faucet-common-bigquery
Shared Google BigQuery credentials and client construction for the BigQuery source and sink connectors. Part of the faucet-stream ecosystem.
This is a small internal/shared crate: it holds the one credential enum and the one async client builder that both faucet-source-bigquery and faucet-sink-bigquery need, so the two crates accept exactly the same auth shape and build their gcp_bigquery_client::Client the same way.
What it provides
| Item | Kind | Description |
|---|---|---|
BigQueryCredentials |
enum |
How to authenticate with BigQuery. Derives Serialize, Deserialize, JsonSchema so it round-trips through YAML/JSON configs and CLI schema introspection. Its Debug impl masks inline service-account JSON as *** while leaving the key path visible. |
build_client(&BigQueryCredentials) |
async fn |
Turns a BigQueryCredentials into a ready-to-use [gcp_bigquery_client::Client]. Returns FaucetError::Auth on authentication failure or unparseable inline JSON. |
BigQueryCredentials variants
Credentials serialize as { type: <method>, config: { … } } (adjacent tagging, snake_case discriminators) — the consistent auth wire shape shared by every faucet connector.
type |
config fields |
Description |
|---|---|---|
service_account_key_path |
path: String |
Path to a service-account JSON key file on disk. |
service_account_key |
json: String |
Inline service-account JSON key content (e.g. injected from a secrets manager). |
application_default |
(none) | Use Application Default Credentials — workload identity, gcloud auth application-default login, or the GOOGLE_APPLICATION_CREDENTIALS env var. |
Example YAML, as it appears inside a source/sink credentials: block:
# Key file on disk
credentials:
type: service_account_key_path
config:
path: /etc/faucet/bq-key.json
# Inline JSON (often via a secret reference)
credentials:
type: service_account_key
config:
json: ${secret:BQ_SA_JSON}
# Application Default Credentials — no config
credentials:
type: application_default
Who should depend on this
- End users / pipeline authors — you almost certainly do not depend on this crate directly. Install
faucet-source-bigqueryorfaucet-sink-bigquery(or thefaucetCLI with thesource-bigquery/sink-bigqueryfeatures); both re-exportBigQueryCredentials, so your imports don't change. - Connector authors — depend on this crate if you are building a third-party
faucet-source-*/faucet-sink-*crate that talks to BigQuery and want to accept the same credentials shape and reuse the same client builder.
Installation
The only required faucet dependency is faucet-core (pulled in transitively); see the Third-Party Connector Friendliness guidance.
Usage
use ;
async
Embed BigQueryCredentials in your own connector config so it deserializes from the standard wire shape:
use BigQueryCredentials;
use JsonSchema;
use ;
Feature flags
None. The crate has no optional features; all functionality is always compiled.
Troubleshooting
| Symptom | Cause / fix |
|---|---|
FaucetError::Auth("invalid service account JSON: …") |
The service_account_key json string is not valid service-account JSON. Verify the value (and that any secret reference resolved to the full key body, not a path). |
FaucetError::Auth("BigQuery auth failed: …") |
The key file path is wrong/unreadable, the service account lacks BigQuery permissions, or ADC could not be resolved. Check the path, the SA's IAM roles, and run gcloud auth application-default login for the application_default variant. |
Inline key shows as ServiceAccountKey(***) in logs |
Intended — the Debug impl masks inline JSON so it never leaks into tracing output. Key paths are not masked. |
application_default can't find credentials |
Set GOOGLE_APPLICATION_CREDENTIALS, run gcloud auth application-default login, or run on a GCP runtime with an attached service account / workload identity. |
See also
- faucet-source-bigquery — BigQuery query source.
- faucet-sink-bigquery — BigQuery streaming-insert /
MERGEupsert sink. - faucet-stream documentation — full project docs.
License
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.