This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

How to obtain an oauth access token to use the Google BigQuery Api

Posted on 11-05-2022 07:29 PM
ken-slabs
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I would like to expose a BigQuery stored procedure that returns data back to the caller based on parameters provided through an Apigee proxy.  As I understand, an oAuth access token is required in order to call the Google BigQuery API.

I found an article that explains using a predefined service account to deploy the proxy with the necessary BigQuery permissions.  Basically, it explained about using a ServiceCallOut policy to retrieve the access token but I am not sure how to properly setup the code in the policy to obtain the access token.  Or is it the correct approach (I included the snippet in the ServiceCallOut policy below)

https://www.googlecloudcommunity.com/gc/Apigee/How-to-get-Bearer-token-for-Management-APIs-in-Apigee...

https://cloud.google.com/apigee/docs/api-platform/security/google-auth/overview

ServiceCallOut code

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-GetOAuthAccessToken">
  <DisplayName>SC-GetOAuthAccessToken</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="myRequest">
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  </Request>
  <Response>calloutResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <Authentication>
      <GoogleAccessToken>
        <Scopes>
        </Scopes>
      </GoogleAccessToken>
    </Authentication>
  </HTTPTargetConnection>
</ServiceCallout>
Solved Solved
1 17 4,204
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

You're close, but not quite there.  For service-to-service calls, you will use a service account.  From an Apigee proxy, you need to POST to https://oauth2.googleapis.com/token , and the payload must include a JWT.  

Here's a repo that shows how: https://github.com/DinoChiesa/Apigee-GCS-Get/tree/main/sharedflows/get-googleapis-token

That's a re-usable sharedflow. You can use that to get a token that is usable with BQ.  The Service Account must have at least BQ Data Viewer role.  or something with similar permissions.

View solution in original post

Jump to Solution
17 REPLIES 17