
[CT-2158] [Feature] Support Workload Identity Federation for Headless Authentication into BigQuery

Open ernestoongaro opened this issue 2 years ago • 16 comments

Is this your first time submitting a feature request?

  • [X] I have read the expectations for open source contributors
  • [X] I have searched the existing issues, and I could not find an existing issue for this feature
  • [X] I am requesting a straightforward extension of existing dbt-bigquery functionality, rather than a Big Idea better suited to a discussion

Describe the feature

Traditionally, applications running outside Google Cloud can use service account keys to access Google Cloud resources. However, service account keys are powerful credentials, and can present a security risk if they are not managed correctly.

With identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.

Describe alternatives you've considered

OAuth is fine for developer authentication, but not great for something that will be scheduling the runs (like dbt Cloud).

Who will this benefit?

Any security-conscious GCP users

Are you interested in contributing this feature?

No response

Anything else?

Specifically, this request is for use with Azure AD (which is OIDC-compliant), but there are other schemes supported:

  • AWS
  • Azure Active Directory
  • On-premises Active Directory Federation Services (AD FS)
  • Okta
  • Kubernetes clusters

ernestoongaro, Feb 22 '23 10:02
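As an added illustration (not code from the issue or from dbt-bigquery): the distinction the request hinges on is between a downloaded service-account key, whose JSON carries the private key itself, and a Workload Identity Federation credential config, which carries only pointers (the workload identity pool audience, the Google STS token endpoint, an optional impersonation URL, and where the external OIDC token comes from). The checker below classifies a credential JSON and flags long-lived key material or a malformed federation config, which is the kind of check a team migrating off keys would run over its profiles and secret stores. The two sample documents, the project number, pool and provider ids, and the service-account address are constructed placeholders.

```python
"""Classify a Google Cloud credential JSON as a long-lived service-account key
or a Workload Identity Federation (external_account) credential config.

Added illustration, not dbt-bigquery code. Sample documents are constructed;
project numbers, pool/provider ids and the service-account address are
placeholders.
"""
import json
import re

# Audience of a workload identity pool provider, in the shape Google documents:
# //iam.googleapis.com/projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$"
)
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
IMPERSONATION_RE = re.compile(
    r"^https://iamcredentials\.googleapis\.com/v1/projects/-/serviceAccounts/"
    r"[^/]+:generateAccessToken$"
)
# Ways an external_account config can say where the external token comes from.
CREDENTIAL_SOURCE_KEYS = ("file", "url", "environment_id", "executable")


def classify_credential(doc: dict) -> dict:
    """Return {'kind': ..., 'findings': [...]} for one parsed credential JSON."""
    findings = []
    kind = doc.get("type")
    if kind == "service_account":
        # A downloaded key: the private key is the secret, never expires unless
        # rotated, and grants the account's roles to anyone holding the file.
        if "private_key" in doc:
            findings.append("long-lived private key material present; prefer federation")
        return {"kind": "service_account_key", "findings": findings}
    if kind == "external_account":
        # Federation config: no secret inside, only where to exchange an
        # external identity token for a short-lived Google access token.
        if not AUDIENCE_RE.match(doc.get("audience", "")):
            findings.append("audience is not a workload identity pool provider")
        if doc.get("token_url") != STS_TOKEN_URL:
            findings.append("token_url is not the Google STS endpoint")
        source = doc.get("credential_source", {})
        if not any(k in source for k in CREDENTIAL_SOURCE_KEYS):
            findings.append("credential_source does not say where the external token comes from")
        imp = doc.get("service_account_impersonation_url")
        if imp is not None and not IMPERSONATION_RE.match(imp):
            findings.append("service_account_impersonation_url is malformed")
        return {"kind": "workload_identity_federation", "findings": findings}
    return {"kind": "unknown", "findings": [f"unrecognised credential type {kind!r}"]}


def classify_json(text: str) -> dict:
    """Same as classify_credential, but on the raw file contents."""
    return classify_credential(json.loads(text))


# Constructed sample: the key-file shape a scheduler would traditionally be given.
SA_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "placeholder-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n",
    "client_email": "dbt-runner@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}

# Constructed sample: an external_account config for an Azure AD-backed pool.
WIF_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/azure-ad-pool/providers/azure-ad",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": STS_TOKEN_URL,
    "service_account_impersonation_url":
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "dbt-runner@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"file": "/var/run/secrets/azure/oidc-token"},
}

if __name__ == "__main__":
    for name, doc in (("service-account key", SA_KEY), ("federation config", WIF_CONFIG)):
        print(name, "->", classify_credential(doc))
```

Run as a script it reports the key file as `service_account_key` with a finding about private key material and the federation config as `workload_identity_federation` with no findings; point `classify_json` at the contents of any credential file a scheduler is configured with to get the same verdict.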