@timvyas timvyas commented Sep 4, 2025

Summary

Resolves the "Permission denied while getting Drive credentials" error when using service accounts to access Google Sheets as external tables in BigQuery.

Problem Description

Service accounts in dbt-fusion cannot access Google Sheets as external tables, failing with:

Error 403: Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials., accessDenied

This works fine with:

  • OAuth authentication in dbt-fusion
  • Service accounts in dbt-core
  • Same service account with other BigQuery operations

Root Cause

The BigQuery ADBC driver requires OAuth scopes to be explicitly set when using service accounts to access Google Drive resources. dbt-fusion was missing the adbc.bigquery.sql.impersonate.scopes parameter configuration for service account authentication methods.

Solution

Added Google Drive OAuth scope configuration to service account authentication:

Changes Made:

  1. crates/dbt-xdbc/src/bigquery.rs: Added IMPERSONATE_SCOPES constant mapping to ADBC parameter
  2. crates/dbt-auth/src/bigquery/mod.rs: Configure scopes for both ServiceAccount and ServiceAccountJson methods
  3. OAuth Scopes Added:
    • https://www.googleapis.com/auth/bigquery
    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/drive ← This was the missing scope
  4. Updated unit tests to verify scopes are properly configured

Testing

  • ✅ Unit tests pass and verify scope configuration
  • ✅ Builds successfully with cargo build --release
  • ✅ Aligns with dbt-core's scope implementation
  • ⚠️ Unable to test end-to-end locally: The run and build commands are not yet available in the open-source crates, so full integration testing with Google Sheets external tables cannot be performed from this repository. The fix can be verified once integrated into the complete dbt-fusion package.

Compatibility

  • No breaking changes
  • Only affects service account authentication with Google Drive resources
  • OAuth authentication unchanged
  • Backward compatible

References

  • Related to previous reports in dbt Slack community
  • Aligns with dbt-core BigQuery credentials implementation
  • Uses existing ADBC driver impersonate.scopes parameter

Checklist

  • Added appropriate tests
  • Updated changelog entry
  • No breaking changes
  • Follows existing code patterns
  • Addresses the root cause completely

This change brings dbt-fusion's service account authentication in line with dbt-core's implementation for accessing Google Drive resources through BigQuery.

@timvyas timvyas requested a review from a team as a code owner September 4, 2025 13:39
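
The scope requirement from the PR description, as an added Rust example (not code from this pull request or from dbt-fusion): a pre-flight check that reports which scopes are missing before a query reads a Sheets-backed external table. The helper names, the comma-separated value format, and the rule that an explicit scope list replaces the driver's defaults are assumptions.

```rust
use std::collections::BTreeMap;

// ADBC option key quoted in the PR description.
const IMPERSONATE_SCOPES: &str = "adbc.bigquery.sql.impersonate.scopes";
// The three scopes the PR description lists.
const BIGQUERY: &str = "https://www.googleapis.com/auth/bigquery";
const CLOUD_PLATFORM: &str = "https://www.googleapis.com/auth/cloud-platform";
const DRIVE: &str = "https://www.googleapis.com/auth/drive";

/// Hypothetical builder for a service account's driver options.
/// Assumption: the driver takes the scopes as one comma-separated string.
fn service_account_options(scopes: &[&str]) -> BTreeMap<String, String> {
    let mut opts = BTreeMap::new();
    if !scopes.is_empty() {
        opts.insert(IMPERSONATE_SCOPES.to_string(), scopes.join(","));
    }
    opts
}

/// Hypothetical pre-flight check: scopes still missing for a query that
/// reads a Google Sheets external table. Scope strings are matched exactly.
fn missing_for_sheets(opts: &BTreeMap<String, String>) -> Vec<&'static str> {
    let Some(raw) = opts.get(IMPERSONATE_SCOPES) else {
        // Option unset: the state the PR describes, where other BigQuery
        // operations worked and only Drive access was denied.
        return vec![DRIVE];
    };
    let configured: Vec<&str> =
        raw.split(',').map(str::trim).filter(|s| !s.is_empty()).collect();
    let has = |scope: &str| configured.iter().any(|c| *c == scope);
    let mut missing = Vec::new();
    // Assumption: an explicit list replaces the defaults, so BigQuery access
    // must be requested too; either of these two scopes grants it.
    if !has(BIGQUERY) && !has(CLOUD_PLATFORM) {
        missing.push(BIGQUERY);
    }
    // Drive is a separate API; cloud-platform does not include it.
    if !has(DRIVE) {
        missing.push(DRIVE);
    }
    missing
}

fn main() {
    let before = service_account_options(&[]);
    let after = service_account_options(&[BIGQUERY, CLOUD_PLATFORM, DRIVE]);
    println!("before: missing {:?}", missing_for_sheets(&before));
    println!("after:  missing {:?}", missing_for_sheets(&after));
}
```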

cla-bot bot commented Sep 4, 2025

Thanks for your pull request, and welcome to our community! We require contributors to sign our Contributor License Agreement and we don't seem to have your signature on file. Check out this article for more information on why we have a CLA.

In order for us to review and merge your code, please submit the Individual Contributor License Agreement form attached above. If you have questions about the CLA, or if you believe you've received this message in error, please reach out through a comment on this PR.

CLA has not been signed by users: @timvyas

github-actions bot commented Sep 4, 2025

Thank you for your pull request! We could not find a changelog entry for this change. For details on how to document a change, see the contributing guide.

timvyas commented Sep 4, 2025

I have signed the CLA form. Please recheck.

@cla-bot cla-bot bot added the cla:yes label Sep 4, 2025
@timvyas timvyas force-pushed the fix/bigquery-service-account-google-sheets branch from c71049a to 80d058f Compare September 8, 2025 14:00

github-actions bot commented Sep 8, 2025

This repository enforces signed commits. Please sign your commits by following the docs here.

@timvyas timvyas force-pushed the fix/bigquery-service-account-google-sheets branch from 80d058f to 61705ff Compare September 8, 2025 14:21

This fix resolves the 'Permission denied while getting Drive credentials' error
when using service accounts to access Google Sheets as external tables in BigQuery.

Changes:
- Add IMPERSONATE_SCOPES constant to dbt-xdbc/bigquery.rs
- Configure Google Drive scope for both ServiceAccount and ServiceAccountJson
  authentication methods in dbt-auth/bigquery/mod.rs
- Add OAuth scopes: bigquery, cloud-platform, and drive
- Update unit tests to verify scopes are properly set

This aligns dbt-fusion's service account authentication with dbt-core's
implementation for Google Drive resource access through BigQuery.

CLA has been signed - triggering bot to recheck status

…dition

- Rebase branch onto latest main to incorporate refactored BigQuery auth structure
- Resolve merge conflicts from removal of TryFrom trait implementation
- Add Google Drive scope to both config_service_account and config_service_account_json helper functions
- Add test_service_account_keyfile_with_scopes to verify tilde expansion and scope addition
- Update test_builder_from_auth_config_keyfile_json to verify scopes are included
- Fix syntax error in test loop structure

@timvyas timvyas force-pushed the fix/bigquery-service-account-google-sheets branch from 61705ff to 4a91c57 Compare September 8, 2025 14:26