Set up a Google Cloud service account for Data Studio

Create and configure a service account to access data on behalf of Data Studio.
Note: 
  • This article is intended for service account administrators. To learn how to use an existing service account in your data source, see Data credentials.
  • Service account credentials are currently available only for BigQuery data sources.

Instead of delegating access using owner's credentials, or requiring individual report viewers to have access to the data using viewer's credentials, Data Studio can use a service account to access data. A service account is a special type of Google account that is intended to represent a non-human user that can authenticate and be authorized to access data in Google APIs and products.

To use a service account with Data Studio, you add your organization's Data Studio service agent as a user (principal) on the account. This gives you control over which service accounts can be used with Data Studio, while ensuring that the users in your organization can easily access the data they need.

Using a service account instead of an individual user's credentials provides these benefits:

  • Data sources using service account credentials won't break if the creator leaves your company.
  • Service account credentials support access to data located behind VPC Service Controls perimeters that use device policies.
  • Automated features like scheduled email and scheduled data extracts work with data sources that are behind a VPC Service Controls perimeter.

Learn more about service accounts.

We recommend that you create new service accounts that are solely for use with Data Studio. For example, you can create separate service accounts dedicated for marketing, sales, and engineering teams to use with Data Studio.

Before you begin

  • To set up a service account, you need to have Service Account Admin (roles/iam.serviceAccountAdmin) or Create Service Accounts (roles/iam.serviceAccountCreator) role on your Google Cloud project. Learn more about service account roles.
  • To get the Data Studio service agent, you must be a Workspace or Cloud Identity user.

Setup instructions

You only need to perform the instructions in this article once unless you want to create different service accounts for different teams or groups of users. To create multiple accounts, repeat these instructions for each additional account.

Get the Data Studio service agent

To allow the service account to access your data, you'll need to provide the Data Studio service agent for your organization. You can get the service agent from a help page in Data Studio:

  1. Navigate to the Data Studio service agent help page.
  2. Copy the service agent email address shown on that page.

Example of the Data Studio Service Agent help page, showing the Organization and the Service Agent. A help icon displays more explanation. The "service account" hyperlink takes you to the Cloud Console configuration page. The "click here for instructions" page takes you to the Help Center.

Create a service account for Data Studio

Instructions on creating a service account can be found in the Google Cloud IAM documentation. You can use either the Cloud console or the Cloud Shell command line to create the service account.

Use Cloud console

Step 1: Create a new service account

  1. From the Cloud console, go to the Create service account page.

    Go to Create service account

  2. Select a project.
  3. Enter a service account name to display in the Cloud console.

    The Cloud console generates a service account ID based on this name. Edit the ID now if necessary. You can't change the ID later.

  4. Optional: Enter a description for the service account.
  5. Click CREATE AND CONTINUE.
    Example of the Google Cloud Platform interface, showing "Create a service account" step 1: Service account details. The service account name field contains "Data Studio service account." The Service account ID contains "data-studio-service-accoun-309." The Service account description field contains "A service account for Data Studio users." The CREATE AND CONTINUE button is highlighted.

  6. In step 2, Grant this service account access to project, grant the BigQuery Job User IAM role to the service account.
    Granting a service account access to a project. In this example, the user has typed "BigQuery Job" in the filter box and selected the BigQuery Job User role.
  7. Click Continue.
  8. In the Service account users role field, add the users who can use this service account to provide credentials for their data sources. If you're not ready to add users now, you can do so later by following the directions in Step 3: Grant user roles below.
  9. Click DONE to save the service account and return to the service accounts list page for your project.

Step 2: Allow the Data Studio service agent to access your service account

  1. Return to the Cloud console service accounts list.
  2. Select the Data Studio service account that you just created by clicking it in the list.
  3. At the top, click PERMISSIONS.
  4. Click GRANT ACCESS.
  5. On the right, in Add principals to <project>, paste the Data Studio service agent email (which you copied in Get the Data Studio service agent above) into the New principals box.
  6. Select a role that gives the service agent the iam.serviceAccounts.getAccessToken permission. For example, you can use the Service Account Token Creator role, but you can also use any custom role that grants this permission.
  7. Click SAVE.
Tip: Your service agent's address uses the format service-ORG_ID@gcp-sa-datastudio.iam.gserviceaccount.com, where ORG_ID is your organization's numeric ID. If you know your organization ID, you can construct the address manually.

Example of adding the Data Studio service agent as a principal on the service account. The Data Studio service agent is added as a new principal. The Service Account Token Creator role is granted.

Step 3: Grant user roles

Note: This step is optional if you already added Data Studio users while creating the service account, as described in step 1 above.

Data Studio users who will create or edit data sources need to be granted a role that includes the iam.serviceAccounts.actAs permission, such as the Service Account User role (roles/iam.serviceAccountUser). You can grant this role on the project or on an individual service account, but we recommend that you grant the role on the service account only. For instructions, see Managing service account impersonation.

Tip: If you're not ready to complete this step, you can come back to it later.
Tip: We recommend that you do NOT grant non-service agent users the Service Account Token Creator role. It is not needed for Data Studio, and it would let those users obtain the service account's access tokens directly and use the account outside Data Studio.
Note: Users who will only view Data Studio reports don't need to have permissions on the service account.
  1. Navigate to the Cloud console service accounts list.
  2. Select your Data Studio service account by clicking it in the list.
  3. At the top of the page, click PERMISSIONS.
  4. Click GRANT ACCESS.
  5. On the right, in Add principals and roles for <service account>, enter the email addresses of your users in the New principals box.
  6. Select the Service Account User role.
  7. Click SAVE.

Example of adding a user as a principal on the service account, granting the Service Account User role.

Step 4: Enable the service account to access your BigQuery data

To allow Data Studio to access your data, grant the BigQuery Data Viewer role to the service account at the table or dataset level.

Note: We don't recommend granting service account access at the project level.

To grant access to a table:

  1. Navigate to the Cloud console service accounts list.
  2. Copy the Data Studio service account email address.
  3. Navigate to BigQuery and open a project.
  4. Expand a dataset by clicking its expand arrow.
  5. Select a table.
  6. In the toolbar, click SHARE.
  7. In the panel that opens on the right, click ADD PRINCIPAL.
  8. In the New principals box, paste the Data Studio service account email address.
  9. Select the BigQuery Data Viewer role.
  10. Click SAVE.

To grant access to a dataset:

  1. Navigate to the Cloud console service accounts list.
  2. Copy your Data Studio service account email address.
  3. Navigate to BigQuery, open a project, then locate the dataset.
  4. To the right of the dataset name, click the View actions ("More options") icon.
  5. Click Open.
  6. In the toolbar, click SHARING > Permissions.
  7. In the panel that opens on the right, click ADD PRINCIPAL.
  8. In the New principals box, paste the Data Studio service account email address.
  9. Select the BigQuery Data Viewer role.
  10. Click SAVE.
Use Cloud Shell

Step 1: Create a new service account

Follow the general steps listed under gcloud in Creating and managing service accounts.

  1. Open the Cloud Shell.
  2. Select a project if necessary.
  3. To create the service account, run the gcloud iam service-accounts create command. The account ID (the first argument) must be 6 to 30 characters of lowercase letters, digits, and hyphens; you can use whatever description and display name you choose.

    Example:

    gcloud iam service-accounts create datastudio-service-account \
      --description="Use for Data Studio access to BigQuery" \
      --display-name="DS_BQ"
  4. To run queries on the GCP project you want to use with Data Studio, give the service account the bigquery.jobs.create permission. You can grant the BigQuery Job User IAM role (roles/bigquery.jobUser) to give this permission.

    In addition, give the service account the bigquery.tables.getData and bigquery.tables.get permissions on the dataset or table you want to use with Data Studio. You can grant the BigQuery Data Viewer role (roles/bigquery.dataViewer) to give these permissions.

    To grant a role on the project, run the gcloud projects add-iam-policy-binding command. In the following examples, replace PROJECT_ID with your project ID; the member email uses the account ID you chose in the previous step. Note that the second command grants BigQuery Data Viewer on the whole project, which is broader than the table or dataset scope recommended in Step 4 below; to scope it to a dataset instead, use the bq command line tool as described there.

    Example:
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:datastudio-service-account@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/bigquery.jobUser"

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:datastudio-service-account@PROJECT_ID.iam.gserviceaccount.com" \
      --role="roles/bigquery.dataViewer"

Step 2: Allow the Data Studio service agent to access your service account

To allow the Data Studio service agent to access data via the service account, grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the service agent on the service account. To do this, run the gcloud iam service-accounts add-iam-policy-binding command. In the following example, replace PROJECT_ID with your project ID and ORG_ID with your organization's ID (the full service agent address is the one shown on the Data Studio service agent help page). Note the serviceAccount: prefix on the member; gcloud requires the principal type.

Example:

gcloud iam service-accounts add-iam-policy-binding \
  datastudio-service-account@PROJECT_ID.iam.gserviceaccount.com \
  --member="serviceAccount:service-ORG_ID@gcp-sa-datastudio.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator"

Step 3: Grant user roles

Data Studio users who will create or edit data sources need to be granted a role that includes the iam.serviceAccounts.actAs permission, such as the Service Account User role (roles/iam.serviceAccountUser). You can grant this role on the project or on an individual service account, but we recommend that you grant the role on the service account only. For instructions, see Managing service account impersonation.

If you're not ready to complete this step, you can come back to it later.
Tip: We recommend that you do NOT grant non-service agent users the Service Account Token Creator role. It is not needed for Data Studio, and it would let those users obtain the service account's access tokens directly and use the account outside Data Studio.
Note: Users who will only view Data Studio reports don't need to have permissions on the service account.

To grant the Service Account User role on the service account, run the gcloud iam service-accounts add-iam-policy-binding command. In the following example, replace PROJECT_ID with your project ID, and replace user@example.com with a valid email address. The --member flag takes a single principal, so run the command once per user, or grant the role to a group instead (--member="group:GROUP_EMAIL") and manage membership there.

Example:

gcloud iam service-accounts add-iam-policy-binding \
  datastudio-service-account@PROJECT_ID.iam.gserviceaccount.com \
  --member="user:user@example.com" \
  --role="roles/iam.serviceAccountUser"

Step 4: Enable the service account to access your BigQuery data

To allow Data Studio to access your data, grant the BigQuery Data Viewer role to the service account at the table or dataset level.

It's easiest to do this using the Cloud console instructions, Step 4 above. To grant access to data using the bq command line tool, see Controlling access to datasets.
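Once the four steps are done, it is worth checking the resulting policy rather than waiting for users to hit the errors listed later in this article. The following script is an added example, not code from the original article or from Google. It reads the service account's policy in the JSON shape that gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json returns, plus the service agent email copied from the Data Studio service agent help page, and reports the three misconfigurations the Errors section describes (missing service agent role, missing user role, Token Creator granted beyond the service agent). The sample policy and the agent address in it are constructed for illustration.

```python
"""Check a Data Studio service account's IAM policy against this article's setup.

Added example. Input: the policy JSON from
    gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
and the service agent email from the Data Studio service agent help page.
"""
import json
import re

# Roles the article names for each requirement. A custom role carrying
# iam.serviceAccounts.getAccessToken also satisfies the service agent
# requirement; add its full name to TOKEN_CREATOR_ROLES if you use one.
TOKEN_CREATOR_ROLES = {"roles/iam.serviceAccountTokenCreator"}
ACT_AS_ROLES = {"roles/iam.serviceAccountUser"}

# Any organization's Data Studio service agent, per the address format in Step 2.
DATASTUDIO_AGENT_RE = re.compile(
    r"^serviceAccount:service-[\w-]+@gcp-sa-datastudio\.iam\.gserviceaccount\.com$"
)


def audit_policy(policy: dict, agent_email: str) -> dict:
    """Classify the bindings relative to the organization's service agent."""
    agent = f"serviceAccount:{agent_email}"
    result = {
        "agent_has_token_creator": False,
        "editors": [],               # principals allowed to use the SA in data sources
        "other_token_creators": [],  # Token Creator granted beyond the service agent
        "conditional_roles": [],     # conditioned bindings may not apply to Data Studio
    }
    for binding in policy.get("bindings", []):
        role, members = binding.get("role", ""), binding.get("members", [])
        if binding.get("condition"):
            result["conditional_roles"].append(role)
        if role in TOKEN_CREATOR_ROLES:
            for member in members:
                if member == agent:
                    result["agent_has_token_creator"] = True
                else:
                    result["other_token_creators"].append(member)
        elif role in ACT_AS_ROLES:
            result["editors"].extend(members)
    return result


def problems(policy: dict, agent_email: str) -> list:
    """Findings as text, worded after the article's error messages."""
    r = audit_policy(policy, agent_email)
    out = []
    if not r["agent_has_token_creator"]:
        out.append("Missing service agent role: grant Service Account Token Creator to "
                   f"{agent_email} on this service account (Step 2).")
    for member in r["other_token_creators"]:
        who = ("another organization's Data Studio agent" if DATASTUDIO_AGENT_RE.match(member)
               else "a non-agent principal")
        out.append(f"Token Creator is granted to {who}, {member}; not needed for Data Studio, remove it.")
    if not r["editors"]:
        out.append("Missing user role: nobody holds Service Account User, so data source creators "
                   "will see 'You don't have permission to use this service account.' (Step 3)")
    for role in r["conditional_roles"]:
        out.append(f"The {role} binding has an IAM condition; confirm it does not exclude Data Studio.")
    return out


# Constructed sample (not from a real project): Step 2 is correct, but a user
# was also given Token Creator, which the article advises against.
SAMPLE_AGENT = "service-123456789012@gcp-sa-datastudio.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:service-123456789012@gcp-sa-datastudio.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "group:bi-editors@example.com"]}
  ],
  "etag": "BwXhqDd9RLE=",
  "version": 1
}
""")

if __name__ == "__main__":
    import sys
    # Usage: gcloud iam service-accounts get-iam-policy SA --format=json | python audit_sa.py AGENT_EMAIL
    if len(sys.argv) > 1:
        policy, agent = json.load(sys.stdin), sys.argv[1]
    else:
        policy, agent = SAMPLE_POLICY, SAMPLE_AGENT
    for line in problems(policy, agent) or ["No problems found."]:
        print(line)
```

Run against the sample, the only finding is the stray Token Creator grant to alice@example.com; pass a different organization's agent address and it additionally reports the missing service agent role. Bindings with IAM conditions are flagged rather than evaluated, since a condition that excludes the service agent's requests would produce the same "missing service agent role" error at runtime.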

Provide the Data Studio service account(s) to your Data Studio users

Data Studio users will need to know which service account to use when creating data sources. As there is no way to see the list of available service accounts from within Data Studio, you should make this information available via your organization's documentation, internal website, or email.

Note: You don't need to manage service account keys manually, nor do users need to download service account keys from Cloud console and upload them to Data Studio. The limit of 10 service account keys per service account does not apply to Data Studio.

 

Edit a data source that uses service account credentials

When someone edits a data source that uses service account credentials, Data Studio checks to see if they have permission to use the service account. If they don’t, the data source switches to use their credentials instead.

See who is using the service account to access data

You can check the audit logs for service accounts in the Cloud console. Data Access audit logs are disabled by default for IAM, so you must enable IAM audit logs for Data Access activity if you want to receive audit logs for service account use.
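As an added example (not code from the original article or from Google), the script below summarizes those audit logs once they are enabled. Each token the Data Studio service agent obtains for the service account is recorded by the IAM Credentials API as a GenerateAccessToken call, with the caller in protoPayload.authenticationInfo.principalEmail and the target service account in protoPayload.resourceName. The script reads such entries as JSON, one per line (for example from gcloud logging read, flattened to one entry per line), counts token requests per service account and caller, and flags any caller that is not your organization's service agent, which is the visible trace of the Token Creator over-grant the tips above warn about. The log entries are constructed for illustration; they follow the standard AuditLog field layout, and the resourceName form projects/-/serviceAccounts/EMAIL is an assumption made for the sample.

```python
"""Summarize who obtains access tokens for a Data Studio service account.

Added example. Input: IAM Data Access audit log entries as JSON, one per line.
"""
import json
from collections import Counter, defaultdict


def token_requests(lines):
    """Yield (caller, target_service_account) for each GenerateAccessToken entry."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        payload = json.loads(line).get("protoPayload", {})
        if (payload.get("serviceName") != "iamcredentials.googleapis.com"
                or payload.get("methodName") != "GenerateAccessToken"):
            continue  # unrelated entry (e.g. a BigQuery job log)
        caller = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        # assumed form: projects/-/serviceAccounts/<service account email>
        target = payload.get("resourceName", "").rsplit("/", 1)[-1]
        yield caller, target


def summarize(lines, expected_agent):
    """Return ({sa: {caller: count}}, {sa: [callers that are not expected_agent]})."""
    counts = defaultdict(Counter)
    for caller, target in token_requests(lines):
        counts[target][caller] += 1
    unexpected = {sa: [c for c in callers if c != expected_agent]
                  for sa, callers in counts.items()}
    return ({sa: dict(c) for sa, c in counts.items()},
            {sa: u for sa, u in unexpected.items() if u})


# Constructed sample log: two legitimate requests by the service agent, one by
# a user who was wrongly given Token Creator, and one unrelated BigQuery entry.
SA = "datastudio-service-account@my-project.iam.gserviceaccount.com"
AGENT = "service-123456789012@gcp-sa-datastudio.iam.gserviceaccount.com"


def _entry(caller, service="iamcredentials.googleapis.com", method="GenerateAccessToken"):
    return json.dumps({"protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": caller},
        "resourceName": f"projects/-/serviceAccounts/{SA}"},
        "timestamp": "2023-03-01T10:00:00Z"})


SAMPLE_LOG = "\n".join([
    _entry(AGENT),
    _entry("bob@example.com"),
    _entry(SA, service="bigquery.googleapis.com", method="jobservice.insert"),
    _entry(AGENT),
])

if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE_LOG.splitlines(), AGENT)
    for sa, callers in counts.items():
        print(sa)
        for caller, n in callers.items():
            flag = "" if caller == AGENT else "   <-- not the service agent"
            print(f"  {n:4d}  {caller}{flag}")
```

This shows which principals are minting tokens for the account, not which Data Studio report viewer triggered a query; for that, correlate with the BigQuery Data Access logs for the jobs the service account runs.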

Errors

This section explains the errors that Data Studio data source creators and report viewers might see when they try to use a service account. In most cases, these errors have the same root cause: incorrect or incomplete setup of the service account.

Missing service agent role

Messages

  • Data Studio’s service agent is missing iam.serviceAccount.getAccessToken permission for this service.
  • The service agent used by this data source’s service account is missing the "Service Account Token Creator" role.

Cause

The service agent hasn't been granted the Service Account Token Creator role (or another role that includes the iam.serviceAccounts.getAccessToken permission) on the service account.

Solution

Grant the Service Account Token Creator role to the Data Studio service agent on the service account, as described in Step 2 above.

No access to the data

Message

This service account can't access the underlying data set.

Cause

The service account hasn't been granted access to the project's data.

Solution

At a minimum, grant the BigQuery Data Viewer role to your service account on the underlying table or dataset (project-level grants work but are not recommended).

Missing user role

Message

You don’t have permission to use this service account.

Cause

The user hasn't been added as a principal on the service account with the Service Account User role (or another role that includes the iam.serviceAccounts.actAs permission).

Solution

Grant the Service Account User role to the user on the service account.

Service agent not available for the account

Messages

  • Service agents cannot be generated for this account - try again with a Google Workspace or Cloud Identity managed account.
  • Service agent credentials are only available for Google Workspace or Cloud Identity managed organizations. Please use a different account to use this feature.

Cause

The user is trying to access data controlled by a service account from a standard (consumer user) Google account.

Solution

Use a Google Workspace or Cloud Identity account to access the data.

Can't use service agent in credentials dialog

Message

Data Studio service agents can't be used to directly connect to data. Use a service account instead.

Solution

Service agents and service accounts are different. Enter a service account in the credentials dialog. You can find the list of available service accounts using the Cloud console:

Use Cloud console

  1. Navigate to the Google Cloud Platform > IAM & Admin > Service accounts page.
  2. Select a project if necessary.
  3. In the Service accounts for project page, locate the service account that Data Studio will use to access your BigQuery data.
  4. Copy the email address for that account.

Use Cloud shell

  1. Open the Cloud shell.
  2. Select a project if necessary.
  3. To list the service accounts to which you have access, run the gcloud iam service-accounts list command.

Example:

gcloud iam service-accounts list

Limits

  • Service account credentials are currently only available for BigQuery data sources. IAM limits apply to service accounts.
  • It might take a few minutes for changes to service account permissions to be reflected in Data Studio.
