Connecting using a Google Service Account

What is a service account?

You need a service account in order to access Google APIs. A service account is an account that belongs to an application, such as Etlworks Integrator, instead of to an individual end user. The application calls Google APIs on behalf of the service account, so users aren't directly involved. This scenario is sometimes called "two-legged OAuth," or "2LO." (The related term "three-legged OAuth" refers to scenarios in which the application calls Google APIs on behalf of end users, and in which user consent is sometimes required.)

Important: a service account is not the same as an account used to log into Google services from a web browser.

Read more about Google Service accounts.

Important: Integrator already has a service account which can be used to access Google APIs. This account is linked to the email address etl-framework@api-project-201080624425.iam.gserviceaccount.com. You can create you own account (see step-by-step instructions below) if you prefer to use your own, instead of the default.

What is a service account email?

Each service account has a unique email address automatically assigned by Google when the account is created.

Loosely, you can call the service account email a user name, and the service account a password.

Why is the "service account email" populated and the "service account" empty when I create a new connection to the Google API ?

Eltworks Integrator already includes a service account, linked to the email etl-framework@api-project-201080624425.iam.gserviceaccount.com. The actual service account field is empty because information about the account, such a private key, etc. is stored in secure storage, so it is not available to the end user.

Important: when the service account field is empty, Etlworks Integrator will always use the default service account, linked to the email etl-framework@api-project-201080624425.iam.gserviceaccount.com, regardless of what you entered in the service account email field.

Default service account

By default, Etlworks Integrator has a built-in service account, which belongs to Etlworks. This account is linked to the email address etl-framework@api-project-201080624425.iam.gserviceaccount.com. It is recommended that you use this account whenever possible.

Creating a new service account

If necessary, you can create a new service account. For example, you might not want to use the default account for security reasons.

Step 1. You must have an active Google account.

Step 2. Using this account, open the setup tool.

Step 3. Click Create a project and select API Project.

Step 4. Click Go to credentials.

Step 5. Select the following parameters:

Service account credentials

Step 6. Click What credentials do I need

Step 7. Enter Service account name and click Continue.

Step 8. The account will be created, and a JSON file with account details will be downloaded to your local hard drive. Important: please keep it in a safe place as it will be needed later.

The downloaded JSON will look similar to the code below:

{
  "type": "service_account",
  "project_id": "id",
  "private_key_id": "key_id",
  "private_key": "-----BEGIN PRIVATE KEY-----\key\n-----END PRIVATE KEY-----\n",
  "client_email": "service account email",
  "client_id": "client id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/etl-framework%40service-account@email"
}

The important part is the service account email.