What is Google Clouds principle for granting access to users select the correct answer?

Create and configure a service account to access data on behalf of Looker Studio.

Note: 

• This article is intended for service account administrators. To learn how to use an existing service account in your data source, see Data credentials.
• Service account credentials are currently available only for BigQuery data sources.

Instead of delegating access using owner's credentials, or requiring individual report viewers to have access to the data using viewer's credentials, Looker Studio can use a service account to access data. A service account is a special type of Google account that is intended to represent a non-human user that can authenticate and be authorized to access data in Google APIs and products.

To use a service account with Looker Studio, you add your organization's Looker Studio service agent as a user (principal) on the account. This gives you control over which service accounts can be used with Looker Studio, while ensuring that the users in your organization can easily access the data they need.

Using a service account instead of an individual user's credentials provides these benefits:

• Data sources using service account credentials won't break if the creator leaves your company.
• Service account credentials support access to data located behind VPC Service Controls perimeters that use device policies.
• Automated features like scheduled email and scheduled data extracts work with data sources that are behind a VPC Service Controls perimeter.

Learn more about service accounts.

We recommend that you create new service accounts that are solely for use with Looker Studio. For example, you can create separate service accounts dedicated for marketing, sales, and engineering teams to use with Looker Studio.

In this article:

• Before you begin
• Setup instructions
• Provide the Looker Studio service account(s) to your Looker Studio users
• Edit a data source that uses service account credentials
• See who is using the service account to access data
• Errors
• Limits
• Related resources

Before you begin

• To set up a service account, you need to have Service Account Admin (roles/iam.serviceAccountAdmin) or Create Service Accounts (roles/iam.serviceAccountCreator) role on your Google Cloud project. Learn more about service account roles.
• To get the Looker Studio service agent, you must be a Workspace or Cloud Identity user.

Setup instructions

You only need to perform the instructions in this article once unless you want to create different service accounts for different teams or groups of users. To create multiple accounts, repeat these instructions for each additional account.

Get the Looker Studio service agent

To allow the service account to access your data, you'll need to provide the Looker Studio service agent for your organization. You can get the service agent from a help page in Looker Studio:

1. Navigate to the Looker Studio service agent help page.
2. Copy the service agent email address shown on that page.

Create a service account for Looker Studio

Instructions on creating a service account can be found in the Google Cloud IAM documentation. You can use either the Cloud console or the Cloud Shell command line to create the service account.

Use Cloud console

Step 1: Create a new service account

2. Select a project.

3. Enter a service account name to display in the Cloud console.

   The Cloud console generates a service account ID based on this name. Edit the ID now if necessary. You can't change the ID later.

4. Optional: Enter a description for the service account.

5. Click CREATE AND CONTINUE.
   

6. In step 2, Grant this service account access to project, grant the BigQuery Job User IAM role to the service account.
   
7. Click Continue.
8. In the Service account users role field, add the users who can use this service account to provide credentials for their data sources. If you're not ready to add users now, you can do so later by following the directions in Step 3: Grant user roles below.
9. Click DONE to save the service account and return to the service accounts list page for your project.

Step 2: Allow the Looker Studio service agent to access your service account

1. Return to the Cloud console service accounts list.
2. Select the Looker Studio service account that you just created by clicking it in the list.
3. At the top, click PERMISSIONS.
4. Click
   GRANT ACCESS.
5. On the right, in Add principals to , paste the Looker Studio service agent email (which you copied in step 1 above) into the New principals box.
6. Select a role that gives the service agent the iam.serviceAccount.getAccessToken permission. For example, you can use the Service Account Token Creator role, but you can also use any custom role that grants this permission.
7. Click SAVE.

Tip: Your service agent's address uses the format service-account@.iam.gserviceaccount.com. If you know your project ID, you can construct the address manually.

Step 3: Grant user roles

Note: This step is optional if you already added Looker Studio users while creating the service account, as described in step 1 above.

Looker Studio users who will create or edit data sources need to be granted a role that includes the iam.serviceAccounts.actAs permission, such as the Service Account User role (roles/iam.serviceAccountUser). You can grant this role on the project or on an individual service account, but we recommend that you grant the role on the service account only. For instructions, see Managing service account impersonation.

Tip: If you're not ready to complete this step, you can come back to it later.

Tip: We recommend that you do NOT grant non-service agent users the Service Account Token Creator role — it is not needed for Looker Studio.

Note: Users who will only view Looker Studio reports don't need to have permissions on the service account.

1. Navigate to the Cloud console service accounts list.
2. Select your Looker Studio service account by clicking it in the list.
3. At the top of the page, click PERMISSIONS.
4. Click
   GRANT ACCESS.
5. On the right, in Add principals and roles for , enter the email addresses of your users in the New principals box.
6. Select the Service Account User role.
7. Click SAVE.

Step 4: Enable the service account to access your BigQuery data

To allow Looker Studio to access your data, grant the BigQuery Data Viewer role to the service account at the table or dataset level.

Note: We don't recommend granting service account access at the project level.

