The query finished running, but the data was no longer safe to show.
Sensitive columns sat in plain sight. Emails, phone numbers, IDs — all visible to anyone with access. That’s when we decided to use BigQuery data masking with Keycloak.
BigQuery gives you speed and scalability. Your tables can hold billions of records and still respond in seconds. But speed without control is risk. Data masking ensures that only the right people see the right data, even when they query the same dataset.
Keycloak adds identity and access management on top. It becomes the gatekeeper that knows who each user is, what role they have, and what they should see. When you connect Keycloak to BigQuery, you can enforce masking rules based on user attributes. Analysts can run their queries without ever touching raw sensitive information.
The workflow is simple. Create masking policies in BigQuery using SQL, choosing which fields to obfuscate and how. Link queries to roles, not individuals. Integrate with Keycloak for authentication and role assignment. When a user logs in, Keycloak hands BigQuery the role, and BigQuery applies the right masking automatically.
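A minimal model of that role-to-masking step, added here as an illustration and not taken from BigQuery, Keycloak or hoop.dev: it reads roles from Keycloak access-token claims (`realm_access.roles` and `resource_access.<client>.roles`) and applies a per-column rule, nullifying any sensitive column the caller holds no role for. The role names, column names, `bq-proxy` client ID and policy table are hypothetical, the masking functions only approximate BigQuery's predefined rules, and the claims are assumed to come from a token whose signature was already verified.

```python
import hashlib

# Masking rules, simplified approximations of BigQuery's predefined ones (assumption).
MASKS = {
    "clear": lambda v: v,
    "sha256": lambda v: hashlib.sha256(v.encode()).hexdigest(),
    "email_mask": lambda v: "XXXXX@" + v.split("@", 1)[1] if "@" in v else "XXXXX",
    "last_four": lambda v: "XXXXX" + v[-4:],
    "nullify": lambda v: None,
}

# Constructed central policy: per sensitive column, (role, rule) pairs in priority order.
# Role and column names are hypothetical.
POLICY = {
    "email": [("pii-reader", "clear"), ("analyst", "email_mask")],
    "phone": [("pii-reader", "clear"), ("support", "last_four")],
    "national_id": [("pii-reader", "clear"), ("analyst", "sha256")],
}

def roles_from_claims(claims, client_id="bq-proxy"):
    """Collect realm and client roles from already-verified Keycloak token claims."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)

def rule_for(column, roles):
    """First matching role wins; a sensitive column with no match is nullified."""
    for role, rule in POLICY[column]:
        if role in roles:
            return rule
    return "nullify"

def mask_row(row, roles):
    """Return a copy of row with every sensitive column masked for these roles."""
    out = {}
    for column, value in row.items():
        if column not in POLICY or value is None:
            out[column] = value  # non-sensitive column or NULL: pass through
        else:
            out[column] = MASKS[rule_for(column, roles)](str(value))
    return out

if __name__ == "__main__":
    # Constructed sample row and claims.
    row = {"user_id": 7, "email": "ana@example.com", "phone": "+15550100123"}
    analyst = {"realm_access": {"roles": ["analyst"]}}
    print(mask_row(row, roles_from_claims(analyst)))
```

Because the fallback is `nullify`, adding a new sensitive column to the policy hides it from every role until one is explicitly granted a rule.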
This approach solves two problems at once: compliance and trust. You meet data protection requirements without slowing down your teams. You keep sensitive details hidden, but your reports stay accurate and useful. The days of managing endless view definitions or duplicating datasets for different groups are over.
The real power is in auditability. Every access attempt is logged. Every masking rule can be updated centrally. You don’t have to trust that people will follow policy — the system enforces it by design.
Setting it up doesn’t have to be slow. With the right tools, you can connect BigQuery data masking with Keycloak in minutes, not days. You can see exactly how it works on a live system, with full role-based masking in place from the first query.
See it working, with your own eyes, in minutes at hoop.dev — and make your data both fast and safe.