Using an External Account
You can configure the connector to authenticate the connection with an external account (workload or workforce identity federation).
You must provide a configuration file for the external account. The configuration file can be downloaded from the Google API Console.
To configure external account authentication:
- Set the OAuthType property to 4.
- Set the ProjectID property to the desired project.
- Set the OAuthPvtKey or OAuthPvtKeyPath property to the full path of the external account configuration file, or the OAuthPvtKey property to a raw JSON object containing the configuration file contents.
Alternatively, you can use the BYOID_ properties instead of a configuration file.
The following is the format of a workforce configuration file:
{
"type": "external_account",
"audience": "//iam.googleapis.com/locations/[LOCATION]/workforcePools/[WORKFORCE_POOL_ID]/providers/[PROVIDER_ID]",
"subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
"token_url": "https://sts.googleapis.com/v1/token",
"workforce_pool_user_project": "[WORKFORCE_POOL_USER_PROJECT]",
"credential_source": {"file"/"url": "[PATH_TO_OIDC_CREDENTIALS]"
...
}
}
For example, the following connection URL authenticates the connection using an external account:
jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;ProjectId=MyBigQueryProject;OAuthType=4;OAuthPvtKeyPath=C:\Path-to-Files\ConfigurationFile.json;
The following connection URL uses the BYOID_ properties instead of a configuration file:
jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;OAuthType=4;ProjectId=MyBigQueryProject;BYOID_AudienceUri=//iam.googleapis.com/locations/global/workforcePools/pool-id/providers/provider-id;BYOID_PoolUserProject=workforceProjectNumber;BYOID_CredentialSource={"file": "C:\\Token.txt"};
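The configuration file decides where the external token is exchanged (token_url) and where it is read from (credential_source), so a file received from another party is worth checking before OAuthPvtKey or OAuthPvtKeyPath points at it. The following Python check is an added example, not part of the connector or its documentation; the function name check_workforce_config, the trusted-host list and the https-only rule for url sources are assumptions, and it covers only the workforce layout shown above.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: only the STS host from the page's sample file is trusted.
TRUSTED_TOKEN_HOSTS = {"sts.googleapis.com"}
# Workforce audience layout as shown in the page's sample file.
AUDIENCE_RE = re.compile(r"//iam\.googleapis\.com/locations/[^/]+/workforcePools/[^/]+/providers/[^/]+")

def _url(value):
    try:
        return urlsplit(str(value))
    except ValueError:  # malformed URL: treat it as empty
        return urlsplit("")

def check_workforce_config(raw_json):
    """Return a list of problems found in a workforce configuration file."""
    try:
        cfg = json.loads(raw_json)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = []
    if cfg.get("type") != "external_account":
        problems.append("type must be external_account")
    if not AUDIENCE_RE.fullmatch(str(cfg.get("audience", ""))):
        problems.append("audience is not a workforce pool provider")
    for key in ("subject_token_type", "workforce_pool_user_project"):
        if not cfg.get(key):
            problems.append(f"{key} is missing")
    token = _url(cfg.get("token_url", ""))
    if token.scheme != "https" or token.hostname not in TRUSTED_TOKEN_HOSTS:
        problems.append("token_url is not https on a trusted STS host")
    source = cfg.get("credential_source")
    kinds = [k for k in ("file", "url") if isinstance(source, dict) and k in source]
    if len(kinds) != 1:
        problems.append("credential_source needs exactly one of file or url")
    elif kinds == ["url"] and _url(source["url"]).scheme != "https":
        problems.append("credential_source.url must use https (local policy)")
    return problems

# Constructed samples reusing the page's placeholder names; BAD is a tampered copy.
GOOD = {"type": "external_account", "token_url": "https://sts.googleapis.com/v1/token",
        "audience": "//iam.googleapis.com/locations/global/workforcePools/pool-id/providers/provider-id",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "workforce_pool_user_project": "workforceProjectNumber",
        "credential_source": {"file": "C:\\Token.txt"}}
BAD = dict(GOOD, token_url="https://sts.googleapis.com.example.net/v1/token",
           credential_source={"file": "C:\\Token.txt", "url": "https://idp.example/t"})
```

check_workforce_config(json.dumps(GOOD)) returns an empty list, while the tampered copy is reported for its look-alike token host and its ambiguous credential source.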
Note: For more information about using external accounts, see "Workforce Identity Federation" and "Workload Identity Federation" in the Google Cloud documentation.
Note: For more information about generating configuration files, see "Generate a Configuration File" in the Google Cloud documentation.