
Google third-party OAuth using Service Accounts

Overview

Users can perform ETL/ELT on their data from numerous Google services:

Google allows OAuth flows using user credentials as well as service accounts.

This page explores using a service account for OAuth instead of a user account to pull data from Google Analytics using the Google Analytics Query component.

The section titled Google Configuration describes steps taken on the Google Cloud Platform (GCP) to create the service account and gather required information.

The section titled Matillion ETL Configuration then uses the information gathered to configure an example Google Analytics Query component so that it authenticates with the service account created in Google Configuration.


Google configuration

Enable the Google Analytics API

To enable the Google Analytics API in your Google Cloud project, follow the instructions in the Google Enabling an API in your Google Cloud project documentation.

If you see an option to Disable API, ignore it. This means you have already enabled this API.

Create a service account

  1. Follow the instructions in the Google Create service accounts documentation.
  2. Note the email address for your new service account. This will be in the format <SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com.
  3. Download the .JSON file for this service account.
  4. Ensure the service account has access to relevant services and roles. For example, to give the service account access to Google Analytics, log in to Google Analytics and add the service account email address to the allowed users.

Create an OAuth app

To create an OAuth app, follow the instructions in the Google OAuth client ID credentials documentation.

Once created, copy your app's Client ID and Client Secret credentials and paste these somewhere to use later.


Matillion ETL configuration

  1. Copy the .JSON file for your created service account to the Matillion ETL server, for example to the /etc/tomcat/ folder or to any other folder on the Matillion ETL server that the Tomcat user has access to. Ensure the Tomcat user has Read access to this file.
  2. Create a new Google OAuth entry in Matillion ETL.
    1. Click Project → Manage OAuth.
    2. Click + to add a new OAuth entry.
    3. Select Google from the drop-down of services.
    4. Click OK. The OAuth entry's status will read "Not configured".
    5. Click OK.
    6. Click Project → Manage OAuth.
  3. Add a new Google Analytics Query component to the job canvas.
  4. In the Connection Options parameter, set the following connection options:

    • InitiateOAuth: Set this to GETANDREFRESH.
    • OAuthClientId: The Client ID in your app settings.
    • OAuthClientSecret: The Client Secret in your app settings.
    • OAuthJWTIssuer: Email address of your service account.
    • OAuthJWTCertType: Set this to GOOGLEJSON.
    • OAuthJWTCert: The path to the .JSON file on the Matillion ETL server.
    • OAuthJWTCertPassword: Enter notasecret.
    • OAuthJWTCertSubject: Set this to * to pick the first certificate in the certificate store.
    • Profile: The Google Analytics profile or view you want to connect to. This value can be retrieved from the Profiles table. If this is not specified, the first profile returned will be used.

    Note

    • The Profile connection option is specific to Google Analytics. If you're using a different service account, Profile isn't required.
    • If you're using a .p12 file instead of a JSON file, configure the following attributes as shown here:
      • OAuthJWTCertType: Set this to PFXFILE.
      • OAuthJWTCert: The path to the .p12 file on the Matillion ETL server.
      • OAuthJWTCertPassword: The password of the .p12 file.
  5. Configure the remaining parameters of the Google Analytics Query component and then run the job. Matillion ETL will use the connection options to authenticate using the service account instead of the user-based OAuth entry.
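
A pre-flight check for the key file copied in step 1 and for the OAuthJWTIssuer connection option, as an added example that is not part of Matillion's documentation or product code. It assumes the file is a Google service account JSON key and that only the owning Tomcat user should be able to read it, which is stricter than the page requires; `check_key_file`, `constructed_key` and the sample account names are hypothetical.

```python
import json
import os
import re
import stat
import tempfile

# Address format given on this page:
# <SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")

def check_key_file(path, jwt_issuer):
    """Return findings for a service account key file; an empty list means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Assumption: the key needs to be readable by its owner (the Tomcat user) only.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets group/other access the key; use 0400")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return findings + [f"not readable as JSON: {exc}"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return findings + ["not a service account key (type != service_account)"]
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key missing or not PEM")
    email = str(key.get("client_email", ""))
    if not EMAIL_RE.match(email):
        findings.append("client_email is not a service account address")
    if email != jwt_issuer:
        findings.append("OAuthJWTIssuer does not match client_email in the key file")
    return findings

def constructed_key():
    """Constructed sample with the field names of a Google JSON key; no real secret."""
    return {
        "type": "service_account",
        "project_id": "example-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
        "client_email": "etl-reader@example-project.iam.gserviceaccount.com",
    }

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "sa.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(constructed_key(), fh)
    for mode in (0o644, 0o600):
        os.chmod(path, mode)
        print(oct(mode), check_key_file(path, constructed_key()["client_email"]))
```

Run it as the Tomcat user against the real path used for OAuthJWTCert, passing the value you entered for OAuthJWTIssuer.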