You can use service accounts in your Community Connectors for centralized
management of resource access. A common use case would be to delegate access to
data that users would not be able to access using their own credentials.
You can implement your own access control layer in your connector.
You can delegate access to data or resources that the user's credentials
do not have access to.
Implementation steps
1. Create a service account for the platform from which you are fetching data.
2. Provide the necessary permissions to the service account so it can access
   required resources.
3. Store the service account's credentials in your connector's script
   properties.
4. During connector execution, use the stored credentials to fetch required
   data.
5. Optional: Implement access control logic to filter the data.
Example: Accessing BigQuery with Looker Studio Advanced Services and a service account
You are building a solution where your users will build dashboards from a
BigQuery table. If your users use Looker Studio's BigQuery connector, they will
need read access to the BigQuery table. They will also require a billing account
for Google Cloud Platform (GCP). The following steps illustrate how to use a
service account to consolidate billing and delegate access to the BigQuery data.
For your getData function, authenticate the service account and generate
an access token. Set the OAuth2 scope to
https://www.googleapis.com/auth/bigquery.readonly.
Return the access token with the other configuration items in the getData response.
The following is a complete example of the connector code:
main.js
var cc = DataStudioApp.createCommunityConnector();
var scriptProperties = PropertiesService.getScriptProperties();

// Returning true treats every user as an admin of the connector.
function isAdminUser() {
  return true;
}

// No per-user auth prompt: BigQuery is accessed as the service account.
function getAuthType() {
  var AuthTypes = cc.AuthType;
  return cc
    .newAuthTypeResponse()
    .setAuthType(AuthTypes.NONE)
    .build();
}

function getConfig(request) {
  var config = cc.getConfig();

  config
    .newInfo()
    .setId('generalInfo')
    .setText('This is an example connector to showcase row level security.');

  return config.build();
}

function getFields() {
  var fields = cc.getFields();
  var types = cc.FieldType;
  var aggregations = cc.AggregationType;

  fields
    .newDimension()
    .setId('region')
    .setName('Region')
    .setType(types.TEXT);

  fields
    .newMetric()
    .setId('sales')
    .setName('Sales')
    .setType(types.NUMBER)
    .setAggregation(aggregations.SUM);

  fields
    .newDimension()
    .setId('date')
    .setName('Date')
    .setType(types.YEAR_MONTH_DAY);

  return fields;
}

function getSchema(request) {
  return {schema: getFields().build()};
}

// Name of the script property that holds the credentials, and the keys
// read from the credentials JSON.
var SERVICE_ACCOUNT_CREDS = 'SERVICE_ACCOUNT_CREDS';
var SERVICE_ACCOUNT_KEY = 'private_key';
var SERVICE_ACCOUNT_EMAIL = 'client_email';
var BILLING_PROJECT_ID = 'project_id';

/**
 * Copy the entire credentials JSON file from creating a service account in GCP.
 */
function getServiceAccountCreds() {
  return JSON.parse(scriptProperties.getProperty(SERVICE_ACCOUNT_CREDS));
}

// Configures the OAuth2 for Apps Script service with the service account's
// key and email, limited to the read-only BigQuery scope.
function getOauthService() {
  var serviceAccountCreds = getServiceAccountCreds();
  var serviceAccountKey = serviceAccountCreds[SERVICE_ACCOUNT_KEY];
  var serviceAccountEmail = serviceAccountCreds[SERVICE_ACCOUNT_EMAIL];

  return OAuth2.createService('RowLevelSecurity')
    .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
    .setTokenUrl('https://accounts.google.com/o/oauth2/token')
    .setPrivateKey(serviceAccountKey)
    .setIssuer(serviceAccountEmail)
    .setPropertyStore(scriptProperties)
    .setCache(CacheService.getScriptCache())
    .setScope(['https://www.googleapis.com/auth/bigquery.readonly']);
}

// Row-level filter: join the data to the access table and keep only the
// rows granted to the email passed in as the @email query parameter.
var BASE_SQL =
  'SELECT d.region, d.sales, d.date ' +
  'FROM `datastudio-solutions.row_level_security.data` d ' +
  'INNER JOIN `datastudio-solutions.row_level_security.access` a ' +
  'ON d.region = a.region ' +
  'where a.email=@email';

function getData(request) {
  var accessToken = getOauthService().getAccessToken();
  var serviceAccountCreds = getServiceAccountCreds();
  var billingProjectId = serviceAccountCreds[BILLING_PROJECT_ID];
  // Email of the user the script is running as; bound to @email below.
  var email = Session.getEffectiveUser().getEmail();

  var bqTypes = DataStudioApp.createCommunityConnector().BigQueryParameterType;

  return cc
    .newBigQueryConfig()
    .setAccessToken(accessToken)
    .setBillingProjectId(billingProjectId)
    .setUseStandardSql(true)
    .setQuery(BASE_SQL)
    .addQueryParameter('email', bqTypes.STRING, email)
    .build();
}
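
One way to implement the optional access-control step inside the connector itself, for a data source that cannot apply the filter in the query the way the BigQuery example does. This is an added example, not part of the original connector code; the function names, the sample rows and the case-insensitive email comparison are assumptions.

```javascript
// Constructed sample of everything the service account can read.
const DATA = [
  { region: 'EMEA', sales: 120, date: '20240101' },
  { region: 'APAC', sales: 80, date: '20240101' },
  { region: 'AMER', sales: 200, date: '20240102' },
];

// Constructed access table: one row per (email, region) grant.
const ACCESS = [
  { email: 'alice@example.com', region: 'EMEA' },
  { email: 'alice@example.com', region: 'APAC' },
  { email: 'Bob@Example.com', region: 'AMER' },
];

// Field ids the connector's schema exposes; anything else is never returned.
const SCHEMA_FIELDS = ['region', 'sales', 'date'];

// Assumption: emails compare case-insensitively (the page's SQL uses an
// exact match). Anything that is not a string normalizes to ''.
function normalizeEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// Regions granted to the viewer. An empty set means no access at all.
function allowedRegions(accessRows, viewerEmail) {
  const viewer = normalizeEmail(viewerEmail);
  const regions = new Set();
  if (viewer === '') return regions; // fail closed: no identity, no rows
  for (const grant of accessRows) {
    if (normalizeEmail(grant.email) === viewer) regions.add(grant.region);
  }
  return regions;
}

// Filters rows fetched with the service account down to the viewer's grants,
// then projects only requested ids that exist in the schema.
function filterRowsForViewer(rows, accessRows, viewerEmail, fieldIds) {
  const regions = allowedRegions(accessRows, viewerEmail);
  const ids = fieldIds.filter((id) => SCHEMA_FIELDS.includes(id));
  return rows
    .filter((row) => regions.has(row.region))
    .map((row) => ids.map((id) => row[id]));
}
```

In a connector, viewerEmail would come from Session.getEffectiveUser().getEmail(), as in getData above.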