Add support for service account impersonation (#344)

This PR is the same as
#336 but uses
the new versions of the sdks with the required changes.

<img width="694" alt="Screenshot 2025-06-17 at 11 59 16"
src="https://github.com/user-attachments/assets/04366635-24ba-4879-918b-ad53886bb396"
/>


### How to test it:

- Use `raintank-dev` project.
- I created a service account called
`bigqueryim@raintank-dev.iam.gserviceaccount.com`. This sa only has
`Service Account Token Creator` role. Create a new key for the service
account or ask me for it.
- Create a new data source with the jwt key for
`bigqueryim@raintank-dev.iam.gserviceaccount.com`
- Check Enable under Service account impersonation
- Add `bq-dev@raintank-dev.iam.gserviceaccount.com` to the `Service
account to impersonate` field
- Create a simple query in explore

Fixes #310

Author: zoltanbedi

.vscode/launch.json

@@ -10,6 +10,23 @@
       "output": "${workspaceFolder}/pkg/__debug_bin",
       "env": {},
       "args": ["--standalone=true"]
+    },
+    {
+      "name": "Attach to plugin backend in docker",
+      "type": "go",
+      "request": "attach",
+      "mode": "remote",
+      "port": 2345,
+      "host": "127.0.0.1",
+      "showLog": true,
+      "trace": "log",
+      "logOutput": "rpc",
+      "substitutePath": [
+        {
+          "from": "${workspaceFolder}",
+          "to": "/root/{{ pluginId }}"
+        }
+      ]
     }
   ]
 }

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 2.1.0
+
+🚀 Feat: Support service account impersonation
+⚙️ Bump `github.com/getkin/kin-openapi` from 0.129.0 to 0.131.0
+
 ## 2.0.5
 
 ⚙️ Update `golang.org/x/net` from 0.36.0 to 0.38.0

README.md

@@ -42,6 +42,11 @@ Google BigQuery datasource provides two ways of authentication:
 
 When Grafana is running on a Google Compute Engine (GCE) virtual machine, it is possible for the Google BigQuery datasource to automatically retrieve the default project id and authentication token from the metadata server. For this to work, you need to make sure that you have a service account that is setup as the default account for the virtual machine and that the service account has been given read access to the BigQuery API.
 
+### Service account impersonation
+
+You can also configure the plugin to use [service account impersonation](https://cloud.google.com/iam/docs/service-account-impersonation).
+You need to ensure the service account used by this plugin has the `iam.serviceAccounts.getAccessToken` permission. This permission is in roles like the [Service Account Token Creator role](https://cloud.google.com/iam/docs/roles-permissions/iam#iam.serviceAccountTokenCreator) (roles/iam.serviceAccountTokenCreator). Also, the service account impersonated by this plugin needs [BigQuery Data Viewer](https://cloud.google.com/iam/docs/roles-permissions/bigquery#bigquery.dataViewer) and [BigQuery Job User](https://cloud.google.com/iam/docs/roles-permissions/bigquery#bigquery.jobUser) roles.
+
 ### Provisioning
 
 It is possible to configure data sources using configuration files with Grafana’s provisioning system. To read about how it works, including and all the settings that you can set for this data source, refer to [Provisioning Grafana data sources](https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources).

cspell.config.json

@@ -28,6 +28,7 @@
     "etag",
     "fillmode",
     "genproto",
+    "getkin",
     "googleapi",
     "grafana",
     "gtime",

go.mod

@@ -3,22 +3,22 @@ module github.com/grafana/grafana-bigquery-datasource
 go 1.24.3
 
 require (
-	cloud.google.com/go v0.118.0
-	cloud.google.com/go/bigquery v1.64.0
-	github.com/grafana/grafana-google-sdk-go v0.2.1
+	cloud.google.com/go v0.120.0
+	cloud.google.com/go/bigquery v1.67.0
+	github.com/grafana/grafana-google-sdk-go v0.4.1
 	github.com/grafana/grafana-plugin-sdk-go v0.277.1
 	github.com/grafana/sqlds/v3 v3.4.2
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.10.0
-	google.golang.org/api v0.214.0
-	google.golang.org/grpc v1.71.1
+	google.golang.org/api v0.233.0
+	google.golang.org/grpc v1.72.0
 )
 
 require (
-	cloud.google.com/go/auth v0.13.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
+	cloud.google.com/go/auth v0.16.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	cloud.google.com/go/iam v1.2.2 // indirect
+	cloud.google.com/go/iam v1.5.2 // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/apache/arrow-go/v18 v18.2.0 // indirect
 	github.com/apache/arrow/go/v15 v15.0.2 // indirect
@@ -43,10 +43,10 @@ require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/grafana/dataplane/sdata v0.0.7 // indirect
 	github.com/grafana/otel-profiling-go v0.5.1 // indirect
@@ -109,21 +109,21 @@ require (
 	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
 	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/oauth2 v0.29.0 // indirect
-	golang.org/x/sync v0.13.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/term v0.31.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
-	golang.org/x/time v0.8.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.30.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
+	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/fsnotify/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect