Putting access controls around ChatGPT: production access for AI coding agents (on BigQuery)

How can you let a ChatGPT‑driven coding agent run queries against a production BigQuery warehouse while maintaining strict production access controls, without exposing credentials or losing visibility?

Today many teams hand a service account key to an AI worker and point it straight at the data lake. The key lives in the container image, the CI pipeline, or even a shared secrets manager. The agent can issue any SELECT, UPDATE or DELETE it wants, and there is no record of who asked for what, no way to block a dangerous DDL command, and no protection for personally identifiable information that might appear in query results.

What you really need is a production access control that still lets the AI write code, but forces every request to pass through a gate where identity, intent and data protection are verified. The gap remains: even if you federate the AI identity through OIDC, the request still travels directly to BigQuery. There is no inline approval step, no masking of sensitive columns, and no immutable audit trail of the session.

To close that gap you must place a Layer 7 gateway between the AI agent and the database. The gateway becomes the only place where policy can be enforced, and it can provide just‑in‑time (JIT) approval, real‑time column masking, command‑level blocking, and full session recording. The rest of the architecture, identity providers, service‑account provisioning, and network placement, remains unchanged.

Setup: identity and least‑privilege provisioning

The first step is to define a non‑human identity for the ChatGPT coding agent. Most organizations use an OIDC provider such as Okta, Azure AD or Google Workspace to issue short‑lived tokens. The token carries the agent’s group membership (for example, ai‑coding‑agents) and any custom claims that describe the intended environment (production vs. development).

Because the gateway never trusts a static credential, you can assign the service account only the BigQuery roles required for the specific workload, such as bigquery.dataViewer on the target dataset. The identity provider decides whether the token is valid; it does not enforce data‑plane policies. This separation ensures that a compromised token cannot be reused to bypass the gate.

The data path: why the gateway is the only enforcement point

When the AI agent initiates a query, the request is routed to the gateway instead of directly to BigQuery. The gateway terminates the protocol, inspects the SQL payload, and applies the policies you have defined. Because all traffic flows through this single point, you can guarantee that every command is subject to the same checks.

At this stage, hoop.dev becomes the enforcement engine. It reads the identity token, matches the agent’s group to a policy, and decides whether the request can proceed, needs human approval, or must be rejected outright. The gateway also knows the target resource (the BigQuery project and dataset) and can enforce resource‑level scoping.

Enforcement outcomes delivered by hoop.dev

• Just‑in‑time approval: If a query touches a production table flagged as high‑risk, hoop.dev pauses execution and creates an approval request. An authorized engineer can approve or deny the request from a web UI before any data is read.
• Inline data masking: When the result set contains columns marked as sensitive (PII, credit‑card numbers, etc.), hoop.dev redacts or tokenizes those fields on the fly, ensuring the AI never sees raw values.
• Command‑level blocking: Dangerous statements such as DROP TABLE or DELETE FROM … WHERE true are identified and blocked before they reach BigQuery.
• Session recording and replay: Every query, response and approval decision is captured. The recorded session can be replayed for forensic analysis or compliance audits.

All of these outcomes exist only because hoop.dev sits in the data path. If you removed the gateway, the AI would again have unfettered, unrecorded access.

Putting it together for ChatGPT on BigQuery

1. Register a new connection in the gateway that points to your BigQuery project. The connection stores the service‑account credential; the AI never sees it.

2. Define a policy that applies to the ai‑coding‑agents group. The policy should require JIT approval for any query that references production datasets, enable masking for columns marked as sensitive, and block DDL statements.

3. Deploy the gateway using the getting‑started guide. The deployment runs the gateway and the network‑resident agent near your BigQuery endpoint.

4. Configure the ChatGPT coding agent to obtain an OIDC token from your identity provider and use the standard BigQuery client libraries. The client will automatically route traffic through the gateway because the endpoint URL points to the gateway’s address.

From the AI’s perspective nothing changes – it still calls the BigQuery API – but every request is now subject to production access controls enforced by hoop.dev.

Why this model beats ad‑hoc secrets management

Traditional secret‑injection approaches give the AI a credential that can be copied, leaked or reused. They also leave you without a reliable audit trail. By moving the credential into the gateway, you achieve three core security goals:

• Zero‑knowledge credential handling: The AI never sees the private key or token, eliminating the risk of exfiltration.
• Policy as code at the wire level: All enforcement happens on the protocol, not in application code, which means you cannot accidentally bypass it by changing the client.
• Evidence for compliance: Recorded sessions, approval logs and masked outputs provide the artifacts auditors expect for production‑access reviews.

Getting started

All of the concepts described here are implemented in hoop.dev. The open‑source repository contains the Docker Compose quick‑start, Helm charts for Kubernetes, and detailed documentation on defining policies, masking rules and approval workflows. Follow the getting‑started guide to spin up a gateway in a test environment, then adapt the policy examples from the learn section to match your production requirements.

When you are ready to contribute or customize the gateway, the full source is available on GitHub.

Explore the hoop.dev repository to see the code, raise issues, or submit pull requests.

FAQ

Does hoop.dev store my BigQuery credentials?

No. The gateway holds the credential only in memory for the duration of a session. The AI agent never receives the secret.

Can I use hoop.dev with other AI models besides ChatGPT?

Yes. Any service that can obtain an OIDC token and speak the target protocol (SQL over HTTP, gRPC, etc.) can be placed behind the gateway.

How does masking affect query performance?

Masking is applied as the result set streams back to the client. The overhead is minimal and scales with the size of the rows being redacted.