I have followed the instructions in https://developers.google.com/bigquery/authorization#service-accounts-appengine to make some queries from app engine to bigquery.

In the step 2, I click on Team in Google Api Console and it redirects to App Engine > Administration > Permissions. I add the service account name as Email and as a role I select developer (the option "can edit" is not available), and then click "Invite user". After that, appears a message: "An email was sent to [email protected] for verification." and the status is Pending. How I could confirm the email?, seems there is a bug here...

Next, I made a test using the following code:

#!/usr/bin/env python
import httplib2
import webapp2
from google.appengine.api import memcache
from apiclient.discovery import build
from google.appengine.ext import webapp
from google.appengine.ext.webapp.util import run_wsgi_app
from oauth2client.appengine import AppAssertionCredentials 

# BigQuery API Settings
PROJECT_NUMBER        = 'XXXXXXXX' 

credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/bigquery')
http        = credentials.authorize(httplib2.Http(memcache))
service     = build("bigquery", "v2", http=http)

class MainHandler(webapp2.RequestHandler):
    def get(self):
        query     = {'query':'SELECT word,count(word) AS count FROM publicdata:samples.shakespeare GROUP BY word;',
                     'timeoutMs':10000}
        jobRunner = service.jobs()
        reply     = jobRunner.query(projectId=PROJECT_NUMBER,body=query).execute()
        self.response.out.write(reply)

app = webapp2.WSGIApplication([
    ('/', MainHandler)
], debug=True)

And the reply was (running from google):

HttpError: <HttpError 403 when requesting https://www.googleapis.com/bigquery/v2/projects/XXXXXXXX/queries?alt=json returned "Access Denied: Job YYYYYYYY:job_e57bdde0144c495dbc864ccbfb82b704: RUN_QUERY_JOB">

If I test from localhost, the answer is:

HttpError: <HttpError 401 when requesting https://www.googleapis.com/bigquery/v2/projects/XXXXXXXX/queries?alt=json returned "Invalid Credentials">

Someone could help me? :-)

You can add the [email protected] to the project at http://cloud.google.com/console.

Expect this to be easier/ more straightforward soon!

Step by step, by @Christian:

1. Go to App Engine Dashboard of your application, click on Application Settings and copy the service account name ([email protected])
2. Go to http://cloud.google.com/console
3. Select your project
4. Click on gear icon and select Teams
5. Click on Add member
6. Paste the service account name and select can edit permission, then click on add.
7. Have fun!

Actually there are two areas from where you can add an account. If you go with old console code.google.com/api/console it would take you to your appengine.google.com dashboard i.e "Way-1" which actually has some problem of asking "Verification". The new https://cloud.google.com/console has solved this problem.

• [Way-1] *Problemtic* hit http://appengine.google.com ==> your_app_name> ==> Permissions

• [Way-2] *Works* hit http://cloud.google.com/console ==> Click your_app_name ==> Click Permissions on Left Pane ==> Click Add Member Button and add i.e [email protected] with "Can Edit" rights

"If you already have added your account via Way-1 Follow below method"

"Way-1" seems to have some problem due to this your account will keep showing "Pending Status". If somehow you have added the account via Way-1 and try to follow "Way-2" afterwards you would keep seeing the same status at way-2 link. For it you'll have to delete that user with "delete icon" which appears on mouse hover. Delete the account from there and add [email protected] with "Can Edit" permission.