How to Use a Google Service Account Key with FME

Matt Meeboer
Matt Meeboer
  • Updated

Introduction

Several Google transformers in FME support service account keys in addition to OAuth2.0 web services for authentication. Examples include the GoogleBigQueryConnector and writer, the GoogleCloudPubSubConnector, and GoogleCloudStorageConnector.

Service account keys let you authenticate as a service account, instead of a token obtained from user credentials in an OAuth2.0 flow. For security reasons, when possible, use an OAuth2.0 web service. Please consult Google’s best practices for managing service account keys.

Please be aware that a service account key file is for a single Google Cloud Project. If using a Service account key to authenticate a connection in FME, you won’t be able to choose the project at the transformer level in FME. The project is part of the service account key file outside of FME.

This article describes how to use a Google service account key in FME using Microsoft Windows as an example.

 

Requirements

  • Permission to create environment variables on the machine where FME is installed.
  • A Google Cloud service account in the Google Cloud project you will be accessing in FME. The Account must be granted the necessary role for the actions you need to complete in FME. See Google’s documentation on roles
  • A .json Google Cloud service account key file for the service account listed above. See Google’s documentation to create a key file.

 

Step-by-Step Instructions

1. Create an Environment Variable

On the Windows machine where FME Form is installed, go to Control Panel > System > Advanced System Settings to display the System Properties. On the Advanced tab, click Environment Variables.

 

Under System variables, click New and add the following environment variable:

  • Variable name: GOOGLE_APPLICATION_CREDENTIALS (see Google’s documentation for more information)
  • Variable value: the path to your service account key .json file

Click OK

 

Confirm that the new environment variable has been created and click OK to close Environment Variables.

 

Repeat this step on every machine with FME Form installed that needs to authenticate with the service account key file.

 

2. Test the Service Account Key in FME Form

Open FME Form, or close and reopen if it is already open, and create a new test workspace. Add a Google transformer that supports the service account key file. If the transformer does not have a credential source parameter, it does not currently support service account keys and you will need to authenticate with an OAuth2.0 web connection. In the transformer’s parameters, choose Service Account Key File as the Credential Source. 

For example, below is a GoogleBigQueryConnector using a service account key file.

 

Run the test workspace. FME Form will use the service account key file to authenticate and the workspace should complete successfully. 

 

3. Configure FME Flow (Optional)

If you wish to publish and run the workspace on FME Flow, a GOOGLE_APPLICATION_CREDENTIALS environment variable will need to be created on the FME Flow engine host.

Log on to the FME Flow engine host server, choose a location for the service account key file, and create the environment variable as shown in Step 1. 

 

Troubleshooting

“Failed to authenticate: 'Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application.’”

Confirm that the machine where you are trying to run the workflow has the GOOGLE_APPLICATION_CREDENTIALS environment variable created as per step 1.

Close and reopen FME Form after adding the environment variable.

 

“Failed to authenticate: 'invalid_grant: Invalid JWT Signature.”

The service account key file was found, but couldn’t be used to authenticate. Check:

  • Is the service account key file for a different Google Cloud project than the one you are trying to access in FME?
  • Does the service account key still exist on the Service Account in Google Cloud?
  • Did the service account key expire in Google Cloud?
  • Was the service account key file modified? Try creating a new service account key and generating a new file.

 

Additional Resources

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.