **Attribute value**, provide your Aembit Tenant ID. You can find your tenant ID in the URL you use. For example, if the URL is `https://xyz.aembit.io`, then `xyz` is your tenant ID.
- Click **Save**.

Grant Access to Service Account in Pool Identity

9. Edit the existing Credential Provider created in the previous steps.

  • Name - Choose a user-friendly name.
  • Credential Type - Google Workload Identity Federation
  • OIDC Issuer URL (Read-Only) - An auto-generated OpenID Connect (OIDC) Issuer URL from Aembit Admin.
  • Audience - Provide the audience value for the provider. The value must match one of the following: Default - the full canonical resource name of the Workload Identity Pool Provider, of the form https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID (used if "Default audience" was chosen during setup). Allowed Audiences - a value included in the configured allowed audiences list, if one was defined.
  • Service Account Email - Provide the service account email that was previously copied from the Google Cloud Console during service account creation (e.g., service-account-name@project-id.iam.gserviceaccount.com).
  • Lifetime - Specify the duration for which the issued credentials remain valid. Keep it short: a shorter lifetime limits the window in which a token intercepted from the Client Workload remains usable, and Google caps service account access tokens at 1 hour unless the organization policy constraints/iam.allowServiceAccountCredentialLifetimeExtension has been set.
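To make the Workload Identity Federation configuration above concrete, here is an added example (not Aembit's or Google's code) that reconstructs, from the public STS and IAM Credentials REST APIs, the two-step exchange this credential type performs: the Aembit-issued OIDC token is exchanged for a federated token, which is then used to impersonate the service account granted to the pool subject. It also applies the pool's attribute mapping (google.subject = assertion.tenant) locally as a pre-check, decoding the token payload without verifying its signature. Every identifier in it (project number, pool and provider IDs, tenant, service account email, issuer URL) is a hypothetical placeholder, and the sample token is constructed and unsigned.

```python
"""
Added example (not Aembit's or Google's code): the STS token exchange and
service account impersonation behind a Google Workload Identity Federation
credential, plus a local pre-check of the OIDC token against the pool settings.

All identifiers are hypothetical: project number 123456789012, pool
"aembit-pool", provider "aembit-oidc", tenant "xyz", service account
"bq-reader@my-project.iam.gserviceaccount.com".
"""
import base64
import json
import urllib.request

PROJECT_NUMBER = "123456789012"
POOL_ID = "aembit-pool"
PROVIDER_ID = "aembit-oidc"
TENANT_ID = "xyz"
SERVICE_ACCOUNT = "bq-reader@my-project.iam.gserviceaccount.com"

# Canonical provider resource. The token's "aud" carries the https:// form the
# console shows as "Default audience"; the STS request uses the scheme-less
# "//iam.googleapis.com/..." form. Mixing the two up makes STS reject the token.
PROVIDER_RESOURCE = (
    f"projects/{PROJECT_NUMBER}/locations/global/"
    f"workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}"
)
DEFAULT_AUDIENCE = f"https://iam.googleapis.com/{PROVIDER_RESOURCE}"
STS_AUDIENCE = f"//iam.googleapis.com/{PROVIDER_RESOURCE}"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def precheck_subject_token(jwt, expected_aud=DEFAULT_AUDIENCE,
                           expected_tenant=TENANT_ID):
    """Apply the pool's attribute mapping (google.subject = assertion.tenant)
    locally and check the result against the subject granted impersonation.
    This only decodes the payload; it does NOT verify the signature, which
    Google STS does against the issuer's published keys. Returns the subject."""
    _header, payload, _sig = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != expected_aud:
        raise ValueError("aud does not match the provider's default audience")
    subject = claims.get("tenant")          # google.subject = assertion.tenant
    if subject != expected_tenant:
        raise ValueError("tenant claim does not match the granted subject")
    return subject


def build_sts_request(subject_token):
    """Step 1: exchange the OIDC token for a federated access token."""
    body = {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": STS_AUDIENCE,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": subject_token,
    }
    return "https://sts.googleapis.com/v1/token", body


def build_impersonation_request(federated_token, lifetime_seconds=3600):
    """Step 2: use the federated token to mint a service account access token
    scoped to BigQuery only. Google caps lifetime at 3600s unless the org
    policy allowing credential lifetime extension is set."""
    url = ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{SERVICE_ACCOUNT}:generateAccessToken")
    headers = {"Authorization": f"Bearer {federated_token}",
               "Content-Type": "application/json"}
    body = {"scope": ["https://www.googleapis.com/auth/bigquery"],
            "lifetime": f"{lifetime_seconds}s"}
    return url, headers, body


def post_json(url, body, headers=None):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange(subject_token):
    """Full chain: precheck -> STS -> generateAccessToken. Needs network access."""
    precheck_subject_token(subject_token)
    sts_url, sts_body = build_sts_request(subject_token)
    federated = post_json(sts_url, sts_body)["access_token"]
    url, headers, body = build_impersonation_request(federated)
    return post_json(url, body, headers)["accessToken"]


def make_demo_token(tenant=TENANT_ID, aud=DEFAULT_AUDIENCE):
    """Constructed, UNSIGNED token in JWT layout for offline use only; the
    issuer URL is a placeholder, not Aembit's real issuer."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"iss": "https://issuer.example", "aud": aud, "tenant": tenant})
    return f"{header}.{payload}.not-a-real-signature"
```

Aembit performs this exchange for you; the point of the block is to show which values in the Credential Provider and the pool provider have to agree (audience, tenant-to-subject mapping, service account email), which is where misconfigurations surface. Running `exchange(make_demo_token())` against real Google endpoints fails at step 1 because the sample token is unsigned, as it should.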

Aembit now handles the credentials required to access the Server Workload, eliminating the need for you to manage them directly. You can safely remove any previously used credentials from the Client Workload.

If you access the Server Workload through an SDK or library, it is possible that the SDK/library may still require credentials to be present for initialization purposes. In this scenario, you can provide placeholder credentials. Aembit will overwrite these placeholder credentials with the appropriate ones during the access process.
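As an added example (not code from the page or from Aembit), here is what a Client Workload's call to the BigQuery REST API looks like under either Credential Provider above: it targets the Server Workload host with a placeholder Bearer token that Aembit replaces in transit, passes user input as named query parameters rather than splicing it into the SQL, and parses the `bigquery#queryResponse` format (schema fields plus rows of `{"f": [{"v": ...}]}` string-encoded cells) into Python values. The project, dataset, table and the sample response are constructed for the example.

```python
"""
Added example (not from the page or from Aembit): a Client Workload calling
BigQuery jobs.query through the Server Workload defined above. The
Authorization header carries a placeholder; with TLS Decrypt and the Access
Policy in place, Aembit overwrites it with the real Bearer token.

Hypothetical values: project "my-project", table `my-project.sales.orders`.
"""
import json
import urllib.request

BIGQUERY_HOST = "bigquery.googleapis.com"   # Server Workload host from the page
PLACEHOLDER_TOKEN = "aembit-placeholder"    # never a real credential

# BigQuery returns every cell as a string (or null); map by schema field type.
_CONVERTERS = {
    "INTEGER": int, "INT64": int,
    "FLOAT": float, "FLOAT64": float, "NUMERIC": float,
    "BOOLEAN": lambda v: v == "true", "BOOL": lambda v: v == "true",
}


def build_query_request(project, sql, params=None, token=PLACEHOLDER_TOKEN):
    """Build a jobs.query call. params maps @name -> (BigQuery type, value);
    using named parameters keeps untrusted input out of the SQL text."""
    url = f"https://{BIGQUERY_HOST}/bigquery/v2/projects/{project}/queries"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = {"query": sql, "useLegacySql": False, "timeoutMs": 30000}
    if params:
        body["parameterMode"] = "NAMED"
        body["queryParameters"] = [
            {"name": name,
             "parameterType": {"type": ptype},
             "parameterValue": {"value": str(value)}}
            for name, (ptype, value) in params.items()
        ]
    return url, headers, body


def parse_query_response(payload):
    """Turn a bigquery#queryResponse into a list of dicts keyed by column.
    Raises if the job did not finish within timeoutMs; the caller should then
    poll jobs.getQueryResults with the returned jobReference."""
    if not payload.get("jobComplete", False):
        raise RuntimeError("query still running; poll jobs.getQueryResults")
    fields = payload.get("schema", {}).get("fields", [])
    rows = []
    for row in payload.get("rows", []):
        record = {}
        for field, cell in zip(fields, row["f"]):
            value = cell["v"]
            convert = _CONVERTERS.get(field["type"])
            record[field["name"]] = (None if value is None
                                     else convert(value) if convert else value)
        rows.append(record)
    return rows


def run_query(project, sql, params=None):
    """Send the request through the Aembit-protected path (needs network)."""
    url, headers, body = build_query_request(project, sql, params)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_query_response(json.load(resp))


# Constructed sample response in the shape BigQuery returns, for offline use.
SAMPLE_RESPONSE = {
    "kind": "bigquery#queryResponse",
    "schema": {"fields": [
        {"name": "customer", "type": "STRING", "mode": "NULLABLE"},
        {"name": "orders", "type": "INTEGER", "mode": "NULLABLE"},
        {"name": "active", "type": "BOOLEAN", "mode": "NULLABLE"},
    ]},
    "jobComplete": True,
    "totalRows": "2",
    "rows": [
        {"f": [{"v": "acme"}, {"v": "42"}, {"v": "true"}]},
        {"f": [{"v": "globex"}, {"v": None}, {"v": "false"}]},
    ],
}

if __name__ == "__main__":
    _, _, body = build_query_request(
        "my-project",
        "SELECT customer, COUNT(*) AS orders, LOGICAL_OR(active) AS active "
        "FROM `my-project.sales.orders` WHERE region = @region GROUP BY customer",
        {"region": ("STRING", "EMEA")})
    print(json.dumps(body, indent=2))
    print(parse_query_response(SAMPLE_RESPONSE))
```

The same placeholder approach applies when an SDK insists on credentials at initialization: give it a dummy token, let Aembit substitute the real one, and make sure the dummy value could never be mistaken for a live credential in logs or error messages.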

  • Create an Access Policy for a Client Workload to access the GCP BigQuery Server Workload. Assign the newly created Credential Provider to this Access Policy.
  • You will need to configure the TLS Decrypt feature to work with the GCP BigQuery Server Workload.