Google APIs - App-Level Authorization for Android BigQuery Client

Question

I've set up a project in Google API's for use with BigQuery. I've generated Client ID credentials and am using the BigQuery client for Android.

    GoogleAccountCredential credential = GoogleAccountCredential.usingOAuth2(getApplicationContext(), Collections.singleton(BigqueryScopes.BIGQUERY));

    ...Display User Picker...

    credential.setSelectedAccountName("account.selected.by.user@gmail.com");
    Bigquery bigQuery = new Bigquery.Builder(AndroidHttp.newCompatibleTransport(), GsonFactory.getDefaultInstance(), credential)
                    .setApplicationName("My-App/1.0").build()

    ...use bigQuery to run a job or do whatever...

We can successfully connect to BigQuery, but only for Project Member Accounts as seen at https://console.developers.google.com/project/apps~my-project-name/permissions. Use of other accounts results in 403 Access Denied JSON errors from the BigQuery Client.

The app is to be deployed to any number of users where we do not know their accounts ahead of time. This workflow doesn't support that, unless I'm missing some trick.

It's starting to smell like we need to set up an App Engine app, use GoogleAccountCredential.usingAudience, and set up web services as a pass-through to BigQuery.

Any ideas or thoughts will be appreciated with up votes.

Answer 1

This can be accomplished by using a Service Account, which is typically geared for server-to-server communication.

Follow the instructions at https://developers.google.com/bigquery/docs/authorization#service-accounts-server.

GoogleCredential credential = new GoogleCredential.Builder().setTransport(TRANSPORT)
    .setJsonFactory(JSON_FACTORY)
    .setServiceAccountId("XXXXXXX@developer.gserviceaccount.com")
    .setServiceAccountScopes(SCOPE)
    .setServiceAccountPrivateKeyFromP12File(new File("my_file.p12"))
    .build();

bigquery = new Bigquery.Builder(TRANSPORT, JSON_FACTORY, credential)
    .setApplicationName("BigQuery-Service-Accounts/0.1")
    .setHttpRequestInitializer(credential).build();

Save the p12 file to your assets folder, and generate a physical File object out of the InputStream from the p12 file in assets.

In this way, you can have your Android application act as a non-user-centric client of BigQuery. Awesome!