Agent impersonation: what it means for your access reviews (on BigQuery)

Is your team sure that the access reviews for BigQuery actually reflect who ran each query? That question haunts many security and compliance groups because the answer is often “no.”

Most organizations grant service accounts wide‑range permissions on BigQuery and let automation agents or scripts run under those accounts. The agents are usually configured once and then reused for weeks or months. When a new engineer needs to run a report, they are handed the same credential or asked to invoke the same automation wrapper. The result is a shared identity that masks the real actor behind every query. If an attacker compromises the automation, they inherit the same privileged token and can issue arbitrary queries without leaving a trace tied to a human user.

Access reviews rely on the premise that each permission can be traced back to a distinct identity. When a privileged service account is used as a blanket credential, reviewers see a list of accounts with broad scopes but no visibility into which individual triggered a particular query. The review process therefore becomes a checklist of “does this account need these rights?” rather than an evidence‑based assessment of actual usage. Even if you tighten IAM policies, the request still travels directly to BigQuery, bypassing any point where you could verify the true caller or enforce additional controls.

The missing piece is a data‑path enforcement layer that can see the request, apply policy, and record the outcome before it reaches the target. Without such a layer, the setup, identity federation, least‑privilege roles, and service‑account provisioning, only decides who *may* start a connection. It does not guarantee that the connection is inspected, approved, or logged in a way that supports reliable access reviews. The request continues to flow straight to BigQuery, leaving the audit trail empty and the opportunity for impersonation unchecked.

hoop.dev fills that gap by acting as a Layer 7 gateway positioned between the identity provider and BigQuery. The gateway receives the user’s OIDC token, validates it, and then proxies the query to BigQuery on behalf of the user. Because the proxy sits in the data path, it is the only place where enforcement can happen. hoop.dev can require just‑in‑time approval for risky queries, block commands that match a deny list, and mask sensitive result fields in real time. Most importantly, hoop.dev records every session, tying each query to the original identity that presented the token.

When hoop.dev records a session, the log entry includes the user’s subject, the exact SQL statement, the time of execution, and the outcome of any policy check. Those records become the evidence that access‑review teams need: they can now answer “who ran this query, when, and was it approved?” without guessing. Because the gateway holds the credential for BigQuery, the agent never sees the underlying service‑account key, eliminating the avenue for credential leakage and subsequent impersonation.

The enforcement outcomes, session recording, inline masking, just‑in‑time approval, and command blocking, exist only because hoop.dev sits in the data path. If you removed the gateway, the same identity setup would revert to the original problem: a shared service account issuing untracked queries. In other words, hoop.dev is the active cause of the audit fidelity required for trustworthy access reviews.

Setting up this architecture still starts with proper identity configuration. You provision OIDC or SAML integration with your IdP, assign users to groups that reflect their data‑access needs, and create a least‑privilege service account for the gateway itself. Those steps constitute the **setup** layer: they decide who may request access, but they do not enforce any policy on their own.

The **data path** is the gateway itself, hoop.dev. All traffic to BigQuery passes through this component, where policy checks are applied.

The **enforcement outcomes**, recorded sessions, masked results, JIT approvals, and blocked commands, are produced exclusively by hoop.dev. Those outcomes give your access‑review process the concrete evidence it needs to validate that only authorized individuals are exercising privileged queries.

By inserting a gateway that both authenticates the caller and enforces policy at the protocol level, you turn a vague list of service‑account permissions into a transparent, auditable workflow. Access‑review teams can now trust the data they see, and security auditors can verify that the organization’s privileged‑access controls are actually being exercised as intended.

For a quick start, see the getting‑started guide and the broader learn section for deeper details on policy configuration. The full source code and contribution guidelines are available on GitHub.

FAQ

How does hoop.dev prevent an agent from seeing the BigQuery credential? The gateway stores the service‑account key internally and uses it only to forward approved queries. The agent never receives the key, so credential theft via the agent is impossible.

Will hoop.dev mask all data returned from BigQuery? Masking is policy‑driven. You define which result columns are considered sensitive, and hoop.dev redacts those fields in real time before they reach the client.

Can I still use existing BI tools with hoop.dev in front of BigQuery? Yes. Because hoop.dev proxies the standard BigQuery wire protocol, any client that speaks the protocol, whether it’s a BI dashboard, a notebook, or a custom script, continues to work unchanged.