Google Analytics Data API v1 (opens in a new tab) authentication is based on OAuth 2.0 authorization (opens in a new tab).
Two methods are supported: OAuth 2.0 and Application Default Credentials.
OAuth 2.0
The following options are available when using OAuth:
-
Using an existing access token
This token should be authorized for
https://www.googleapis.com/auth/analytics.readonlyscope (e.g. by using OAuth 2.0 Playground (opens in a new tab)). -
Using OAuth client ID & client secret
You can get your own OAuth credentials using this guide (opens in a new tab).
Application Default Credentials
See the official Application Default Credentials guide (opens in a new tab).
Note: You will still need to authorize these credentials for https://www.googleapis.com/auth/analytics.readonly scope.
Available options are all the same options described here (opens in a new tab) in detail.
Local Environment
See this guide (opens in a new tab) for local environment to get you started.
The final step is to run:
gcloud auth application-default login \
--scopes=https://www.googleapis.com/auth/analytics.readonly \
--client-id-file=[PATH/TO/credentials.json]Google Cloud cloud-based development environment
When you run on Cloud Shell or Cloud Code credentials are already available.
Google Cloud containerized environment
When running on GKE use workload identity (opens in a new tab).
Google Cloud services that support attaching a service account
Services such as Compute Engine, App Engine and functions supporting attaching a user-managed service account which will CloudQuery will be able to utilize. You can find out more here (opens in a new tab).
On-premises or another cloud provider
The suggested way is to use Workload identity federation (opens in a new tab).
If not available, you can use service account keys and export the location of the key via GOOGLE_APPLICATION_CREDENTIALS.
This is not recommended as long-lived keys present a security risk.
