Prerequisites
Toolbox version
toolbox version 0.29.0+binary.darwin.arm64.39832a0
Environment
- OS type and version: Darwin 24.6.0 (macOS, arm64)
- How are you running Toolbox: As a downloaded binary
Client
- Client: Claude Code (Anthropic CLI for MCP)
- Version: Latest
- Example
.mcp.json:
{
"mcpServers": {
"bigquery": {
"command": "toolbox",
"args": ["--prebuilt", "bigquery", "--stdio"],
"env": {
"BIGQUERY_PROJECT": "my-project"
}
}
}
}Expected Behavior
The prebuilt BigQuery config should expose impersonateServiceAccount via an env var, consistent with how every other configurable source field (location, useClientOAuth, scopes, maxQueryResultRows) is exposed. This field was added to the BigQuery source in #1641 but was not wired into the prebuilt YAML.
Expected: setting BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT with --prebuilt bigquery should cause queries to run as the impersonated service account.
Current Behavior
There is no env var to enable impersonateServiceAccount with --prebuilt bigquery. The prebuilt YAML at internal/prebuiltconfigs/tools/bigquery.yaml does not include the field. CLOUDSDK_ACTIVE_CONFIG_NAME and GOOGLE_IMPERSONATE_SERVICE_ACCOUNT are not honored by toolbox. SESSION_USER() always returns the personal account.
Steps to reproduce?
- Configure an MCP client with
--prebuilt bigquery and BIGQUERY_PROJECT set
- Set
CLOUDSDK_ACTIVE_CONFIG_NAME to a gcloud config that uses impersonate_service_account, or set GOOGLE_IMPERSONATE_SERVICE_ACCOUNT — neither has any effect
- Run
SELECT SESSION_USER() via the execute_sql tool
- Result: returns the personal account, not the service account
- There is no env var available to enable impersonation with
--prebuilt
Additional Details
The fix is one line in internal/prebuiltconfigs/tools/bigquery.yaml:
impersonateServiceAccount: ${BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT:}The empty default means existing users are unaffected. I built and tested a patched binary locally — impersonation works with the env var set, and behavior is unchanged when unset. Happy to open a PR.
The current workaround is to use --tools-file with a custom YAML, but this requires manually redefining all 9 BigQuery tools with their descriptions. It's also fragile since new tools added in future releases won't be picked up.
Related: #906, #1641
Prerequisites
Toolbox version
toolbox version 0.29.0+binary.darwin.arm64.39832a0
Environment
Client
.mcp.json:{ "mcpServers": { "bigquery": { "command": "toolbox", "args": ["--prebuilt", "bigquery", "--stdio"], "env": { "BIGQUERY_PROJECT": "my-project" } } } }Expected Behavior
The prebuilt BigQuery config should expose
impersonateServiceAccountvia an env var, consistent with how every other configurable source field (location,useClientOAuth,scopes,maxQueryResultRows) is exposed. This field was added to the BigQuery source in #1641 but was not wired into the prebuilt YAML.Expected: setting
BIGQUERY_IMPERSONATE_SERVICE_ACCOUNTwith--prebuilt bigqueryshould cause queries to run as the impersonated service account.Current Behavior
There is no env var to enable
impersonateServiceAccountwith--prebuilt bigquery. The prebuilt YAML atinternal/prebuiltconfigs/tools/bigquery.yamldoes not include the field.CLOUDSDK_ACTIVE_CONFIG_NAMEandGOOGLE_IMPERSONATE_SERVICE_ACCOUNTare not honored by toolbox.SESSION_USER()always returns the personal account.Steps to reproduce?
--prebuilt bigqueryandBIGQUERY_PROJECTsetCLOUDSDK_ACTIVE_CONFIG_NAMEto a gcloud config that usesimpersonate_service_account, or setGOOGLE_IMPERSONATE_SERVICE_ACCOUNT— neither has any effectSELECT SESSION_USER()via theexecute_sqltool--prebuiltAdditional Details
The fix is one line in
internal/prebuiltconfigs/tools/bigquery.yaml:The empty default means existing users are unaffected. I built and tested a patched binary locally — impersonation works with the env var set, and behavior is unchanged when unset. Happy to open a PR.
The current workaround is to use
--tools-filewith a custom YAML, but this requires manually redefining all 9 BigQuery tools with their descriptions. It's also fragile since new tools added in future releases won't be picked up.Related: #906, #1641