Prerequisites
Question
Hi!
This is a follow-up question related to my previous issue #1601 about accessing external tables backed by Google Sheets from BigQuery via Toolbox.
In that issue, the error was:
Access Denied: BigQuery ... Permission denied while getting Drive credentials
On my local environment and in docker-compose, I was able to fix this by using ADC with explicit scopes, e.g.:
gcloud auth application-default login \
--scopes=https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/bigquery,https://www.googleapis.com/auth/cloud-platform
After doing that, Toolbox could successfully query the external table backed by Google Sheets, and everything worked as expected. 🙌
Kubernetes environment: cannot easily customize ADC scopes
Now I’m trying to run Toolbox in a Kubernetes environment.
According to the ADC docs (especially for Kubernetes workloads), there is no interactive gcloud auth application-default login --scopes=... flow, and ADC is obtained from the environment (Workload Identity / metadata server, or a mounted service account key).
In this setup, Toolbox’s BigQuery source eventually calls:
// internal/sources/bigquery/bigquery.go
cred, err := google.FindDefaultCredentials(ctx, bigqueryapi.Scope)
(ref:
https://github.com/googleapis/genai-toolbox/blob/dc7c62c951590c97d8b67d786a7358fdc8036089/internal/sources/bigquery/bigquery.go#L519)
This means ADC is created with only bigqueryapi.Scope (i.e. https://www.googleapis.com/auth/bigquery), but not with a Drive scope such as https://www.googleapis.com/auth/drive.readonly.
My understanding is:
When querying an external table backed by Google Sheets,
BigQuery needs a token that also has the Google Drive scope,
Which is why it works locally when I log in with both BigQuery + Drive scopes,
But fails in Kubernetes where the Toolbox server itself never asks for the Drive scope.
Question: Can we add drive.readonly scope here?
Would it be acceptable (or recommended) to change this line:
cred, err := google.FindDefaultCredentials(ctx, bigqueryapi.Scope)
to something like:
cred, err := google.FindDefaultCredentials(
    ctx,
    bigqueryapi.Scope,
    "https://www.googleapis.com/auth/drive.readonly",
)
Right now:
Local / docker-compose: works fine when I explicitly set ADC scopes (including Drive) via gcloud auth application-default login.
Kubernetes: I’m relying on ADC from the environment, and I don’t see a practical way to “add” the Drive scope there unless Toolbox itself requests it in FindDefaultCredentials.
If I’m misunderstanding how BigQuery external Google Sheets authentication is supposed to work here, I’d really appreciate some guidance on the intended setup for Toolbox in Kubernetes.
Thanks again for all your help and for maintaining this project! 🙏
Code
No response
Additional Details
No response
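An added example (not Toolbox's own code) showing the two things the proposed change hinges on: building the scope list that would be spread into google.FindDefaultCredentials(ctx, scopes...) with the read-only Drive scope added only for Sheets-backed sources, and checking, from a tokeninfo response, whether the token the environment actually issued carries that scope. The sheetsBacked flag is a hypothetical configuration switch and the tokeninfo JSON is a constructed sample, not output captured from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Scope strings quoted in the issue; bigqueryScope mirrors bigqueryapi.Scope.
const (
	bigqueryScope      = "https://www.googleapis.com/auth/bigquery"
	driveReadOnlyScope = "https://www.googleapis.com/auth/drive.readonly"
)

// adcScopes is the list to spread into google.FindDefaultCredentials(ctx, scopes...).
// Drive is added only for Sheets-backed sources, and only the read-only Drive scope.
func adcScopes(sheetsBacked bool) []string {
	scopes := []string{bigqueryScope}
	if sheetsBacked {
		scopes = append(scopes, driveReadOnlyScope)
	}
	return scopes
}

// tokenInfo is the part of Google's tokeninfo response we inspect ("scope" is space-separated).
type tokenInfo struct {
	Scope string `json:"scope"`
}

// missingScopes returns the wanted scopes that a tokeninfo response says the token lacks.
func missingScopes(tokenInfoJSON []byte, wanted []string) ([]string, error) {
	var ti tokenInfo
	if err := json.Unmarshal(tokenInfoJSON, &ti); err != nil {
		return nil, fmt.Errorf("parse tokeninfo: %w", err)
	}
	have := " " + strings.Join(strings.Fields(ti.Scope), " ") + " "
	var missing []string
	for _, w := range wanted {
		if !strings.Contains(have, " "+w+" ") {
			missing = append(missing, w)
		}
	}
	return missing, nil
}

func main() {
	// Constructed sample: a token issued for bigqueryapi.Scope alone, i.e. the Kubernetes case.
	sample := []byte(`{"scope":"https://www.googleapis.com/auth/bigquery","expires_in":3599}`)
	fmt.Println(missingScopes(sample, adcScopes(true)))
}
```

An empty result from missingScopes means the token in that environment already covers both scopes; a result naming drive.readonly reproduces the Kubernetes failure mode described above.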