To grant access to a table:

1. Navigate to the Cloud console service accounts list.
2. Copy the Looker Studio service account email address.
3. Navigate to BigQuery and open a project.
4. Expand a dataset by clicking .
5. Select a table.
6. In the toolbar, click
   SHARE.
7. In the panel that opens on the right, click
   ADD PRINCIPAL.
8. In the New principals box, paste the Looker Studio service account email address.
9. Select the BigQuery Data Viewer role.
10. Click SAVE.

To grant access to a dataset:

1. Navigate to the Cloud console service accounts list.
2. Copy your Looker Studio service account email address.
3. Navigate to BigQuery, open a project, then locate the dataset.
4. To the right of the dataset name, click View actions .
5. Click Open.
6. In the toolbar, click
   SHARING > Permissions.
7. In the panel that opens on the right, click
   ADD PRINCIPAL.
8. In the New principals box, paste the Looker Studio service account email address.
9. Select the BigQuery Data Viewer role.
10. Click SAVE.

Use Cloud Shell

Step 1: Create a new service account

Follow the general steps listed under gcloud in Creating and managing service accounts.

1. Open the Cloud Shell.
2. Select a project if necessary.
3. To create the service account, run the gcloud iam service-accounts create command. You can use whatever account name, description, and display-name you choose.

   
   Example:

   gcloud iam service-accounts create datastudio_service_account \
--description="Use for Looker Studio access to BigQuery" \
--display-name="DS_BQ"

1. To access BigQuery data on the Google Cloud project you want to use with Looker Studio, give the service account the bigquery.jobs.create permission. You can grant the BigQuery Job User IAM role to give this permission.

   In addition, give the service account bigquery.tables.getData and bigquery.tables.get permissions on the project or data set you want to use with Looker Studio. You can grant the BigQuery Data Viewer role (roles/bigquery.dataViewer) to give these permissions.

   To grant these roles, run the gcloud projects add-iam-policy-binding command. In the following examples, replace PROJECT_ID with your project ID.

   Example:

   gcloud projects add-iam-policy-binding PROJECT_ID \
--member = "serviceAccount:" \
--role="roles/bigquery.jobUser"

   gcloud projects add-iam-policy-binding PROJECT_ID \

   --member = "serviceAccount:" \
--role="roles/bigquery.dataViewer"

Step 2: Allow the Looker Studio service agent to access your service account

To allow the Looker Studio service agent to access data via the service account, grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the service agent. To do this, run the gcloud iam service-accounts add-iam-policy-binding command. In the following example, replace ORG_ID with your organization's ID.

Example:

gcloud iam service-accounts add-iam-policy-binding \ \ --member="" \ --role="roles/iam.serviceAccountTokenCreator"

Step 3: Grant user roles

Looker Studio users who will create or edit data sources need to be granted a role that includes the iam.serviceAccounts.actAs permission, such as the Service Account User role (roles/iam.serviceAccountUser). You can grant this role on the project or on an individual service account, but we recommend that you grant the role on the service account only. For instructions, see Managing service account impersonation.

If you're not ready to complete this step, you can come back to it later.

Tip: We recommend that you do NOT grant non-service agent users the Service Account Token Creator role — it is not needed for Looker Studio.

Note: Users who will only view Looker Studio reports don't need to have permissions on the service account.

To grant the Service Account User role, run the

command. In the following examples, replace PROJECT_ID with your project ID, and replace "

" with one or more valid email addresses (separate multiple entries with commas).

Example:

gcloud iam service-accounts add-iam-policy-binding \ \
--member="user:" \
--role="roles/iam.serviceAccountUser"

Step 4: Enable the service account to access your BigQuery data

To allow Looker Studio to access your data, grant the BigQuery Data Viewer role to the service account at the table or dataset level.

Provide the Looker Studio service account(s) to your Looker Studio users

Looker Studio users will need to know which service account to use when creating data sources. As there is no way to see the list of available service accounts from within Looker Studio, you should make this information available via your organization's documentation, internal website, or email.

Note: You don't need to manage service account keys manually, nor do users need to download service account keys from Cloud console and upload them to Looker Studio. The limit of 10 service account keys per service account does not apply to Looker Studio.

Edit a data source that uses service account credentials

When someone edits a data source that uses service account credentials, Looker Studio checks to see if they have permission to use the service account. If they don’t, the data source switches to use their credentials instead.

See who is using the service account to access data

You can check the audit logs for service accounts in the Cloud console. You must enable IAM audit logs for Data Access activity if you want to receive audit logs for service accounts.

Errors

This section explains the errors that Looker Studio data source creators and report viewers might see when they try to use a service account. In most cases, these errors have the same root cause: incorrect or incomplete setup of the service account.

Missing service agent role

No access to the data

Missing user role

Service agent not available for the account

Can't use service agent in credentials dialog

Limits

• Service account credentials are currently only available for BigQuery data sources. IAM limits apply to service accounts.
• It might take a few minutes for changes to service account permissions to be reflected in Looker Studio.

Related resources

• Understanding service accounts
• Connect to BigQuery: Support for VPC Service Controls
• Launching Cloud Shell

Was this helpful?

How can we improve it?