Using a Google Cloud Service Account with Analytics Canvas
The recommended method for accessing Google BigQuery and Google Cloud Storage within applications is to use a Google Cloud Service Account, which belongs to an application rather to an individual user. This article shows you how to access your Google Cloud Platform services using your Service Account for Analytics Canvas. With this access, you can query your GA4 Property and any other Projects that you authorize.
Accessing BigQuery with Analytics Canvas Online
To access your data in BigQuery, you must grant permission to the service account for your Analytics Canvas subscription.
You can limit access to specific Datasets or even specific tables within a BigQuery Project, and you can provide either Read-Only or Read/Write access to Datasets and Tables.
The steps outlined below show you how to permit a single Dataset or Table. You can either repeat the steps for each Dataset and Table you wish to access, or you can grant full permissions to the Service Account at the Project level in the IAM section of the Google Cloud Console.
To start with access to a Dataset or Table, follow the steps below:
- In Analytics Canvas Online, find the Service Account under Admin > Access your own BigQuery and copy it.
- Go to BigQuery and select either the Dataset or Table you wish to have access to in Analytics Canvas, then click Sharing and select Permissions.
- Add the Analytics Canvas Service account and assign it a Role.
- BigQuery Data Viewer is the lowest level of access that only allows users to Read from the Dataset or Table.
- BigQuery Data Editor is the minimum permission required to Write into a BigQuery Dataset or Table
- Go to https://console.cloud.google.com and login, then select the Project that contains the Dataset or Table you'd like to view in Canvas.
- From the menu on the left, go to IAM & Admin > IAM.
- On the IAM page, click +Grant Access
- Under New Principals, paste the service account address that was copied in step 1.
- Under Role, select the role that you require. BigQuery Read Session User is the lowest level of access required that allows you to see the Project, Dataset, and Tables in Analytics Canvas.
** To grant access to an entire Project instead of at the Dataset and Table level, set the role as BigQuery Data Editor at the Project level.
No additional steps are required. Once you have provided the appropriate access to the Service Account for your subscription, it just takes a few minutes before you can access your BigQuery account to both read and write data using Analytics Canvas Online.
In Analytics Canvas, if you authorized a dataset that is linked to a GA4 Property, you will see the property under both the Google Analytics connector for GA4 BigQuery, where you can use a wizard to generate the SQL for your query, and under the BigQuery SQL connector where you can write your own SQL.
If you run into any issues at all, please contact email@example.com.
Troubleshooting if you can't connect
Certain APIs must be authorized with your Google Cloud Platform Project before you can create a Service Account and use it to access BigQuery or Google Cloud Storage.
In order to continue, you will need access to the Google Cloud Console for your organization, and the specific Project or Projects that you will be working on. Specifically, you will need the ability to create Service Accounts and grant access to Google BigQuery and Google Cloud Storage. If you do not have access, share this article with someone who does.
- To see and display your projects and the permissions associated with your Service Account, enable the Cloud Resource Manager API
- If you will be connecting to BigQuery, the BigQuery API must be enabled
- If you will be connecting to Cloud Storage, you must enable the Cloud Storage API
- You will need to know the name and ID of the Project(s) that contain the data you wish to access.
- Make sure your Canvas is in the same BigQuery Region as the dataset you are trying to access. Find the region of your dataset within the BigQuery console by clicking on the dataset and reviewing the Dataset Info
In Canvas, create a region, then create a canvas within that region.
Once you have enabled the APIs above and verified the regions, repeat the steps above.