BigQuery (Service Account)

Live

SERVICE ACCOUNT

ANALYTICS

Analytics

Connect to Google BigQuery using a GCP service account for server-to-server authentication without user login.

  • Acts as the user: Every tool call runs as the authorizing user. Access and audit trail stay intact.
  • Credentials stay vaulted: AES-256 encrypted, resolved at request time, never stored in LLM context.
  • Scoped before every call: Per-user permissions enforced automatically. 90-day audit trail included.
BigQuery (Service Account)
agent · Acme Q3
Run
Cancel Job in BigQuery (Service Account)
S
bigqueryserviceaccount_cancel_job
85ms
BigQuery (Service Account) agent
Request cancellation of a running bigquery job. returns the final job resource. cancellation is best-effort and the job .
Sources: BigQuery (Service Account)
bigqueryserviceaccountmcp
1 tool call
18:29
Message Claude...

BigQuery (Service Account) tools for AI agents

CALL ANY TOOL
12 tools covering get, dry, cancel.
bigqueryserviceaccount_cancel_job
Request cancellation of a running bigquery job. returns the
Request cancellation of a running bigquery job. returns the final job resource. cancellation is best-effort and the job may complete before it can be cancelled.
Parameters
Name
Type
Required
Description
job_id
string
Required
The ID of the job to cancel
location
string
Optional
Geographic location where the job was created, e.g. US or EU
bigqueryserviceaccount_dry_run_query
Validate a sql query and estimate its cost without executing
bigqueryserviceaccount_get_dataset
Retrieve metadata for a specific bigquery dataset, including
bigqueryserviceaccount_get_job
Retrieve the status and configuration of a bigquery job by i
bigqueryserviceaccount_get_model
Retrieve metadata for a specific bigquery ml model, includin
bigqueryserviceaccount_get_query_results
Retrieve the results of a completed bigquery query job. supp
bigqueryserviceaccount_get_routine
Retrieve the definition and metadata of a specific bigquery
bigqueryserviceaccount_get_table
Retrieve metadata and schema for a specific bigquery table o
bigqueryserviceaccount_insert_query_job
Submit an asynchronous bigquery query job. returns a job id
bigqueryserviceaccount_list_datasets
List all bigquery datasets in the project. supports filterin
bigqueryserviceaccount_list_jobs
List bigquery jobs in the project. supports filtering by sta
bigqueryserviceaccount_list_models
List all bigquery ml models in a dataset, including their mo
Build your Agent
Same auth pattern across every framework.
Python · LlamaIndex
from langchain_mcp_adapters.client import MultiServerMCPClient
from scalekit import ScalekitClient

client = ScalekitClient(env_url=ENV_URL, client_id=CLIENT_ID, client_secret=SECRET)
token = client.agent.get_token(user_id="user_id", connector="bigqueryserviceaccount")

mcp = MultiServerMCPClient({
"bigqueryserviceaccount": {
"url": "https://mcp.scalekit.com/bigqueryserviceaccount",
"headers": {"Authorization": "Bearer " + token}
}
})
tools = await mcp.get_tools()
import OpenAI from "openai";
import { ScalekitClient } from "@scalekit-sdk/node";

const client = new ScalekitClient({ envUrl, clientId, clientSecret });
const token = await client.agent.getToken({ userId: "user_id", connector: "bigqueryserviceaccount" });

const openai = new OpenAI();
// Connect to MCP at https://mcp.scalekit.com/bigqueryserviceaccount
// Pass: Authorization: Bearer + token
import Anthropic from "@anthropic-ai/sdk";
import { ScalekitClient } from "@scalekit-sdk/node";

const client = new ScalekitClient({ envUrl, clientId, clientSecret });
const token = await client.agent.getToken({ userId: "user_id", connector: "bigqueryserviceaccount" });

const anthropic = new Anthropic();
// Connect to MCP at https://mcp.scalekit.com/bigqueryserviceaccount
// Pass: Authorization: Bearer + token
from google.adk.agents import LlmAgent
from scalekit import ScalekitClient

