Search code examples
google-app-engineauthorizationgoogle-bigqueryserver-to-server

Google App Engine authorization for Google BigQuery

I have followed the instructions in https://developers.google.com/bigquery/authorization#service-accounts-appengine to make some queries from app engine to bigquery.

In the step 2, I click on Team in Google Api Console and it redirects to App Engine > Administration > Permissions. I add the service account name as Email and as a role I select developer (the option "can edit" is not available), and then click "Invite user". After that, appears a message: "An email was sent to [email protected] for verification." and the status is Pending. How I could confirm the email?, seems there is a bug here...

Next, I made a test using the following code:

#!/usr/bin/env python
import httplib2
import webapp2
from google.appengine.api import memcache
from apiclient.discovery import build
from google.appengine.ext import webapp
from google.appengine.ext.webapp.util import run_wsgi_app
from oauth2client.appengine import AppAssertionCredentials 

# BigQuery API Settings
PROJECT_NUMBER        = 'XXXXXXXX' 

credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/bigquery')
http        = credentials.authorize(httplib2.Http(memcache))
service     = build("bigquery", "v2", http=http)

class MainHandler(webapp2.RequestHandler):
    def get(self):
        query     = {'query':'SELECT word,count(word) AS count FROM publicdata:samples.shakespeare GROUP BY word;',
                     'timeoutMs':10000}
        jobRunner = service.jobs()
        reply     = jobRunner.query(projectId=PROJECT_NUMBER,body=query).execute()
        self.response.out.write(reply)

app = webapp2.WSGIApplication([
    ('/', MainHandler)
], debug=True)

And the reply was (running from google):

HttpError: <HttpError 403 when requesting https://www.googleapis.com/bigquery/v2/projects/XXXXXXXX/queries?alt=json returned "Access Denied: Job YYYYYYYY:job_e57bdde0144c495dbc864ccbfb82b704: RUN_QUERY_JOB">

If I test from localhost, the answer is:

HttpError: <HttpError 401 when requesting https://www.googleapis.com/bigquery/v2/projects/XXXXXXXX/queries?alt=json returned "Invalid Credentials">

Someone could help me? :-)

Solution

  • You can add the [email protected] to the project at http://cloud.google.com/console.

    Expect this to be easier/ more straightforward soon!

    Step by step, by @Christian:

    1. Go to App Engine Dashboard of your application, click on Application Settings and copy the service account name ([email protected])
    2. Go to http://cloud.google.com/console
    3. Select your project
    4. Click on gear icon and select Teams
    5. Click on Add member
    6. Paste the service account name and select can edit permission, then click on add.
    7. Have fun!