Instructions for Setting Up Google Cloud API Connections
Prerequisites and Permissions
1. The user must have a Google Account and the account must be associated with an Organization in the Google Cloud Console.
2. To create a project, the user’s Google Account must have the resourcemanager.projects.create permission. This permission is included in the Project Creator roles/resourcemanager.projectCreator role, which is granted by default to the entire domain of a new organization and to free trial users.
3. To grant Project Creator role to a member of an Organization, a user must have the Billing Account Creator IAM role. Users with the Project Creator role are able to create and manage Project resources. To add Project Creators, follow the steps bellow:
3.1 Go to https://console.cloud.google.com/ and login with an account that has a Billing Account Creator IAM role.
3.2 From the left side panel open the menu and go to IAM & Admin -> Manage Resources.
3.3 On the Organization drop-down list, select the checkbox on the left for the Organization resource. If you do not have a Folder resource, the Organization resource will not be visible.
3.4 On the right side Info Panel, under Permissions, enter the email address of the principal you want to add.
3.5 In the Select a role drop-down, select Resource Manager > Project Creator.
3.6 Click Add. A dialog will appear to confirm the addition or update of the principal's new role.
Create a Google Cloud Project
4. Go to https://console.cloud.google.com/, and login with your account.
4.1 Create a new project. You may have to wait a few seconds until the project is created.
4.2 Make sure you have selected the correct project in the global navigation.
Enable the GTM and Google Analytics APIs for your Project
5. From the left side panel open the menu and go to APIs & Services -> Library
5.1 In the search field type in “tag manager”, select the result “Tag Manager API”, and enable it.
5.2 Return to the search field and type “analytics admin”, select the result “Google Analytics Admin API”, and enable it.
Create a Service Account
6. You will have to create a service account that will leverage your API connection. There are two ways to create a service account, described below - starting with step 6.1. or 6.2.
6.1 When redirected to the API Dashboard, select the Create Credentials button in the upper right hand corner. In the next dropdown, click Service Account:
6.1.1 Fill in the Service account name, preferably recognizable as a service account used by Apollo. Service account ID is automatically generated based on the Service account name, and it is used in the service account’s email address. It could be entered manually, but must be unique. Service account description is optional, and could be filled in with information about the purpose of the service account. After inputting all the required information click Create and continue:
6.1.2 Choose the role of Editor or Owner and click Continue:
6.1.3 The last step is optional and can be skipped, either way click Done:
6.2 From the left-side panel go to IAM & Admin -> Service Accounts:
6.2.1 Select Create service account and follow the steps from 6.1.1. To 6.1.4.
Generate a Private Key for Your Service Account
7. Go to the service accounts list from the left-side panel -> IAM & Admin -> Service Accounts.
7.1 For your convenience, copy the service account email, because you will need it later.
7.2 At the appropriate service account row, in the column “Actions”, click the three-dotted menu button, and select Manage keys.
7.3 Click Add Key and select Create new key:
7.4 In the dialog window that will pop out select JSON and click Create:
After that a .json file will be downloaded / ready for download (depends on browser settings).
Important! Do not lose this file, or you will have to create another key! The information in this file is what you will input into Apollo for Apollo to leverage your API connection.
Grant Access to your Service Account
Your service account will not be useful without giving it the correct permissions in your GTM and Google Analytics Accounts.
8. Grant access to GTM. Go to https://tagmanager.google.com/ and login with your account.
8.1.1 Find or create the applicable Tag Manager account.
8.1.2 At the very top of the account information panel click the three-dotted menu button and select User Management:
8.1.3 A dialog window will open and at top-right corner of it click the plus icon and select Add users:
8.1.4 Another dialog window will open, in which you have to fill in the service account email address, select the appropriate permissions and click Invite in the top-right corner:
8.1.5 After that you should be redirected to the User Management menu, where the invited service should already has access to your Tag Manager account:
You do not have to accept the invitation, access will be automatically granted to the service account.
8.2 Grant access to Google Analytics. Go to https://analytics.google.com/ and login with your account.
8.2.1 From the left side panel open the menu and click Admin.
8.2.2 From the Admin page, select the correct account. Next, click Account Access Management under Account Settings and follow steps 8.1.3 to 8.1.5.