I have a desktop application running on Windows 11 that uses a service account to upload data continuously (a few Mbits per second) to Google BigQuery using the default stream of the storage write API. I want the upload to continue unattended for long periods (at least a few weeks) without needing to re-authenticate through user interaction.
What is the most secure way to ensure the upload can continue indefinitely without needing to use a private key to authenticate?
I can authenticate initially using Application Default Credentials (obtained via the Google gcloud CLI, using my google account credentials to login) and set the upload going, but after around 16 hours the uploading stops as it needs re-authentication. I think this is due to the Reauthentication policy in the Google Cloud session control of my Google account - this is set to Require reauthentication with a (recommended) period of 16 hours, I don’t want to change this for every app.
If I use a private key to authenticate, this behaviour doesn’t happen, the upload can continue indefinitely without needing reauthentication. However, I want to avoid using a private key if possible.
I have considered configuring a consent screen (https://developers.google.com/workspace/guides/configure-oauth-consent) for the app using Google Cloud APIs and services and create an outh client ID and secret associated with it and get the application default credentials using this client ID and secret. I could then make it a trusted app that doesn’t have to re-authenticate by ticking the “Exempt trusted apps” option in Google Cloud session control of my Google account. However, I also want to limit access to only the project associated with the service account, so I’m not sure if creating an outh client ID and secret for the app instead of using the service account is the right way to go and it seems that I have to open up access to more than I want.