How to create a Google Service Account client secrets JSON key

Picture by Artem Beliaikin, Pexels.

5 minutes to read

The Google Cloud Platform offers a variety of ways for users, or applications, to authenticate themselves in order to gain access to data. For Python developers, one of the most practical is to create a Google Service Account and authenticate using a client secrets JSON key file.

Service Accounts are effectively user accounts for server applications. While a user account lets you login to a Google service, such as Google Search Console or Google Analytics, a Google Service Account lets an application login and access the data instead.

Service Account privileges

As with a regular user account, you can grant your Service Account access to specific services or Google APIs, and you can restrict what they can do. For example, you may want to create a Google Service Account with read only access to Google Analytics.

Since Service Accounts can provide access to confidential data stored on Google Cloud, or allow an application to use services for which you could be billed, it’s important to restrict the privileges of the account and take care not to lose the key or deploy it a public GitHub repository.

Understanding client secrets JSON key files

When you create the service account, Google will also create a unique email address for the Service Account user, that you’ll need to add to your chosen service (i.e. Google Analytics or Google Search Console) to provide access.

You can then create a client secrets JSON key file via which your application can authenticate. The key file itself is a small text file based on JavaScript object notation, or JSON, that contains various identifiers used to let your application authenticate and access your data.

Here’s an obfuscated example JSON client secrets key file. This contains the project_id, the private_key_id, and the private_key itself, as well as the client_email that you add to the account. Here’s how to create the client secrets JSON key and a service account so you can use it within your Python applications.

{
  "type": "service_account",
  "project_id": "jupyter",
  "private_key_id": "xxxxxxxxxxxxxxxxx",
  "private_key": "-----BEGIN PRIVATE KEY-----XXXXXX-----END PRIVATE KEY-----\n",
  "client_email": "xxxxx@xxxxxx.iam.gserviceaccount.com",
  "client_id": "xxxxxx",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxxxx@xxxxxx.iam.gserviceaccount.com"
}

In the Google Developers Console

Go to the Google Developers Console
Ensure you are logged in to the correct Google account
Search for the API service you wish to enable, i.e. “Google Search Console API” and click “Enable”
Go to APIs and Services > Credentials and click “+ Create Credentials” and select “Service Account”
Enter a name for the service account, i.e. “Google Search Console API service account”.
Change the email to something you’ll recognise, i.e. “gsc-api-service-account@”.
Click “Create and Continue” and select a role, i.e. Basic > Viewer, then click “Done”.
Copy the email address created, i.e. gsc-api-service-account@xxxxxxxxxxx.iam.gserviceaccount.com
In Credentials > Service Accounts click the email address added
Click “Keys” > “Add key” > “Create new key” > “JSON” > “Create”
Download the key and give it a name to identify what it does, i.e. mysite-client-secrets.json

In Google Search Console

Go to Google Search Console
Ensure you are logged in to the correct Google account
Select the property you want to access
Click the Settings icon in the sidebar
Click Users and Permissions > Add User
Enter the email address for the Service Account user and grant permissions

Can’t add a user to your Google Search Console account?

Adding a user to Google Search Console can be very confusing, as many users are delegated owners rather than verified owners. If you’re a delegated owner, when you follow the steps below you won’t find the “Add user” button.

Instead, you will need to get the verified owner to follow the steps above, or follow one of the steps shown to verify your own account. The easiest way to do this is via your Google Analytics account.

Using your client secrets JSON key file

Once you’ve downloaded your client secrets key file, and have added the service account email as a user to the Google service, all you need to do now is place the key in a specific location on your machine and pass the filepath to your application to authenticate.

In the example below I’m using the seo module from EcommerceTools to run a Google Search Console API query on my GSC data using the client_secrets.json keyfile.

from ecommercetools import seo

key = "client_secrets.json"
site_url = "http://example.com"
start_date = "2020-05-01"
end_date = "2021-06-30"

payload = {
    'startDate': start_date, 
    'endDate': end_date,
    'dimensions': ["page"],  
    'rowLimit': 10000,
    'startRow': 0
}

df = seo.query_google_search_console(key, site_url, payload)
df.sort_values(by='clicks', ascending=False).head()

Matt Clarke, Sunday, September 05, 2021

Matt Clarke Matt is an Ecommerce and Marketing Director who uses data science to help in his work. Matt has a Master's degree in Internet Retailing (plus two other Master's degrees in different fields) and specialises in the technical side of ecommerce and marketing.