The Google Cloud Platform offers a variety of ways for users, or applications, to authenticate themselves in order to gain access to data. For Python developers, one of the most practical is to create a Google Service Account and authenticate using a client secrets JSON key file.
Service Accounts are effectively user accounts for server applications. While a user account lets you login to a Google service, such as Google Search Console or Google Analytics, a Google Service Account lets an application login and access the data instead.
As with a regular user account, you can grant your Service Account access to specific services or Google APIs, and you can restrict what they can do. For example, you may want to create a Google Service Account with read only access to Google Analytics.
Since Service Accounts can provide access to confidential data stored on Google Cloud, or allow an application to use services for which you could be billed, it’s important to restrict the privileges of the account and take care not to lose the key or deploy it a public GitHub repository.
When you create the service account, Google will also create a unique email address for the Service Account user, that you’ll need to add to your chosen service (i.e. Google Analytics or Google Search Console) to provide access.
You can then create a client secrets JSON key file via which your application can authenticate. The key file itself is a small text file based on JavaScript object notation, or JSON, that contains various identifiers used to let your application authenticate and access your data.
Here’s an obfuscated example JSON client secrets key file. This contains the project_id
, the private_key_id
, and the private_key
itself, as well as the client_email
that you add to the account. Here’s how to create the client secrets JSON key and a service account so you can use it within your Python applications.
{
"type": "service_account",
"project_id": "jupyter",
"private_key_id": "xxxxxxxxxxxxxxxxx",
"private_key": "-----BEGIN PRIVATE KEY-----XXXXXX-----END PRIVATE KEY-----\n",
"client_email": "xxxxx@xxxxxx.iam.gserviceaccount.com",
"client_id": "xxxxxx",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxxxx@xxxxxx.iam.gserviceaccount.com"
}
Adding a user to Google Search Console can be very confusing, as many users are delegated owners rather than verified owners. If you’re a delegated owner, when you follow the steps below you won’t find the “Add user” button.
Instead, you will need to get the verified owner to follow the steps above, or follow one of the steps shown to verify your own account. The easiest way to do this is via your Google Analytics account.
Once you’ve downloaded your client secrets key file, and have added the service account email as a user to the Google service, all you need to do now is place the key in a specific location on your machine and pass the filepath to your application to authenticate.
In the example below I’m using the seo
module from EcommerceTools to run a Google Search Console API query on my GSC data using the client_secrets.json
keyfile.
from ecommercetools import seo
key = "client_secrets.json"
site_url = "http://example.com"
start_date = "2020-05-01"
end_date = "2021-06-30"
payload = {
'startDate': start_date,
'endDate': end_date,
'dimensions': ["page"],
'rowLimit': 10000,
'startRow': 0
}
df = seo.query_google_search_console(key, site_url, payload)
df.sort_values(by='clicks', ascending=False).head()
Matt Clarke, Sunday, September 05, 2021