'How can I see the service account that the python bigquery client uses?

To create a default bigquery client I use:

from google.cloud import bigquery
client = bigquery.Client()

This uses the (default) credentials available in the environment.

But how I see then which (default) service account is used?

pythongoogle-cloud-platformgoogle-bigquery


Solution 1:[1]

This led me in the right direction:
Google BigQuery Python Client using the wrong credentials

To see the service-account used you can do:

client._credentials.service_account_email

However:
This statement above works when you run it on a jupyter notebook (in Vertex AI), but when you run it in a cloud function with print(client._credentials.service_account_email) then it just logs 'default' to Cloud Logging. But the default service account for a Cloud Function should be: <project_id>@appspot.gserviceaccount.com.


This will also give you the wrong answer:

client.get_service_account_email()

The call to client.get_service_account_email() does not return the credential's service account email address. Instead, it returns the BigQuery service account email address used for KMS encryption/decryption.

Solution 2:[2]

While you can interrogate the credentials directly (be it json keys, metadata server, etc), I have occasionally found it valuable to simply query bigquery using the SESSION_USER() function.

Something quick like this should suffice:

client = bigquery.Client()
query_job = client.query("SELECT SESSION_USER() as whoami")
results = query_job.result()
for row in results:
    print("i am {}".format(row.whoami))

Solution 3:[3]

Following John Hanley's comment (when running on a Compute Engine) you can query the metadata service to get the email user name:
https://cloud.google.com/compute/docs/metadata/default-metadata-values

So you can either use linux:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"

Or python:

import requests

headers = {'Metadata-Flavor': 'Google'}
response = requests.get(
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email", 
    headers=headers
)
print(response.text)

The default in the url used is the alias of the actual service account used.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 shollyman
Solution 3 Sander van den Oord

Related Questions

Selenium-Python: How do I make my WebDriverWait a few seconds before reloading a page?

Selenium-Python: How do I make my WebDriverWait a few seconds before reloading a page?

pip issue installing almost any library

pip issue installing almost any library

pip issue installing almost any library

Selenium-Python: How do I make my WebDriverWait a few seconds before reloading a page?

Selenium-Python: How do I make my WebDriverWait a few seconds before reloading a page?

A simple SMTP server (in Python)

How to specify which pytorch to import, if I have two different versions installed?

How to specify which pytorch to import, if I have two different versions installed?

A simple SMTP server (in Python)

Python: get all months in range?

Python: get all months in range?

Python: get all months in range?

How to specify which pytorch to import, if I have two different versions installed?