Using a Google Cloud Service Account with Analytics Canvas
The recommended method for accessing Google BigQuery and Google Cloud Storage within applications is to use a Google Cloud Service Account, which belongs to an application rather than to an individual user.
This article shows you how to generate your Service Account and provide access to your Google Cloud Platform services within Analytics Canvas.
Following this process, you will create an account and a file that contains credentials to access your Google Cloud services. The credentials will be stored on your machine, within your instance of Analytics Canvas. The credentials are not accessible to anyone else, inside or outside your organization.
You may share the credentials with users within your organization or with your agency. The credentials only need to be created once; however, each user will need to apply the credentials to their own instance of Analytics Canvas.
Before You Begin
Certain APIs must be authorized with your Google Cloud Platform account before you can create a Service Account and use it to access BigQuery or Google Cloud Storage.
In order to continue, you will need access to the Google Cloud Console for your organization, including the ability to create Service Accounts and grant access to Google BigQuery and Google Cloud Storage. If you do not have access, share this article with someone who does.
- To see and display your projects and the permissions associated with your Service Account, the Cloud Resource Manager API must be enabled
- If you will be connecting to BigQuery, the BigQuery API must be enabled
- If you will be connecting to Cloud Storage, you must enable the Cloud Storage API
- You will need to know the name and ID of the Project(s) that contain the data you wish to access.
Once you have enabled the APIs above and noted the project info, you can proceed with the next steps.
Creating a Google Cloud Platform Service Account
- In the Google Cloud Platform console, navigate to IAM & admin > Service accounts
- Select the Project that contains the datasets and / or storage buckets you wish to access. If you need to access more than 1 project, complete this step first, then add the service account to additional projects as shown later in this document.
- Under Service Accounts, select "+ CREATE SERVICE ACCOUNT"
- Provide a name and description, then click CREATE
- The Service Account needs permission to access data in your Project. Under Roles (found in the IAM & admin menu on the left), create the appropriate permissions for your use of Analytics Canvas. We recommend the following:
  - BigQuery Data Editor - this allows users to read and write data to tables within datasets.
  - BigQuery Job User - this allows users to run jobs, such as loading, exporting, querying, and copying data.
  - Storage Admin - this allows users to read and write data to storage buckets within the project.

  Click CONTINUE once you've selected the appropriate roles.
- A key file is a convenient way to import your settings into Analytics Canvas. Create a key of type JSON, then click DONE.
You will see a warning message when you create a key - Canvas will store it securely on your machine.
Adding the Service Account to additional projects (optional):
- If you have additional projects that you would like the Service Account to access:
  a. Copy the email address of the Service Account
  b. In Cloud Console, select the Project to which you wish to add the account
  c. Go to IAM, then click “+ADD”
  d. Select the roles you want the Service Account to have under that project (BigQuery Job User, BigQuery Data Editor, and Storage Admin)
  e. Repeat steps a. through d. for each Project you wish to access with Analytics Canvas
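To confirm that each project grants the Service Account the roles recommended above and nothing broader, the following added example (not part of Analytics Canvas or of the original article) reads the account's email from the JSON key file and compares it against a project's IAM policy. It assumes the policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the function names, the sample key and the sample policy are constructed for illustration.

```python
import json

# Roles this article recommends for the Service Account (IAM role IDs).
RECOMMENDED = {
    "roles/bigquery.dataEditor",  # BigQuery Data Editor
    "roles/bigquery.jobUser",     # BigQuery Job User
    "roles/storage.admin",        # Storage Admin
}
KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}


def service_account_email(key_json: str) -> str:
    """Return client_email from a JSON key file, rejecting other credential types."""
    key = json.loads(key_json)
    missing = KEY_FIELDS - key.keys()
    if missing:
        raise ValueError(f"key file is missing fields: {sorted(missing)}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key: type={key['type']!r}")
    return key["client_email"]


def audit_roles(policy_json: str, email: str) -> dict:
    """Compare the roles bound to the account in one project with RECOMMENDED."""
    member = f"serviceAccount:{email}"
    granted = {
        b["role"]
        for b in json.loads(policy_json).get("bindings", [])
        if member in b.get("members", [])
    }
    return {
        "missing": sorted(RECOMMENDED - granted),  # recommended role not granted here
        "extra": sorted(granted - RECOMMENDED),    # access beyond the recommended set
    }


# Constructed sample data: a key file with a placeholder key and one project's policy.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000", "private_key": "PLACEHOLDER",
    "client_email": "canvas@example-project.iam.gserviceaccount.com"})
_SA = "serviceAccount:canvas@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/bigquery.dataEditor", "members": [_SA]},
    {"role": "roles/owner", "members": ["user:admin@example.com", _SA]}]})

if __name__ == "__main__":
    print(audit_roles(SAMPLE_POLICY, service_account_email(SAMPLE_KEY)))
```

Run the check once per project the Service Account was added to; an empty `missing` list and an empty `extra` list mean the project matches the role set described in this article.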
Authorizing Analytics Canvas to use your Service Account
- In Analytics Canvas, navigate to Accounts > Authorize New Account > Google Cloud Platform.
- Import your private key (JSON file)
- If the last line in the text box does not say “Service Account Valid”, wait 60 seconds and click Verify to have Canvas test the account to ensure it has appropriate permissions to access your data. Once it is valid, click “Create Credential”
Once the credential is created, you can use the services you authorized (BigQuery and / or Cloud Storage). If you run into any issues at all, please contact firstname.lastname@example.org.