What is Google's Service Account (GSA) Key?
Please refer to this document for the explanation on GSA.
Request for Google's Service Account to be used for the Looker Studio's Dashboard
The illustration below reflects on how Looker Studio connects to GCP Bigquery with the GSAs, without having to manually generates the service account key.
Before you change the BigQuery connection on the Looker Studio Dashboard, you will need to have a GSA created with the correct permission granted to access the data for the dashboard.
- Submit a request for the creation of GSA (without key) on the required GCP Project that has the data with the following:
- Naming convention: sa-looker-<dashboard's name>
- In order for Looker Studio to manage the GSA key, permission to be granted on this service account (permission must be granted on service account level):
- Allow this GSA service-org-346661825861@gcp-sa-datastudio.iam.gserviceaccount.com (Looker Studio's GSA on the organization level) with following permission:
- Service Account User
- Service Account Token Creator
- Allow this GSA service-org-346661825861@gcp-sa-datastudio.iam.gserviceaccount.com (Looker Studio's GSA on the organization level) with following permission:
- Description of the GSA
"<url of the Looker Studio's dashboard>" - On the resources, grant the following permission (recommended to grant only at the dataset's level):
- BigQuery Data Viewer
- BigQuery Job User (Must be granted on Project IAM level)
- BigQuery Read Session User (Must be granted on Project IAM level)
- For the person who will be making the changes, that person will need to have the following permission to the sa-looker-<dashboard's name> GSA.
- Service Account User (permission must be granted on service account level)
- Once the GSA is created, you will need the email of the GSA the connection in the next step.
Looker Studio's BigQuery connection can only work with GCP and Looker Studio within the same organization. The connection changes can only be made by that person granted with the "Service Account User" to that specific sa-looker GSA. |
Changing existing BigQuery connection on Looker Studio
Looker Studio Users are advised to use Google Cloud Project Service account to bind with the Looker Studio Project as illustrated below:
# | Description | Remarks |
|---|---|---|
| 1 | Edit the existing Data binding account. Go to Looker Studio → Data → Click Edit (as illustrated in the print screen on the right) |
|
| Click on the "Data credentials" |
| |
Choose the "Service Account Credentials" and fill in with the target service account. (Click Update button to update the config) |
|
Why I cannot see the "Service Account Credentials" when trying to create a new connection?
If you are not able to see the "Service Account Credentials", follow the following steps:
- Add a Bigquery connection with your own account.
- After added the connection, change the data connection as per the section on "Changing existing BigQuery connection on Looker Studio".
The "Service Account Credentials" will be shown.
How often do I need to rotate my service account key?
The GSA used for Looker Studio will not require to create a user-managed service account key.
Therefore, you do not need to rotate the GSA key.