https://community.databricks.com/t5/data-engineering/is-gcp-workload-identity-federation-supported-for-bigquery/m-p/142552#M51970 <P>I guess that it is only one accepted as doc say "<STRONG>Google service account key json</STRONG>"</P> Thu, 25 Dec 2025 16:35:01 GMT Hubert-Dudek 2025-12-25T16:35:01Z https://community.databricks.com/t5/data-engineering/is-gcp-workload-identity-federation-supported-for-bigquery/m-p/142535#M51967 <P class=""><SPAN class="">I’m trying to set up a BigQuery connection in </SPAN>Azure Databricks (Unity Catalog / Lakehouse Federation)<SPAN class=""> using </SPAN>GCP Workload Identity Federation (WIF)<SPAN class=""> instead of a GCP service account key</SPAN></P><P class=""><STRONG>Environment</STRONG>:</P><OL><LI>Azure Databricks workspace</LI><LI>BigQuery query federation via Unity Catalog</LI><LI>GCP Workload Identity Pool + OIDC provider configured for Azure AD</LI><LI>Azure Managed Identity / App Registration issuing OIDC tokens</LI><LI>GCP Service Account with <SPAN class="">roles/iam.workloadIdentityUser</SPAN><SPAN> binding to the pool/provider</SPAN></LI></OL><P><STRONG><SPAN>Config Example:</SPAN></STRONG></P><LI-CODE lang="javascript">{ "type": "external_account", "audience": "//iam.googleapis.com/projects/.../providers/...", "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/...", "credential_source": { "url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&amp;resource=api://AzureADTokenExchange", "headers": { "Metadata": "True" }, "format": { "type": "json", "subject_token_field_name": "access_token" } } }</LI-CODE><P class=""><STRONG>Issue:</STRONG></P><P>When creating the BigQuery connection, Databricks shows error:&nbsp;<EM>Google Server Account OAuth Private Key has to be a valid JSON object from the KEYS section…</EM></P><P>This looks like the connector only accepts private service account key JSON.</P><P class=""><STRONG>Question:</STRONG></P><P class="">Is GCP Workload Identity Federation officially supported for BigQuery connections in Azure Databricks today? If so, is there a different credential format required?</P><P>&nbsp;</P> Wed, 24 Dec 2025 17:28:30 GMT https://community.databricks.com/t5/data-engineering/is-gcp-workload-identity-federation-supported-for-bigquery/m-p/142535#M51967 ciaran 2025-12-24T17:28:30Z https://community.databricks.com/t5/data-engineering/is-gcp-workload-identity-federation-supported-for-bigquery/m-p/142552#M51970 <P>I guess that it is only one accepted as doc say "<STRONG>Google service account key json</STRONG>"</P> Thu, 25 Dec 2025 16:35:01 GMT https://community.databricks.com/t5/data-engineering/is-gcp-workload-identity-federation-supported-for-bigquery/m-p/142552#M51970 Hubert-Dudek 2025-12-25T16:35:01Z