client = ScalekitClient(env_url=ENV_URL, client_id=CLIENT_ID, client_secret=SECRET)
token = client.agent.get_token(user_id="user_id", connector="bigqueryserviceaccount")
# Connect to MCP at https://mcp.scalekit.com/bigqueryserviceaccount
# Pass: Authorization: Bearer + token
Try these prompts
Paste any prompt into your agent to get started.
Get started
Copy the prompt
Copied
Submit an asynchronous BigQuery query job?
Copy the prompt
Copied
Request cancellation of a running BigQuery job?
Advanced
Copy the prompt
Copied
Validate a SQL query and estimate its cost without executing it?
Copy the prompt
Copied
List all tables and views in a BigQuery dataset?
SEE HOW AUTH WORKS
User authorises once. Every agent call after uses their token with scope enforcement.
1
Authorize
Your user connects
BigQuery (Service Account)
once. We tie it to their identity and the meetings they approved — no shared bot account, no org-wide access
Who:
user ‘A’
when:
Once per user
access:
Limited to user
2
Store
Their
BigQuery (Service Account)
token lives in a vault scoped to them. User A's meetings are never reachable by an agent acting for user B, even on the same connection
vault:
encrypted
scope:
per-user
tokens:
auto-refreshed
3
Resolve
When your agent calls a
BigQuery (Service Account)
tool, we fetch the right token server-side. It never touches your agent, never appears in the LLM context, never shows up in your logs
speed:
~40ms
check:
before every call
seen by:
nobody
4
Audit
Every
BigQuery (Service Account)
tool call is logged — who triggered it, which meeting was fetched, what came back. 90 days of history, tied to the user who authorized it
history:
90 days
export:
SIEM-ready
logged:
every call
Test other agents
See the same per-user auth pattern across other connectors.
SALES
Deal intelligence agent
Combine Gong, Attio, and Slack signals to surface deal risks and next-best actions. Updated after every call.
ENGINEERING
Engineering standup agent
Aggregate GitHub and GitLab activity, link to Jira, and post a daily standup digest to Slack. No async updates.
Why Scalekit
Secure your agent's access. Connectors ship in minutes
Other connector libraries treat auth as a demo afterthought.
01.
Shared tokens break per-user analytics
A shared token looks fine in a demo. In production every call looks like a service account. Scalekit resolves the real user credential.
// shared token
audit → bot_service_account

// scalekit
audit → user_abc ✓
02.
Authentication is not authorization
03.
Multi-tenancy is architectural
04.
One connector today. Ten tomorrow.
“Our agents act across Salesforce, Gong, Google Drive, and more, on behalf of every customer. Scalekit behind the scenes meant we can keep adding tools without ever rebuilding how credentials or tool calling work.”
Venu Madhav Kattagoni
Head of Engineering / Von
FAQs
Frequently Asked Questions

Does the agent access BigQuery (Service Account) as the user or as a shared key?
As the user. Each workspace member authorizes once and Scalekit resolves their credential at request time. Audit logs attribute every action to that user, not a shared service account.

Where is the BigQuery (Service Account) service account key stored?
In Scalekit's managed AES-256 token vault, namespaced per tenant. Refresh is automatic. Revocation is a single dashboard action. Tokens never appear in prompts, logs, or LLM context.

Can I limit what the agent is allowed to do in BigQuery (Service Account)?
Yes. Pass a tool name filter to listScopedTools so the analytics agent only sees the subset you authorize. Pre-API-call scope checks block out-of-policy actions before the request reaches BigQuery (Service Account).

What happens when a user revokes BigQuery (Service Account) access?
The connection is invalidated on the next tool call. Subsequent requests for that user fail closed with a clear error. Other users in the tenant remain unaffected. The event is logged for audit.

Does the service account respect BigQuery IAM?
Yes. Queries run under the connected service account's IAM roles, with dataset ACLs, row-level security, and masking intact. Scalekit vaults the key and adds per-call scope checks plus audit.

Start in your coding agent
Up and running in one command
Install the Scalekit skill in your editor of choice. Connector, auth, tools, prompt, all wired up
Claude Code REPL
/plugin marketplace add scalekit-inc/claude-code-authstack
/plugin install agentkit@scalekit-auth-stack
Cursor Code REPL
# ~/.cursor/mcp.json
{
""mcpServers"": {
""bigqueryserviceaccount"": {
""url"": ""https://mcp.scalekit.com/bigqueryserviceaccount"",
""headers"": { ""Authorization"": ""Bearer $SCALEKIT_TOKEN"" }
}
}
}
Codex Code REPL
# ~/.codex/config.toml
[mcp_servers.bigqueryserviceaccount]
url = ""https://mcp.scalekit.com/bigqueryserviceaccount""
auth_env = ""SCALEKIT_TOKEN""
Copilot Code REPL
# .vscode/mcp.json
{
""servers"": {
""bigqueryserviceaccount"": {
""url"": ""https://mcp.scalekit.com/bigqueryserviceaccount"",
""type"": ""http""
}
}
}