Merge pull request #363 from k1LoW/bigquery-impersonate-service-account

Support service account impersonation with BigQuery
k1LoW · Jul 28, 2022 · e4ff861 · e4ff861
2 parents 072711d + 83c9730
commit e4ff861
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -477,6 +477,11 @@ To set `GOOGLE_APPLICATION_CREDENTIALS` environment variable, you can use
     - `?credentials=/path/to/client_secrets.json`
     - `?creds=/path/to/client_secrets.json`
 
+Also, you can use impersonate service account using environment variables below.
+
+- `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT`: Email of service account
+- `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT_LIFETIME`: You can use impersonate service account within this lifetime. This value must be readable from https://github.com/k1LoW/duration .
+
 **Amazon Redshift:**
 
 ``` yaml

diff --git a/datasource/gcp.go b/datasource/gcp.go
@@ -54,15 +54,35 @@ func NewBigqueryClient(ctx context.Context, urlstr string) (*bigquery.Client, st
 	projectID := u.Host
 	datasetID := splitted[1]
 
+	var options []option.ClientOption
+
+	// Setup credential
 	values := u.Query()
 	if err := setEnvGoogleApplicationCredentials(values); err != nil {
 		return nil, "", "", err
 	}
-	var client *bigquery.Client
+
 	if os.Getenv("GOOGLE_APPLICATION_CREDENTIALS") == "" && os.Getenv("GOOGLE_APPLICATION_CREDENTIALS_JSON") != "" {
-		client, err = bigquery.NewClient(ctx, projectID, option.WithCredentialsJSON([]byte(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS_JSON"))))
-	} else {
-		client, err = bigquery.NewClient(ctx, projectID)
+		options = append(options, option.WithCredentialsJSON([]byte(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS_JSON"))))
+	}
+
+	// Setup impersonate service account configuration
+	impersonateServiceAccount := getImpersonateServiceAccount()
+	if impersonateServiceAccount != "" {
+		lifetime, err := getImpersonateServiceAccountLifetime()
+		if err != nil {
+			return nil, "", "", err
+		}
+		ts, err := createImpersonationTokenSource(ctx, impersonateServiceAccount, lifetime)
+		if err != nil {
+			return nil, "", "", err
+		}
+		options = append(options, option.WithTokenSource(ts))
+	}
+
+	client, err := bigquery.NewClient(ctx, projectID, options...)
+	if err != nil {
+		return nil, "", "", err
 	}
 	return client, projectID, datasetID, err
 }