
How to obtain an OAuth access token to use the Google BigQuery API

I would like to expose a BigQuery stored procedure that returns data back to the caller based on parameters provided through an Apigee proxy. As I understand, an OAuth access token is required in order to call the Google BigQuery API.

I found an article that explains using a predefined service account to deploy the proxy with the necessary BigQuery permissions. Basically, it explained using a ServiceCallOut policy to retrieve the access token, but I am not sure how to properly set up the code in the policy to obtain the access token. Or is it the correct approach? (I included the snippet in the ServiceCallOut policy below.)

https://www.googlecloudcommunity.com/gc/Apigee/How-to-get-Bearer-token-for-Management-APIs-in-Apigee...

https://cloud.google.com/apigee/docs/api-platform/security/google-auth/overview

ServiceCallOut code

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-GetOAuthAccessToken">
  <DisplayName>SC-GetOAuthAccessToken</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="myRequest">
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  </Request>
  <Response>calloutResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <Authentication>
      <GoogleAccessToken>
        <Scopes>
        </Scopes>
      </GoogleAccessToken>
    </Authentication>
  </HTTPTargetConnection>
</ServiceCallout>
1 ACCEPTED SOLUTION

You're close, but not quite there. For service-to-service calls, you will use a service account. From an Apigee proxy, you need to POST to https://oauth2.googleapis.com/token, and the payload must include a JWT.

Here's a repo that shows how: https://github.com/DinoChiesa/Apigee-GCS-Get/tree/main/sharedflows/get-googleapis-token

That's a re-usable sharedflow. You can use that to get a token that is usable with BQ. The Service Account must have at least the BQ Data Viewer role, or something with similar permissions.


17 REPLIES