BigQuery Service Account JSON Authentication not working with env_var

As in #2553 and #2989, this is quite difficult to debug at a distance, but here’s my best guess: The Could not deserialize key data error indicates that some character—often a newline—is added, missing, or in the wrong place.

Private keys contain many newlines, and they’re quite sensitive about them. In JSON, new lines in strings are represented via \n. When you download a JSON-formatted private keyfile from BigQuery, the private_key value will therefore contain \n.

However, when you’re passing the private_key value as a standalone string (not within a larger JSON blob), you need to replace all the instances of \n with a true newline. When setting the environment variable, you want to end up with something like:

export BQ_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
"

I’m not positive why var is working, while env_var is not working—I wasn’t able to replicate this!—but it’s possible that printing the env var out to CLI, then back in as an argument to --vars, replaces \n with newlines because it’s a bash string. I don’t think this reflects a functional difference between how dbt handles {{ var() }} vs. {{ env_var() }}.

If you’re still having trouble, or if you don’t care to manually edit the private key, you could also try passing the entire keyfile contents (as a JSON blob) into a single environment variable:

type: bigquery
method: service-account-json
...
keyfile_json: "{{ env_var('BQ_KEYFILE_JSON') | as_native }}"

Thanks, there must be some difference between env_var and var, as var works like a charm with the same complex key.