Add support for service account impersonation

andrewnicolalde · andrewnicolalde · commit 0a56fece4f22 · 2025-05-06T17:26:35.000Z
diff --git a/pkg/bigquery/http_client.go b/pkg/bigquery/http_client.go
@@ -50,20 +50,35 @@ func getMiddleware(settings types.BigQuerySettings, routePath string) (httpclien
 	var provider tokenprovider.TokenProvider
 	switch settings.AuthenticationType {
 	case "gce":
-		provider = tokenprovider.NewGceAccessTokenProvider(providerConfig)
+		if settings.UsingImpersonation {
+			providerConfig.TargetPrincipal = settings.ServiceAccountToImpersonate
+			provider = tokenprovider.NewImpersonatedGceAccessTokenProvider(providerConfig)
+		} else {
+			provider = tokenprovider.NewGceAccessTokenProvider(providerConfig)
+		}
+
 	case "jwt":
 		err := validateDataSourceSettings(settings)
 
 		if err != nil {
 			return nil, err
 		}
-
-		providerConfig.JwtTokenConfig = &tokenprovider.JwtTokenConfig{
-			Email:      settings.ClientEmail,
-			URI:        settings.TokenUri,
-			PrivateKey: []byte(settings.PrivateKey),
+		if settings.UsingImpersonation {
+			providerConfig.TargetPrincipal = settings.ServiceAccountToImpersonate
+			providerConfig.JwtTokenConfig = &tokenprovider.JwtTokenConfig{
+				Email:      settings.ClientEmail,
+				URI:        settings.TokenUri,
+				PrivateKey: []byte(settings.PrivateKey),
+			}
+			provider = tokenprovider.NewImpersonatedJwtAccessTokenProvider(providerConfig)
+		} else {
+			providerConfig.JwtTokenConfig = &tokenprovider.JwtTokenConfig{
+				Email:      settings.ClientEmail,
+				URI:        settings.TokenUri,
+				PrivateKey: []byte(settings.PrivateKey),
+			}
+			provider = tokenprovider.NewJwtAccessTokenProvider(providerConfig)
 		}
-		provider = tokenprovider.NewJwtAccessTokenProvider(providerConfig)
 	}
 
 	return tokenprovider.AuthMiddleware(provider), nil
diff --git a/pkg/bigquery/types/types.go b/pkg/bigquery/types/types.go
@@ -7,18 +7,20 @@ import (
 )
 
 type BigQuerySettings struct {
-	DatasourceId       int64  `json:"datasourceId"`
-	ClientEmail        string `json:"clientEmail"`
-	DefaultProject     string `json:"defaultProject"`
-	FlatRateProject    string `json:"flatRateProject"`
-	TokenUri           string `json:"tokenUri"`
-	QueryPriority      string `json:"queryPriority"`
-	ProcessingLocation string `json:"processingLocation"`
-	MaxBytesBilled     int64  `json:"MaxBytesBilled,omitempty"`
-	Updated            time.Time
-	AuthenticationType string `json:"authenticationType"`
-	PrivateKeyPath     string `json:"privateKeyPath"`
-	ServiceEndpoint    string `json:"serviceEndpoint"`
+	DatasourceId                int64  `json:"datasourceId"`
+	ClientEmail                 string `json:"clientEmail"`
+	DefaultProject              string `json:"defaultProject"`
+	FlatRateProject             string `json:"flatRateProject"`
+	TokenUri                    string `json:"tokenUri"`
+	QueryPriority               string `json:"queryPriority"`
+	ProcessingLocation          string `json:"processingLocation"`
+	MaxBytesBilled              int64  `json:"MaxBytesBilled,omitempty"`
+	Updated                     time.Time
+	AuthenticationType          string `json:"authenticationType"`
+	PrivateKeyPath              string `json:"privateKeyPath"`
+	ServiceEndpoint             string `json:"serviceEndpoint"`
+	UsingImpersonation          bool   `json:"usingImpersonation"`
+	ServiceAccountToImpersonate string `json:"serviceAccountToImpersonate"`
 
 	// Saved in secure JSON
 	PrivateKey string `json:"-"`
