BigQuery Security Guidelines | QueryGrid - BigQuery Target Connector Security Guidelines - Teradata QueryGrid

QueryGrid™ Installation and User Guide - 3.06

Teradata QueryGrid
Release Number: December 2024
Product Category: Analytical Ecosystem
Use one of the following authentication mechanisms to access a BigQuery data source:
  • Service Account
  • Application Default
  • Refresh Token (OAuth)
Each authentication mechanism takes its input credentials in a different format, as described below.

Service Account

The Service Account method is suitable when all access to BigQuery through QueryGrid can be performed with the same Google Cloud identity. Service Account credentials are provided in one of the following two ways:
The two options are mutually exclusive; providing both at the same time results in an error.
Setting | Description
Service Account Key Path | The path to the service account key JSON file. The file must be present and readable at that path on every driver node, and the QueryGrid process must have read access to it. This property is mutually exclusive with the Service Account Key property.
Service Account Key | The contents of the service account key JSON file, placed directly in this property. The key is redacted from Viewpoint and logs. This property is mutually exclusive with the Service Account Key Path property.
Sample key file:
{
  "type": "service_account",
  "project_id": "9999xyz",
  "private_key_id": "9999fe35b147fa097777461661d741cf616c57b8f386",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEBBoIJKOD/exGQ3gBrdQBY\n/vLPhTH8oLTgsK/v5wHQpJoqOxNLQ87YYj8lz1xyaNByWGtpKvXleIGKVXGUCD6V\nohZp4bSKOmH4kXad6sUMawFvPh93L4SyvsnfvhyGE3u+e6peABntBVL+g57GOs4C\nUAV3IcM2K+TpGZb6EpuY+y+z3iZ6/j0V5SRBo8DGLuv2DsKUWehu6+DGdE7OLxGd\n7E7wNuNd08TUjdatIqi9ynbxgzqWY0nRO+7zsaJX2TJXe8R9GGxdWEoKOatDHPCY\naouDHqTVlkbwxSSkBb7rPArmvkkYoMemfSBEYbhKD9Qe16eKL7nkIKVVmDBmLWf0\niBFC3yLNAgMBAAECggEAAW7/yACMKux1VDU/HCP4e9Zi2aEjsBLKsK/gIkYkSYFN\nyyZGfWylWeCZruwlNw8F8vHesRUdWekLOZOSbLiD4YUOYWNgFU6XVcB3V53fc8T8\npASe/k3Yvig8hPCSwKFqOvFkmFiOl8KuSCt73v3MYwYbxfhVvl7lS1VAxi1ORx1y\nMVeX062qffDg8zHQQ1b1Om6WaaRr7oYgsecra9fm26nh6YV8uIelAU6LJ7ecw1B1\nhaZaLjpsJMMtquOGvLlPZDsPKYlIF2je/IMbhnCG40dh4MRlwKRuDvBF86Lgr3Wk\nViPeoHiyLyst2mr0V1qXZjMleZLt540HsTfvguhbAQKBgQDi1feEnp3pFiuwXjUP\nUAa50A2gIeZvq5CYQo586ilQ8gOwjbQXXE1AbyTh5OCrYcs78wTdl8KYaa4O4w6O\nmHSAXWvdQdL6vPEpoMTSZArH9m878FKQ2AIVW+Ql4XKMFQEBH0Sao0e+3LdBBXM+\nl0EKn26XYvvtVA/YKqJ87gjuzwKBgQDYGW5nq0mUahSB0NflcqT5Bp3P08Vl8j19\ng8j0oCU0vB9Bzh7WnHgVuVEq04n2Br0u2s1qy55/OacWjNjiSMofXqUW6Ctn0Myd\nM8W0I+uEoA4XcgsAeMnnzW5i+x++k80ZbK2v4tiWtxHH1MwDkhkTB4qScQIZbc1C\nyhdJG9zbowKBgQDDNDqzKATgZzHlrsyehtGi6cYv/bxecRgXz37rRF+Vxw8hynAm\ngkoAnyTwOJSXJ6tLxdB0GXteyeL98KvATrZDGSIP3+t910b5+d4m5+zXM915iVCk\nUR9J3jAx4RdAMXsRyiSxpr3BJBOXoucP//369ESphociL2sLLXVzaSzKxQKBgBUt\n0OM6J1jzWJUseaxUIxUA8ACJWcRXDG27t7s54subUFjrsZwI87/1TJ4s402IdYwd\nB5ra3+rKJLUSEsOCrMSMSxPGp1JiZVtW0p6IErIJ2be0hp2COQ+N067Bu+e6ppRC\nUXd2fRGwWX7DPUdwTyLNT2hwyOrjFwXfto6Eu42PAoGAAZ5ntTJXNin4jRD1vnn8\nI5FxkegjnQgoSrX4dGAiieqxdSry1wcJZ7C/jCcmlGbLXcaHae7xmgMW6X8peiIW\nB04bCr2oOs+Em8RnqavwaexPGzbBmi7zqyjGLnoWUCxnRRl5jAU/qPzaIftD1XzR\noNZF8KEf3Xbr0C1VL5MbhJk=\n-----END PRIVATE KEY-----\n",
  "client_email": "",
  "client_id": "123456789012345678901234",
  "auth_uri": "9999",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": ""
}
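The following is an added pre-flight check for the Service Account settings, not code from the QueryGrid product. It applies the rules stated above (exactly one of Key Path / Key may be set; a key file must be present and readable on the driver node; the contents must be a service account key JSON) and adds one hardening check the page does not require, flagging a world-readable key file. The field list and the sample key contents are constructed here; the key material is a dummy, not a real key.

```python
import json
import os
import stat
from pathlib import Path

# Fields carried by a Google service account key file, taken from the sample
# key above. The two *_x509_cert_url fields are informational and not required.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "auth_uri", "token_uri",
)

# Constructed sample key (not a real key): the PEM body is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMYKEYMATERIAL\n-----END PRIVATE KEY-----\n",
    "client_email": "querygrid@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_service_account_settings(key_path=None, key_contents=None):
    """Return a list of problems with the Service Account settings.

    An empty list means: exactly one of Key Path / Key is set, the key file
    (if used) exists and is readable by this process, and the contents parse
    as a service account key. The world-readable check is an added hardening
    check, not a rule the connector itself enforces.
    """
    problems = []
    if key_path and key_contents:
        return ["Service Account Key Path and Service Account Key are mutually exclusive"]
    if not key_path and not key_contents:
        return ["one of Service Account Key Path or Service Account Key must be set"]

    if key_path:
        path = Path(key_path)
        if not path.is_file():
            return [f"key file not found at {key_path} on this driver node"]
        if not os.access(path, os.R_OK):
            return [f"key file {key_path} is not readable by this user"]
        if stat.S_IMODE(path.stat().st_mode) & stat.S_IROTH:
            problems.append(f"key file {key_path} is world-readable")
        key_contents = path.read_text(encoding="utf-8")

    try:
        key = json.loads(key_contents)
    except json.JSONDecodeError as exc:
        return problems + [f"key contents are not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return problems + ["key contents are not a JSON object"]

    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing or empty fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded PKCS#8 private key")
    return problems


def redact_key(key):
    """Copy of a parsed key with the secret material masked, safe to print or log."""
    safe = dict(key)
    for field in ("private_key", "private_key_id"):
        if field in safe:
            safe[field] = "<redacted>"
    return safe


if __name__ == "__main__":
    print("inline key:", check_service_account_settings(key_contents=SAMPLE_KEY_JSON))
    print("both set:", check_service_account_settings(
        key_path="/etc/querygrid/key.json", key_contents=SAMPLE_KEY_JSON))
    print(redact_key(json.loads(SAMPLE_KEY_JSON)))
```

Run it on each driver node as the user the QueryGrid driver runs under, since the readability check is only meaningful for that identity; print only the output of redact_key, never the parsed key itself.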

Application Default

Google Cloud can associate credentials with a virtual machine (VM). By selecting the Application Default authentication mechanism, QueryGrid uses the credentials provided to the Google Cloud Compute instance. The Application Default mechanism uses the Service Account credentials associated with the resource (such as the VM instance in Google Cloud) that is running the driver that accesses BigQuery. Application Default credentials are only applicable when the VM container is on Google Cloud.

Application Default is not intended for use when the QueryGrid BigQuery connector driver runs on-premises or on other cloud platforms. This authentication mechanism does not depend on any additional connector properties. The BigQuery connector settings use Application Default as the default mechanism for accessing the data source.

Refresh Token (OAuth)

The primary purpose of the Refresh Token (OAuth) Authorization Object is to allow different Vantage users to access BigQuery using multiple or unique Google Cloud identities. This is achieved by giving each user their own Authorization Object for use with the QueryGrid foreign server. When creating the Authorization Object, the clientSecret and refreshToken values are placed in the password field in that order, separated by a single space. These properties can also be set in the connector and link properties, but the Authorization Object takes precedence if one is provided.
Setting | Description
Client Id | The Authorization Object Client ID used with a refresh token
Client Secret | The OAuth Client Secret used with a refresh token
OAuth Refresh Token | The Refresh Token used with OAuth authentication
This is the only authentication mechanism where the credentials can be passed through Authorization Objects on Vantage.
Before using the Refresh Token authentication method, you must first generate the clientID, clientSecret, and refreshToken. Once created, concatenate the clientSecret and refreshToken and use that as the password for the authorization object. The clientSecret and refreshToken are separated by a single blank space, as in the following example:
{clientSecret}{singlespace}{refreshToken}, for example: "testsecret123 testtoken456"
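As an added example (not Teradata's code), the helpers below compose and parse the Authorization Object password in the format stated above (clientSecret, one space, refreshToken), apply the precedence rule that an Authorization Object wins over connector or link properties, and give a log-safe form of the credentials. The connector-property key names "clientSecret" and "oauthRefreshToken" are assumed here for illustration and are not the connector's own property names; the sample values are the ones from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshTokenCredentials:
    client_id: str
    client_secret: str
    refresh_token: str

    def redacted(self):
        """String form safe for logs: the secret and token are masked."""
        return (f"client_id={self.client_id} "
                "client_secret=<redacted> refresh_token=<redacted>")


def build_authorization_password(client_secret, refresh_token):
    """Compose the Authorization Object password: clientSecret, one space, refreshToken.

    Because the single space is the separator, neither value may contain
    whitespace, otherwise the password could not be split back unambiguously.
    """
    for name, value in (("clientSecret", client_secret), ("refreshToken", refresh_token)):
        if not value:
            raise ValueError(f"{name} must not be empty")
        if any(ch.isspace() for ch in value):
            raise ValueError(f"{name} must not contain whitespace")
    return f"{client_secret} {refresh_token}"


def parse_authorization_password(password):
    """Split a password back into (clientSecret, refreshToken).

    Accepts only exactly two non-empty parts joined by one space; a doubled
    space or a missing part is rejected rather than silently misread.
    """
    parts = password.split(" ")
    if len(parts) != 2 or not all(parts):
        raise ValueError("password must be '<clientSecret> <refreshToken>' with exactly one space")
    return parts[0], parts[1]


def is_valid_authorization_password(password):
    """True when parse_authorization_password would accept the value."""
    try:
        parse_authorization_password(password)
        return True
    except ValueError:
        return False


def resolve_credentials(client_id, auth_object_password=None, connector_props=None):
    """Apply the precedence rule from the text: an Authorization Object password,
    when present, overrides clientSecret / refreshToken set in connector or link
    properties. The property key names used here are assumed, not the connector's.
    """
    if auth_object_password:
        secret, token = parse_authorization_password(auth_object_password)
    else:
        props = connector_props or {}
        secret, token = props.get("clientSecret"), props.get("oauthRefreshToken")
        if not secret or not token:
            raise ValueError("no Authorization Object password and connector "
                             "properties do not provide both clientSecret and refreshToken")
    return RefreshTokenCredentials(client_id, secret, token)


if __name__ == "__main__":
    # Sample values from the page (not real credentials).
    password = build_authorization_password("testsecret123", "testtoken456")
    creds = resolve_credentials("example-client-id", auth_object_password=password,
                                connector_props={"clientSecret": "propsecret",
                                                 "oauthRefreshToken": "proptoken"})
    print(creds.redacted())
```

The parse step is strict on purpose: a password with two spaces or a missing token is rejected up front, which is easier to diagnose than an OAuth failure from BigQuery after the foreign server is already in use.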