Using a Google Cloud Service Account with Analytics Canvas
The Analytics Canvas platform is available through Desktop, Server, and Online (browser based) modes and you may use one or more of these modes to access BigQuery and Google Cloud Storage.
The recommended method for accessing Google BigQuery and Google Cloud Storage within applications is to use a Google Cloud Service Account, which belongs to an application rather to an individual user.
This article shows you how to generate or find your Service Account and how to provide access to your Google Cloud Platform services.
If you are using only On-Premise (Desktop + Server), find the instructions here. See below for instructions using Analytics Canvas Online.
You may need to enable certain Google Cloud services before you can connect. If you run into difficulty, review the "Troubleshooting" section of this article.
Accessing BigQuery with Analytics Canvas Online
To access your own BigQuery account, you must grant permission to the service account for your Analytics Canvas subscription.
- In Analytics Canvas Online, find the Service Account under Admin > Access your own BigQuery and copy it.
- Go to https://console.cloud.google.com and login. From the menu on the left, go to IAM & Admin > IAM and click +ADD
- Under New Members, paste the service account address that was copied in step 1.
- Add the following three roles: BigQuery Job User, BigQuery Data Editor, and Storage Admin, then click SAVE.
No additional steps are required. Once you have provided the appropriate access to the Service Account for your subscription, it just takes a few minutes before you can access your BigQuery account to both read and write data using Analytics Canvas Online.
If you run into any issues at all, please contact email@example.com.
Generating a Service Account for Analytics Canvas Desktop + Server
Following this process you will create an account and a file that contains credentials to access your Google Cloud services. The credentials will be stored on your machine, within your instance of Analytics Canvas. The credentials are not accessible by anyone else within your organization or outside of it.
You may share the credentials with users within your organization or with your agency. The credentials only need to be created once, however each user will need to apply the credentials to their own instance of Analytics Canvas.
To use a Service Account with Analytics Canvas Desktop or Analytics Canvas Server, the service account must be created in your Google Cloud IAM console.
Creating a Google Cloud Platform Service Account
- In the Google Cloud Platform console, navigate to IAM & admin > Service accounts
- Select the Project that contains the datasets and / or storage buckets you wish to access. If you need to access more than 1 project, complete this step first, then add the service account to additional projects as shown later in this document.
Under Service Accounts, select "+ CREATE SERVICE ACCOUNT"
- Provide a name and description, then click CREATE
- The Service Account needs permission to access data in your Project. We recommend the following which can be easily found using the search filter:
- BigQuery Data Editor - this allows users to read and write data to tables within datasets.
- BigQuery Job User - this allows users to run jobs, such as loading, exporting, querying, and copying data.
- Storage Admin - this allows users to read and write data to storage buckets within the project.
Click CONTINUE once you've selected the appropriate roles, then click DONE.
- A key file is a convenient way to import your service account credentials into Analytics Canvas Desktop or Server. In the Navigation Menu, go back to IAM & Admin > Service Accounts. Under the Actions column, click the three dots next to the service account that was just created, then click Create Key.
You will see a warning message when you create a key reminding you to store it securely.
Adding the Service Account to additional projects (optional):
- If you have additional projects that you would like the Service Account to access:
- Copy the email address of the Service Account
- In Cloud Console, select the Project you wish to add the account
- Go to IAM, then click “+ADD”
- Select the roles you want the Service Account to have under that project (BigQuery Job User, BigQuery Data Editor, and Storage Admin)
- Repeat steps a. through d. for each Project you wish to access with Analytics Canvas
Authorizing Analytics Canvas Desktop + Server to use your Service Account
- In Analytics Canvas, navigate to Accounts > Authorize New Account > Google Cloud Platform.
- Click Import Key JSON File and navigate to the JSON key that was saved to your machine.
- If the last line in the text box does not say “Service Account Valid”, wait 60 seconds and click Verify to have Canvas test the account to ensure it has appropriate permissions to access your data. Once it is valid, click “Create Credential"
Once the credential is created, you will be able to use the services you authorized (BigQuery and / or Cloud Storage). If you run into any issues at all, please contact firstname.lastname@example.org.
Troubleshooting if you can't connect
Regardless of which mode you use, certain APIs must be authorized with your Google Cloud Platform Project before you can create a Service Account and use it to access BigQuery or Google Cloud Storage.
In order to continue, you will need access to the Google Cloud Console for your organization, and the specific Project or Projects that you will be working on. Specifically, you will need the ability to create Service Accounts and grant access to Google BigQuery and Google Cloud Storage. If you do not have access, share this article with someone who does.
- To see and display your projects and the permissions associated with your Service Account, enable the Cloud Resource Manager API
- If you will be connecting to BigQuery, the BigQuery API must be enabled
- If you will be connecting to Cloud Storage, you must enable the Cloud Storage API
- You will need to know the name and ID of the Project(s) that contain the data you wish to access.
Once you have enabled the APIs above, repeat the steps above under Online or Desktop/Server to connect to your Google Cloud services.