Using a Google Cloud Service Account with Analytics Canvas
The recommended method for accessing Google BigQuery and Google Cloud Storage within applications is to use a Google Cloud Service Account, which belongs to an application rather than to an individual user.
This article shows you how to generate your Service Account and provide access to your Google Cloud Platform services within Analytics Canvas.
By following this process, you will create an account and a file that contains credentials to access your Google Cloud services. The credentials will be stored on your machine, within your instance of Analytics Canvas. The credentials are not accessible to anyone else, whether inside or outside your organization.
You may share the credentials with users within your organization or with your agency. The credentials only need to be created once; however, each user will need to apply the credentials to their own instance of Analytics Canvas.
Before You Begin
The Analytics Canvas platform is available through Desktop, Server, and Online (browser based) modes and you may use one or more of these modes to access BigQuery and Google Cloud Storage. If you are using only On-Premise (Desktop + Server) OR Online, follow the headings that are relevant for the service you are using.
Certain APIs must be authorized with your Google Cloud Platform Project before you can create a Service Account and use it to access BigQuery or Google Cloud Storage.
In order to continue, you will need access to the Google Cloud Console for your organization, and the specific Project or Projects that you will be working on. Specifically, you will need the ability to create Service Accounts and grant access to Google BigQuery and Google Cloud Storage. If you do not have access, share this article with someone who does.
- To see and display your projects and the permissions associated with your Service Account, the Cloud Resource Manager API must be enabled
- If you will be connecting to BigQuery, the BigQuery API must be enabled
- If you will be connecting to Cloud Storage, you must enable the Cloud Storage API
- You will need to know the name and ID of the Project(s) that contain the data you wish to access.
Once you have enabled the APIs above and noted the project info, you can proceed with the next steps.
Generating a Service Account for Analytics Canvas Desktop + Server
To use a Service Account with Analytics Canvas Desktop or Analytics Canvas Server, the service account must be created in your Google Cloud IAM console.
Creating a Google Cloud Platform Service Account
- In the Google Cloud Platform console, navigate to IAM & admin > Service accounts
- Select the Project that contains the datasets and / or storage buckets you wish to access. If you need to access more than 1 project, complete this step first, then add the service account to additional projects as shown later in this document.
- Under Service Accounts, select "+ CREATE SERVICE ACCOUNT"
- Provide a name and description, then click CREATE
Getting a Service Account for Analytics Canvas Online
To use the Analytics Canvas BigQuery account, you must authorize the Service Account created for your subscription.
Find the Service Account under Admin > Access your own BigQuery
Setting Permissions for a Google Cloud Platform Service Account
Now that you have a Service Account, it must be given permission to perform certain tasks on the Google Cloud Platform. The following steps apply to both the Online and Desktop Editions.
- The Service Account needs permission to access data in your Project. Go to the Google Cloud Platform > IAM & Admin > IAM, then next to the service account created, select the Edit icon.
- BigQuery Data Editor - this allows users to read and write data to tables within datasets.
- BigQuery Job User - this allows users to run jobs, such as loading, exporting, querying, and copying data.
- Storage Admin - this allows users to read and write data to storage buckets within the project.
Click CONTINUE once you've selected the appropriate roles.
- A key file is a convenient way to import your settings into Analytics Canvas Desktop or Server. Create a key of type JSON, then click DONE.
You will see a warning message when you create a key - Canvas will store it securely on your machine.
Adding the Service Account to additional projects (optional):
- If you have additional Projects that you would like the Service Account to access:
a. Copy the email address of the Service Account
b. In Cloud Console, select the Project to which you wish to add the account
c. Go to IAM, then click “+ADD”
d. Select the roles you want the Service Account to have under that project (BigQuery Job User, BigQuery Data Editor, and Storage Admin)
- Repeat steps a. through d. for each Project you wish to access with Analytics Canvas
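The role assignments described under Setting Permissions, and their repetition for each additional Project, can be checked against exported IAM policies. The following is an added example, not part of the original article or of Analytics Canvas: it assumes each project's policy has been exported as JSON (for instance with `gcloud projects get-iam-policy PROJECT_ID --format=json`), uses the role IDs that correspond to the three role names above, and runs on a constructed service account email and constructed project IDs.

```python
# Role IDs for the display names used in this article: BigQuery Data Editor,
# BigQuery Job User, Storage Admin.
EXPECTED_ROLES = {
    "roles/bigquery.dataEditor",
    "roles/bigquery.jobUser",
    "roles/storage.admin",
}


def roles_for_member(policy, sa_email):
    """Return every role bound to the service account in one project policy."""
    member = f"serviceAccount:{sa_email}"
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit(policies, sa_email):
    """Map each project ID to the roles that are missing or unexpected."""
    report = {}
    for project_id, policy in policies.items():
        granted = roles_for_member(policy, sa_email)
        report[project_id] = {
            "missing": sorted(EXPECTED_ROLES - granted),
            "unexpected": sorted(granted - EXPECTED_ROLES),
        }
    return report


# Constructed sample input: hypothetical account, projects and policies.
SA = "canvas-access@example-project-a.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    "example-project-a": {"bindings": [
        {"role": "roles/bigquery.dataEditor",
         "members": [f"serviceAccount:{SA}", "user:analyst@example.com"]},
        {"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/storage.admin", "members": [f"serviceAccount:{SA}"]},
    ]},
    "example-project-b": {"bindings": [
        {"role": "roles/bigquery.dataEditor", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
    ]},
}

if __name__ == "__main__":
    for project_id, result in audit(SAMPLE_POLICIES, SA).items():
        print(project_id, result)
```

A project with an empty "missing" list has the three roles in place; anything under "unexpected" is a grant beyond what this article asks for and is worth reviewing.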
Authorizing Analytics Canvas Online to use your Service Account
No additional steps are required. Once you have provided the appropriate access to the Service Account for your subscription, it just takes a few minutes before you can access your BigQuery account to both read and write data.
Authorizing Analytics Canvas Desktop + Server to use your Service Account
- In Analytics Canvas, navigate to Accounts > Authorize New Account > Google Cloud Platform.
- Import your private key (JSON file)
- If the last line in the text box does not say “Service Account Valid”, wait 60 seconds and click Verify to have Canvas test the account to ensure it has appropriate permissions to access your data. Once it is valid, click “Create Credential”.
Once the credential is created, you can use the services you authorized (BigQuery and / or Cloud Storage). If you run into any issues at all, please contact firstname.lastname@example.org.