Google Account Authentication Methods

You can use two types of Google accounts in Hevo to connect to services hosted on the Google Cloud Platform (GCP) such as BigQuery or those available in the Google Suite such as Google Sheets and Google Drive:

  • User Account, or the OAuth method. A user account is associated with an individual user.

  • Google Service Account. A service account uses a Key to authenticate the connection, making it user-independent, thereby providing you better access control over the data. It is associated with the team rather than the individual.

For GCP-hosted Sources, you must provide the following roles to both user and service accounts for accessing the Google Cloud Storage resources for it:

  • The Storage Admin role, for accessing the GCS resources for the required project of the GCP-hosted service.
  • The appropriate role for connecting to the GCP-hosted service. For example, to connect to BigQuery APIs for loading data to the BigQuery Destination, you need the BigQuery Admin role.

    Refer to the sections below for steps to assign these roles.

For G-Suite Sources:

  • In case of service accounts, you must enable the respective APIs for the Source to be able to access the resource and read the data.

  • In case of user accounts (OAuth), the authorization or consent is given implicitly when the user signs into the account.

Prerequisites


Using User Accounts

User accounts are individual Google accounts that you can configure for each team member to connect to the GCP-hosted services such as Google BigQuery and G-Suite applications such as Google Sheets.

Creating a User Account

Perform the following steps to create a Google user account:

  1. Log in to your Google Cloud Platform with an Owner Role.

    Click here and check the role against your name. If you are not an Owner, contact your account Owner to perform the following steps.

  2. In the left navigation pane, click IAM & Admin.

  3. Click IAM.

    Select IAM

  4. Select the Name of the project you want to grant roles to.

    Select the project

  5. Click + ADD in the IAM & Admin page.

    Edit permissions

  6. Add the following details of the new user:

    • Member: The Email ID of the user.

    • Name: The full name of the user

    • Role: Select the required role for the user.

    </div>

Assigning Roles to a User Account

As a user on GCP with an Owner role, you can assign roles to user accounts for connecting to and accessing data for respective GCP-hosted services. Roles are assigned on specific projects where the data is stored or written.

Perform the following steps to assign the required roles to the Google user account:

  1. In the IAM & Admin, IAM page:

  2. Click the PERMISSIONS tab.

  3. Click the Edit icon for the user to whom the roles are to be assigned.

    Edit permissions

  4. In the Select a role drop-down, select Cloud Storage in the left pane and then select the Storage Admin role. This role is required for accessing the GCS resources for the project.

    Storage Admin permission

  5. Click SAVE and then, + ADD ANOTHER ROLE.

  6. In the Select a role drop-down, select the role applicable for the GCS resource. For example, for connecting to BigQuery APIs, select BigQuery in the left pane and then select BigQueryAdmin.

    Assign BigQuery Admin role

  7. Click SAVE.

Using Google Service Accounts

As a user with Owner role, you can create service accounts for your team members to access the GCP-hosted services such as Google BigQuery and Google Suite applications such as Google Sheets. Once you have done this, you must download the Key file in JSON format, which is used to authenticate you on the Source.

Creating a Google Service Account

If you have already created a service account for your team, skip to section Assigning Roles to the Service Account below to assign the required roles to it. Else, perform the following steps to create a Google service account:

  1. Log in to your Google Cloud Platform with an Owner Role.

    Click here and check your Role against your name. If you are not an Owner, contact your Owner to perform the following steps.

  2. In the left navigation menu, click IAM & Admin.

  3. Under IAM & Admin, click Service Accounts.

    Click Service Accounts

  4. Select the project in the drop-down at the top of the page.

  5. Click + CREATE SERVICE ACCOUNT.

  6. In the Service account details page, enter a Service account name and description and click CREATE.
    The Service account ID is automatically created based on the service account name.

    Service account properties

Assigning Roles to a Google Service Account

For GCP-hosted services, you must assign the appropriate roles to the service account to enable access to the service and its resources on GCP.

Perform the following steps to assign roles to a service account:

  • For an existing service account:
    1. In your GCP console, under IAM & Admin, click IAM.

    2. In the PERMISSIONS tab, check the Role column to see the assigned roles.

      View assigned roles

    3. If the required roles are not assigned, click the Edit icon for the service account.

    4. In the Edit permissions dialog that opens up, click + ADD ANOTHER ROLE to add a new row.

      Edit account permissions

    5. Select the required role from the Role drop down.

    6. Click SAVE.

  • For a newly created account:
    1. After you have created the service account, continue to the Grant this service account access to project section.

      Grant access to project

    2. Select the role for the related GCP-hosted service. For example, to connect to BigQuery, select BigQuery Admin in the Role drop-down.

    3. Click + ADD ANOTHER ROLE to add a row.

    4. Select Storage Admin in the Role drop-down. This role is required for accessing the GCS resources for the project.

    5. Click CONTINUE.

    6. Click DONE.

Enabling API Access for a Google Service Account

For Google Suite applications, you must enable the respective API to enable the service account to read your data.

To do this:

  1. Access your Google Cloud Platform console.

  2. In the left navigation pane, click APIs & Services and then, Library.

    API Library

  3. In the Library page, search for the API using the search box and click on it.

    Search Sheets API

  4. Click ENABLE to enable the API.

    Enable API

Downloading the Key File

Service account credentials are usually stored as a Key file in JSON format. You need the key file to connect to the BigQuery Destination in Hevo.

To download the file:

  1. Log in to the Google Cloud Platform as an Owner.

  2. Navigate to the IAM, Service Accounts page.

  3. Click on the newly created service account

  4. Navigate to the KEYS tab.

  5. Click ADD KEY and then, Create new key.

  6. Select the Key type as JSON and click CREATE. This downloads the key file.

    Note: Hevo supports only JSON format for the key file.

    JSON Key file

You can use this key file to set up the Google BigQuery Destination in Hevo.


Revision History

Refer to the following table for the list of key updates made to the page:

Date Release Description of Change
05-May-2021 1.62 Included user and service account setup information for G-Suite applications
20-Apr-2021 1.61 New document.
Last updated on 05 May 2021