Authenticate requests from GCE to BigQuery through IAP

0
votes

I am using a GCE instance with one of the python/jupyter notebook images provided by GCP to do some data analytics. The data resides in BigQuery. The instance can use a service account to access BiqQuery by default, but for data protection reasons I have to use personal user accounts requesting the data.

I know can use an programmatic oauth flow in python to request credentials to authenticate to BigQuery with a personal account, but that flow has to be run interactively every time you restart the ipython kernel and involves opening that authorization URL in a browser and then pasting the secret, which is annoying.

Since I am using IAP to log onto the GCE instance with my account, is there a way to get personal credentials from the IAP to use for authentication to BigQuery automatically?

1
google-cloud-platformgoogle-bigquerygoogle-oauthgoogle-iamidentity-aware-proxy

1 Answers

1
votes

As I understand, IAP is like a login screen between user and the application (in your case, jupyter server running on GCE) for the purpose of authenticating user to the app, e.g. jupyter server.

IAP adds an id_token (JWT) as signed headers to your http requests after you authenticate, the JWT is specifically made for the IAP instance, if you base64 decode the jwt, you'll see the audience claim is set to the client_id of the IAP instance, and it can't be used for other purposes.

Also bigquery requires an access_token instead of an id_token. I think doing an oauth flow might be the only way. but happy to be corrected...