stage: PR-2259: a6f4537e986b34d745fffc015467e77f4f12c061

previews/PR-2259/llms-full.txt

@@ -6970,6 +6970,13 @@ intend to run. Common roles include `roles/bigquery.user` (which includes
 permissions to run jobs and read data) or `roles/bigbigquery.dataViewer`.
 Follow this [guide][set-adc] to set up your ADC.
 
+If you are running on Google Compute Engine (GCE) or Google Kubernetes Engine
+(GKE), you might need to explicitly set the access scopes for the service
+account. While you can configure scopes when creating the VM or node pool, you
+can also specify them in the source configuration using the `scopes` field.
+Common scopes include `https://www.googleapis.com/auth/bigquery` or
+`https://www.googleapis.com/auth/cloud-platform`.
+
 ### Authentication via User's OAuth Access Token
 
 If the `useClientOAuth` parameter is set to `true`, Toolbox will instead use the
@@ -7000,6 +7007,9 @@ sources:
     #   - "my_dataset_1"
     #   - "other_project.my_dataset_2"
     # impersonateServiceAccount: "service-account@project-id.iam.gserviceaccount.com" # Optional: Service account to impersonate
+    # scopes: # Optional: List of OAuth scopes to request.
+    #   - "https://www.googleapis.com/auth/bigquery"
+    #   - "https://www.googleapis.com/auth/drive.readonly"
 ```
 
 Initialize a BigQuery source that uses the client's access token:
@@ -7016,6 +7026,9 @@ sources:
     #   - "my_dataset_1"
     #   - "other_project.my_dataset_2"
     # impersonateServiceAccount: "service-account@project-id.iam.gserviceaccount.com" # Optional: Service account to impersonate
+    # scopes: # Optional: List of OAuth scopes to request.
+    #   - "https://www.googleapis.com/auth/bigquery"
+    #   - "https://www.googleapis.com/auth/drive.readonly"
 ```
 
 ## Reference
@@ -7028,6 +7041,7 @@ sources:
 | writeMode                 |  string  |    false     | Controls the write behavior for tools. `allowed` (default): All queries are permitted. `blocked`: Only `SELECT` statements are allowed for the `bigquery-execute-sql` tool. `protected`: Enables session-based execution where all tools associated with this source instance share the same [BigQuery session](https://cloud.google.com/bigquery/docs/sessions-intro). This allows for stateful operations using temporary tables (e.g., `CREATE TEMP TABLE`). For `bigquery-execute-sql`, `SELECT` statements can be used on all tables, but write operations are restricted to the session's temporary dataset. For tools like `bigquery-sql`, `bigquery-forecast`, and `bigquery-analyze-contribution`, the `writeMode` restrictions do not apply, but they will operate within the shared session. **Note:** The `protected` mode cannot be used with `useClientOAuth: true`. It is also not recommended for multi-user server environments, as all users would share the same session. A session is terminated automatically after 24 hours of inactivity or after 7 days, whichever comes first. A new session is created on the next request, and any temporary data from the previous session will be lost. |
 | allowedDatasets           | []string |    false     | An optional list of dataset IDs that tools using this source are allowed to access. If provided, any tool operation attempting to access a dataset not in this list will be rejected. To enforce this, two types of operations are also disallowed: 1) Dataset-level operations (e.g., `CREATE SCHEMA`), and 2) operations where table access cannot be statically analyzed (e.g., `EXECUTE IMMEDIATE`, `CREATE PROCEDURE`). If a single dataset is provided, it will be treated as the default for prebuilt tools. |
 | useClientOAuth            |   bool   |    false     | If true, forwards the client's OAuth access token from the "Authorization" header to downstream queries. **Note:** This cannot be used with `writeMode: protected`.                                                                                                                                                                                                                                                                                                                                                |
+| scopes                    | []string |    false     | A list of OAuth 2.0 scopes to use for the credentials. If not provided, default scopes are used.                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | impersonateServiceAccount |  string  |    false     | Service account email to impersonate when making BigQuery and Dataplex API calls. The authenticated principal must have the `roles/iam.serviceAccountTokenCreator` role on the target service account. [Learn More](https://cloud.google.com/iam/docs/service-account-impersonation)                                                                                                                                                                                                                                |
 
 
@@ -13262,6 +13276,8 @@ See [Usage Examples](../reference/cli.md#examples).
     *   `BIGQUERY_LOCATION`: (Optional) The dataset location.
     *   `BIGQUERY_USE_CLIENT_OAUTH`: (Optional) If `true`, forwards the client's
         OAuth access token for authentication. Defaults to `false`.
+    *   `BIGQUERY_SCOPES`: (Optional) A comma-separated list of OAuth scopes to
+        use for authentication.
 *   **Permissions:**
     *   **BigQuery User** (`roles/bigquery.user`) to execute queries and view
         metadata.