googledatalab / pydatalab

Google Datalab Library
Apache License 2.0

OAuth credentials not retained in GCP Cloud DataLab #725

Open jakebiesinger-onduo opened 4 years ago

jakebiesinger-onduo commented 4 years ago

In our org, for audit purposes data access must be associated with a human when it is not part of an automated process. While end-user creds work fine for some magics, the DataLab magics seem to reject these credentials and fall back on service account creds.

Using pydata-google-auth, within a GCP DataLab instance, I can replace non-Datalab magics with OAuth credentials:

!pip install --upgrade "six>=1.13.0" pydata-google-auth google-cloud-bigquery[pandas]
import pydata_google_auth
credentials = pydata_google_auth.get_user_credentials(
    ['https://www.googleapis.com/auth/cloud-platform'],
)
from google.cloud import bigquery
client = bigquery.Client(project='some-project', credentials=credentials)
%load_ext google.cloud.bigquery 
from google.cloud.bigquery import magics
magics.context.credentials = credentials

Yay, now my credentials are working for normal magics!

%%bigquery
SELECT * FROM `my-project.foo.bar`

But replacing the datalab Context credentials doesn't stick:

from google.datalab import Context
context = Context.default() 
context.set_credentials(credentials)
print(context.credentials)  # --> google.oauth2.credentials.Credentials
%bq execute --query num_records

--> Access denied to service account

And the default credentials have been replaced back with service account creds:

print(context.credentials) # -->  google.auth.compute_engine.credentials.Credentials

I understand that datalab expects service account credentials. Are user credentials completely unsupported?
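The following is an added example, not part of the original post and not pydatalab code: a fail-closed guard that re-reads the active credentials before and after a block of work, so the silent switch from user OAuth credentials back to service-account credentials described above raises an error instead of passing unnoticed. The names `credential_kind`, `require_user_identity` and `NonUserCredentialsError` are hypothetical; the class paths are the ones printed in the post, plus `google.oauth2.service_account.Credentials` for key-file service accounts.

```python
# Added example (not pydatalab code): fail closed unless end-user OAuth
# credentials are active. Matching is by fully qualified class name, so the
# check needs no Google imports; subclasses and unknown types are rejected.
from contextlib import contextmanager

USER_TYPES = {"google.oauth2.credentials.Credentials"}
SERVICE_TYPES = {
    "google.auth.compute_engine.credentials.Credentials",
    "google.oauth2.service_account.Credentials",
}


class NonUserCredentialsError(RuntimeError):
    """Raised when the active credentials are not end-user OAuth credentials."""


def credential_kind(creds):
    """Classify a credentials object as 'user', 'service_account' or 'unknown'."""
    cls = type(creds)
    path = f"{cls.__module__}.{cls.__qualname__}"
    if path in USER_TYPES:
        return "user"
    if path in SERVICE_TYPES:
        return "service_account"
    return "unknown"  # treated as non-user by the guard below


@contextmanager
def require_user_identity(get_credentials):
    """Check credentials on entry and again on exit of the guarded block.

    get_credentials is a zero-argument callable (hypothetical hook), for
    example: lambda: Context.default().credentials. It is called each time
    so that a replacement made during the block is seen. If the block itself
    raises, that exception propagates and the exit check is skipped.
    """
    before = credential_kind(get_credentials())
    if before != "user":
        raise NonUserCredentialsError(f"refusing to run: credentials are {before}")
    yield
    after = credential_kind(get_credentials())
    if after != "user":
        raise NonUserCredentialsError(f"credentials changed to {after} during the block")
```

The exit check detects the swap after the fact; it does not stop a request that was already sent under the service account, so the audit trail for that call still needs review.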