Alteryx Designer Desktop Discussions

lzanotti · ‎09-23-2024

hi community,

I have a question around the connectivity of Alteryx using the Workload Identity federation for Big Query.

Bit of a background: we are currently using a Simba ODBC for BigQuery to connect to Alteryx. We are using the standard Input Output tool and the performance stability of the gallery is great. However we originally set it up using the Service Authentication OAuth Mechanism.

I just wonder if we should use the Workload Identity federation as explained by Google Big Query as most secure way to connect?
https://cloud.google.com/iam/docs/workload-identity-federation?_gl=1*19pykcm*_ga*MTQzNjY5MTY2NS4xNjk...

And if anyone can share any documentation tips in order to use this?
Obviously we wish to keep if possible the same way we run the workflow for each user in Designer and when they deploy using the Alteryx Service Account to run in the Gallery.

Thanks
Luca

apathetichell · ‎09-23-2024

Is your server a GCP, AWS or (hopefully not) Azure VM? If so - yes you can use that workfload identity federation (or straight up CLI) BUT you will need to run all your BQ Alteryx things via Gcloud CLI or Python- not Alteryx tools. Alteryx tools do not support external connections for cloud services (ie the connection is handled at the environment -> cloud level vs the Alteryx to cloud level). This is semi-standard.

So your new workflow would be:

Alteryx runs script (let's say Python) to connect to BQ and run query. Python tool outputs DF to Alteryx workflow for processing.

Also - yes. federated/workload/oidc is safer than static credential authentication.

Alteryx Designer Desktop Discussions

Simba ODBC Big Query Workload Identity Federation