Authentication :: Service Account (Using Private Key File) [OAuth]
Description
No description available
Instructions
Use these steps to authenticate as a service account rather than as a Google / GSuite user. Learn more about service accounts here. To call the Google API as a service account, we need to perform the steps listed in the 3 sections below (detailed steps are in the help link at the end).
Create Project
The first step is to create a Project so we can call the Google API. Skip this section if you already have a Project (go to the next section).
- Go to Google API Console
- From the Project Dropdown (usually found at the top bar) click Select Project
- On the Project popup click CREATE PROJECT
- Once the project is created you can click Select Project to switch the context (you can click on the Notification link or choose from the top dropdown)
- Click ENABLE APIS AND SERVICES
- Now we need to Enable two APIs one by one (BigQuery API and Cloud Resource Manager API).
- Search BigQuery API. Select and click ENABLE
- Search Cloud Resource Manager API. Select and click ENABLE
Create Service Account
Once the Project is created and the APIs are enabled, we can create a service account under that project. A service account has an ID that looks like an email address (not to be confused with a Google / Gmail email ID).
- Go to Create Service Account
- From the Project Dropdown (usually found at the top bar) click Select Project
- Enter Service account name and Service account description
- Click on Create. Now you should see an option to assign Service Account permissions (See Next Section).
Give Permission to Service Account
By default a service account can't access BigQuery data or list BigQuery Projects, so we need to grant that permission using the steps below.
- After you create the Service Account, look for the Permission drop down in the Wizard.
- Choose BigQuery -> BigQuery Admin role so we can read/write data. (NOTE: If you just need read only access then you can choose BigQuery Data Viewer)
- Now add one more role, Project -> Viewer, so we can query Project Ids.
- Click on Continue. Now you should see an option to Create Key (See Next Section).
Create Key (P12)
Once the service account is created and permission is assigned, we need to create a key file.
- In the Cloud Console, click the email address for the service account that you created.
- Click Keys.
- Click Add key, then click Create new key.
- Click Create and select P12 format. A P12 key file is downloaded to your computer. We will use this file in our API connection.
- Click Close.
- Now you may use downloaded *.p12 key file as secret file and Service Account Email as Client ID (e.g. some_name@some_name.iam.gserviceaccount.com).
Manage Permissions / Give Access to Other Projects
We saw how to add permissions for the Service Account in the Account Creation Wizard, but if you wish to edit them after it is created, or to give permission for other projects, perform the following steps.
- From the top, select the Project for which you would like to edit permissions.
- Go to IAM Menu option (here)
Link to IAM: https://console.cloud.google.com/iam-admin/iam
- Go to the Permissions tab. There you will find the ADD button.
- Enter the Service account email to which you would like to grant permission. Select the role you wish to assign.
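Added example (not part of the original page or the connector's own code): a small check that compares the roles bound to the service account in a project's IAM policy with the roles the steps above assign, so extra grants stand out. It assumes the policy was exported as JSON (for instance with `gcloud projects get-iam-policy PROJECT_ID --format=json`); the sample policy and the function names are constructed for illustration.

```python
import json
import sys

# Console role names used on this page and their IAM role IDs:
#   BigQuery Admin       -> roles/bigquery.admin
#   BigQuery Data Viewer -> roles/bigquery.dataViewer
#   Project -> Viewer    -> roles/viewer

SA = "some_name@some_name.iam.gserviceaccount.com"  # example email from this page

# Constructed sample policy (not real data); roles/owner is an extra grant.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/bigquery.admin", "members": ["serviceAccount:" + SA]},
        {"role": "roles/viewer",
         "members": ["user:analyst@example.com", "serviceAccount:" + SA]},
        {"role": "roles/owner", "members": ["serviceAccount:" + SA]},
    ],
}

def roles_for(policy, sa_email):
    """Return the set of roles bound to the service account in an IAM policy."""
    member = "serviceAccount:" + sa_email
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(policy, sa_email, read_only=False):
    """Compare granted roles with the roles this page's steps assign."""
    granted = roles_for(policy, sa_email)
    data_role = "roles/bigquery.dataViewer" if read_only else "roles/bigquery.admin"
    expected = {data_role, "roles/viewer"}
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected)}

if __name__ == "__main__":
    # Usage: script.py [policy.json sa_email [--read-only]]
    policy, email = SAMPLE_POLICY, SA
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
        email = sys.argv[2]
    result = audit(policy, email, read_only="--read-only" in sys.argv)
    print(json.dumps(result, indent=2))
    # A non-zero exit lets a scheduled job flag drift from the intended roles.
    sys.exit(1 if result["missing"] or result["unexpected"] else 0)
```

Run it per project when the same service account is granted access to several projects, since each project has its own policy.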
Parameters
Parameter | Label | Required | Options | Description | Help
---|---|---|---|---|---
ClientId | Service Account Email | YES | | |
PrivateKeyPath | P12 Service Account Private Key Path (i.e. *.p12) | YES | | |
Scope | Scope | NO | | |
ProjectId | ProjectId | YES | | |
DatasetId | DatasetId (Choose after ProjectId) | YES | | |
RetryMode | RetryMode | NO | | |
RetryStatusCodeList | RetryStatusCodeList | NO | | |
RetryCountMax | RetryCountMax | NO | | |
RetryMultiplyWaitTime | RetryMultiplyWaitTime | NO | | |
Location | Job Location | NO | | |