Connecting to Google BigQuery Using OAuth Authentication

Related LIBNAME Options

Use these options to connect to Google BigQuery using the OAuth tool for authentication:

Here is an example of a LIBNAME statement that connects to Google BigQuery using the OAuth tool options:

libname mylib bigquery schema='Region1'
        project='myProject'
        CLIENT_ID="919191919191-abababa5ab96so8v9o298np4tg0la1md.apps.googleusercontent.com"
        CLIENT_SECRET=O8XKYBEdFZdX_1BAbABab9AB
        REFRESH_TOKEN="1//0dJj ... l3-7cOoDxCR0p9u6k3_jl_i-Y31hdZ4FOumSO0"
        <other-options>;

Here is a sample call to PROC SQL that uses the same options:

proc sql;
     connect to (CLIENT_SECRET=O8XKYBEdFZdX_1BAbABab9AB
       CLIENT_ID="919191919191-abababa5ab96so8v9o298np4tg0la1md.apps.googleusercontent.com"
       REFRESH_TOKEN="1//0dJj ... l3-7cOoDxCR0p9u6k3_jl_i-Y31hdZ4FOumSO0" 
       <other-options>);
Note: The value of REFRESH_TOKEN= is typically quite long. The ellipsis (...) symbol is used to convey that the value is longer than what is shown in the examples.

Utility to Obtain an Authentication Token

Install the Authentication Token Utility

SAS/ACCESS Interface to Google BigQuery provides a utility that generates the refresh token that is needed for OAuth authentication. This utility is part of the SAS/ACCESS to Google BigQuery Tools that are available at https://support.sas.com/downloads/package.htm?pid=2459.

The name of the file to download corresponds to your operating system.

  • Linux: sas-bigquery-tools-<version>-linux.tgz
  • Apple macOS: sas-bigquery-tools-<version>-osx.tgz
  • Windows: sas-bigquery-tools-<version>.zip

The Authentication Token utility is called getRefreshToken, and it is contained in the compressed file.

Run the Authentication Token Utility

To obtain a refresh token using the Authentication Token utility for the Google BigQuery interface, complete the following steps:

  1. Run the getRefreshToken utility, providing your client ID and client secret values. The client_id is the ID for the OAuth client for which you are obtaining a refresh token. The client_secret is the secret value for the OAuth client. 
    utility-path/getRefreshToken -client_id client_id
 -client_secret client_secret
  2. Open a web browser and access the URL that you obtained in step 1.
    1. Provide your Google credentials to log in to the site.
    2. Click Allow to grant Google BigQuery and GCP services access to your data.
    3. You receive an error that states that you cannot access the site. However, you can copy the necessary access token from the resulting URL. Copy the value after the &code parameter (the value ends before the &scope parameter). This is your access token.
  3. To obtain a refresh token, enter the access token value that you obtained in step 2.

To test your connection with a refresh token value, you can enter a command similar to the following:

utility-path/getRefreshToken -client_id client-ID
                -client_secret secret 
                -project myProject
                -token refresh-token-value
                -query 'select * from `schema.table`'

To get help with syntax for getRefreshtoken, specify the following command:

getRefreshToken -h

The getRefreshToken command supports these options:

-client_id string specifies the OAuth client ID value.
-client_secret string specifies the OAuth client secret.
-project string specifies the project to connect with for your test query.
-proxy string specifies the proxy URL to connect through.
-query string specifies a test query to run to test your connection with the refresh token. Specify the -project option when you specify -query. Enclose the query in single quotation marks (') and enclose table values with back quotation marks (`). For example, you might specify this test query: -query 'select * from `schema.table`'
-scope string specifies the scope for the token. This can take the form of a keyword, a combination of keywords, or one or more scope URLs. Valid keywords are bigquery, sheets, drive, or all. Use a + to combine keywords, such as sheets+drive. The keyword all must be specified by itself. Use a + to combine multiple scope URL values, such as https://www.googleapis.com/auth/drive.readonly+https://www.googleapis.com/auth/spreadsheets.readonly.
-token string specifies the refresh token to connect with.
Last updated: February 3, 2026