Skip to content

Google authentication

Jump to bottom
dbeaver-devops edited this page Apr 14, 2026 · 20 revisions

Note: This feature is available in Enterprise and AWS editions only.

Table of contents

Google OAuth 2.0 is an open standard for access delegation. It lets users log in to CloudBeaver using their Google account and enables single sign-on (SSO).

For details, see the Google Identity documentation.

Prerequisites

Make sure you have:

  • A Google account with access to Google Cloud Console.
  • An OAuth 2.0 application configured in Google Cloud.

Configuration steps

Enable Google authentication

  1. As an administrator, go to Settings -> Server Configuration
  2. Find and activate the Google option in the Configuration section.

Tip: For more information on Server Configuration, see Server configuration administration.

Note: To use cloud-hosted databases or Google Cloud Storage, also enable the Cloud (Google) and Cloud Storage checkboxes.

Add an identity provider

  1. As an administrator, navigate to Settings -> Identity Providers

  2. Click + Add

  3. Fill in the following fields:

    Field Description
    Provider type Select Google from the dropdown menu.
    ID Enter a unique identifier for this configuration.
    Configuration name Enter a descriptive name for this configuration.
    Description (Optional) Provide a brief description of this identity provider.
    Icon URL (Optional) Enter the URL of an icon to represent this provider in the UI.
    Disabled (Optional) Leave unchecked to enable this identity provider.
    Client ID Enter the client ID from your Google OAuth 2.0 application.
    Client secret Enter the client secret from your Google OAuth 2.0 application.
    Add custom scopes (Optional) Enable to specify additional OAuth scopes. Required for Google Cloud integration.
    Read user info (Optional) Retrieves user profile data using the userinfo endpoint.
    Custom scopes (Optional) Additional OAuth scopes. Use ; as a delimiter. Required for Google Cloud integration. See supported scopes
    Name of an AWS role claim (Optional) The name of the AWS role claim used for AWS authorization.

  4. Copy the redirect link:

    1. Copy the Redirect link.
    2. Add it to your Google OAuth 2.0 application. For instructions, see Set a redirect URI.

Login

  1. Once configuration is complete, go to the login screen.
  2. Select the Federated authentication method labeled with the Configuration name you specified.
  3. Log in with your Google account to verify the integration works.

Tip: Once configured, users can access GCP databases and Google Cloud Storage without additional credentials. For more details, see Pass-through authentication.

Configure Google Cloud scopes

To enable Google Cloud integration:

  1. Enable the Add custom scopes checkbox.

  2. Add the following scopes, separated by ;:

       https://www.googleapis.com/auth/spanner.admin;https://www.googleapis.com/auth/bigquery;https://www.googleapis.com/auth/cloud-platform;https://www.googleapis.com/auth/devstorage.full_control
    Scope Description
    spanner.admin Manage Spanner databases.
    bigquery View and manage data in Google BigQuery.
    cloud-platform Access GCP and read the list of available databases.
    devstorage.full_control Manage BigQuery data in Google Cloud Storage.

    Note: cloud-platform and devstorage.full_control are restricted scopes in Google's OAuth sensitivity model. Using them may require your Google Cloud project to go through Google's verification process before they work in production. For details, see Google's OAuth API verification FAQ.

  3. Save the configuration and re-login to apply the new scopes.

  4. Verify the integration:

    • Open Cloud Explorer in the connection creation menu - you should see your GCP project and its databases.
    • Open Cloud Storage - you should see your Cloud Storage buckets.

CloudBeaver - Web Database Manager

CloudBeaver Documentation

Clone this wiki locally