Destination Improvement: HVR BigQuery location to support passwordless authentication on Compute Engine
To whom it may concern.
Due to increased security requirements from our company security department, we got ourselves in a position where it becomes impossible to export any service account keyfile from our Google Cloud Platform projects.
Normally, this should not be an issue, as Google provides a mechanism to authenticate against a service account when running a Google Cloud client library in a Google environment, i.e. a virtual machine running in Compute Engine in our case. This mechanism is known as ADC, for Application Default Credentials.
It is the standard for authenticating in production when using compute resources in Google Cloud; see this excerpt from the documentation:
"
Some Google Cloud services, such as Compute Engine, App Engine, and Cloud Run functions, support attaching a user-managed service account to some types of resources. Generally, attaching a service account is supported when that service's resources can run or include application code. When you attach a service account to a resource, the code running on the resource can use that service account as its identity.
Attaching a user-managed service account is the preferred way to provide credentials to ADC for production code running on Google Cloud.
"
Set up Application Default Credentials | Authentication | Google Cloud
How Application Default Credentials works | Authentication | Google Cloud
Unfortunately, upon getting the newest version of the ODBC driver compatible with ADC in Compute Engine, we realized that the ADC behaviour was not implemented in HVR, hence precluding us from running our agent in our infrastructure.
Could this feature be implemented?
Thank you in advance
Related issues:
https://support.fivetran.com/hc/en-us/requests/208455?page=1
https://support.fivetran.com/hc/en-us/requests/223317?page=1
Ticket at Google Issue Tracker for BigQuery: