Open in app

Sign in

Write

Sign in

Create a Report Inventory with Looker Studio Pro

Francesco Viganò
Google Cloud - Community
Published in
7 min readJul 28, 2023

INTRODUCTION

Looker Studio Pro enables organizations to retrieve all assets (reports, data sources) through APIs. All assets within an organization are accessible to Looker Studio editors or viewers defined at the organizational level, allowing them to list all available assets and check which users and groups those assets have been shared with.

In this article I will show how to configure a GCP project and the Looker Studio organization to create an inventory of all reports and data sources available both in personal and shared workspaces.

MEET THE LOOKER STUDIO ASSET MANAGER

Let me introduce Lorenzo, a fictitious character that has recently joined the organization. One of his tasks is to identify all reports that have been created over the years.

Lorenzo accesses Looker Studio and since this is the first time he logs in with his brand new credentials

Apparently he has no access to any resource, so to accomplish his mission he needs to do something else!

Lorenzo has learned about Looker Studio Pro features and Looker Studio APIs, so he decides to create a Python application to meet his goals.

BECOME LOOKER STUDIO ASSET EDITOR

Since the company has already activated Looker Studio Pro and linked a GCP project (see documentation), Lorenzo asks the project Owner to be configured as Data Studio Asset Editor in the GCP project.

Now Lorenzo is allowed to View and Edit all assets defined within the Looker Studio Pro organization, no matter where they are stored (see also this page).

Data Studio Asset Editor will allow Lorenzo to also modify report sharing configuration and, if required, move reports to team workspaces.

AUTHENTICATE WITH GOOGLE SDK

To start using the APIs, Lorenzo needs to authenticate using Google SDK. To do so, he follows these instructions to authorize an app and Google admin console to further provide all required authorizations.

NOTE: I provide some detailed instructions with screenshots in the APPENDIX if you need some reference guide. Follow all the instructions!

Please see Google official documentation for more information about OAuth 2.0.

Once the app has been authorized, Lorenzo follows these instructions to create a virtual environment and install Google API Client Python library.

He also imports some libraries:

import os
import requests
import hashlib
from google_auth_oauthlib.flow import Flow
import google.auth.transport.requests
from urllib.parse import unquote
import re
import socket
import sys

and authenticates using the Python SDK:

scopes=["https://www.googleapis.com/auth/datastudio","https://www.googleapis.com/auth/userinfo.profile"]
client_secrets_path="PATH_TO_YOUR_CLIENT_CREDENTIALS"
_SERVER = "studio.vigano.com" # your redirect url without https
_PORT = 80 #http port
_REDIRECT_URI = f"http://{_SERVER}:{_PORT}"
flow = Flow.from_client_secrets_file(client_secrets_path, scopes=scopes)
flow.redirect_uri = _REDIRECT_URI
passthrough_val = hashlib.sha256(os.urandom(1024)).hexdigest()
authorization_url, state = flow.authorization_url(
  access_type="offline",
  state=passthrough_val,
)
print("Paste this URL into your browser: ")
print(authorization_url)
print("\nWaiting for authorization and callback to: {}".format(_REDIRECT_URI))
code = unquote(get_authorization_code(passthrough_val))
flow.fetch_token(code=code)

NOTE:

  • We are using the function get_authorization_code . Function code is available in this public repository. You can copy and adapt to your needs.
    Essentially the function creates a socket to handle the HTTP request containing auth tokens.
    Notice that the _SERVER is the same URL (without http) specified in the allower redirect URLs when we created our credentials (see APPENDIX also to configure the hosts file).
  • The function also calls another function (parse_raw_query_params) defined in the same repository.
  • Your code should access the downloaded json credentials file (see APPENDIX for more information).

Another end to end example is available here.

When Lorenzo executes the code, he obtains a URL that he copies and pastes in a web browser. After authenticating with his credentials, the code collects the token required to interact with Looker Studio APIs.

LIST ALL LOOKER STUDIO ASSETS

With the token, Lorenzo extracts all reports by calling the Assets:search API as follows:

headers={}
headers ["Authorization"] = 'Bearer ' +flow.credentials.token
params = {'assetTypes': ['REPORT'],'pageSize':MAXREPORTS}
r = requests.get('https://datastudio.googleapis.com/v1/assets:search', headers=headers,params=params,)

NOTE:

  • assets:search does not support pagination. Use a MAXREPORTS big enough to extract all your assets
  • if you want to extract data sources, just replace REPORT with DATA_SOURCE (see AssetType). The API accepts a single asset type or it returns an empty result.

For instance Lorenzo can print all extracted assets as follows:

if r.status_code == 200:
  json_response=r.json()
  assets =json_response["assets"]
  for asset in assets :
    print(asset)

NOTE: refer to the asset documentation for a reference of all relevant fields returned by the API for each asset. Notice that the asset identifier is name.

Just adapting the code, Lorenzo extracts all required information with almost no effort.

ALL ASSETS NOW AVAILABLE IN THE UI

Just after listing all assets, Lorenzo now refreshes the Looker Studio portal. All reports are now listed, so he interacts with them, moves reports to proper team workspaces or changes report sharing settings.

EXTRACTING AND MANAGING RIGHTS WITH APIs

The UI is nice, but over the years the organization has created thousands of reports and Lorenzo is required to bring some order, especially avoiding that untrusted reports are widely shared.

First of all, Lorenzo extracts all permissions associated to assets returned by Asset:search with the get method:

asset = #put here how the asset id is initialized
r = requests.get('https://datastudio.googleapis.com/v1/assets/{}/permissions'.format(asset), headers=headers)

If needed, Lorenzo can revoke permissions of a given set of users as follows:

members =['user:ls-user@myorganization.com']
r = requests.post('https://datastudio.googleapis.com/v1/assets/{}/permissions:revokeAllPermissions'.format(asset), headers=headers, data={'members' : members})
r.json()

NOTE: check the Member object to understand how prefixes are used by the API.

Similarly he adds new permissions with the Permissions:addMember method

FINAL COMMENTS

Lorenzo has now gained visibility over all Reports and Data Sources defined within his organization. Using Looker Studio Audit Log Events he can monitor what reports are created, edited or shared, being also able to monitor where reports are stored (personal workspaces, team workspaces).

APPENDIX — CREATE CREDENTIALS and AUTHORIZE APP

In this section we provide some detailed instructions to configure your app.

0. [Optional Step] Create a GCP project

Optional step. You can use any existing GCP project.

1. Activate Looker Studio APIs

After selecting the new project, search for Looker studio APIs (datastudio.googleapis.com) and activate

You should now see that the APIs have been enabled in this project.

2. Create Credentials

Using the link provided by the UI when you enable the APIs, let us now create credentials to interact with them.

Follow the wizard using the same options unless specified otherwise.

Choose the app name and provide email addresses of people in your organization that can be reached if support is needed.

Leave defaults in scopes and continue with the wizard

Let us now define the OAuth Client ID. Notice that I have added http://studio.vigano.com as a redirect URI since in my code I will create a local service to gather credentials generated during the authentication process.

Since in my code I am referring to a local service, we need to map studio.vigano.com to my local computer. To do so, the easiest way is to modify your hosts file (or similar configuration depending on your operative system) adding an entry like

127.0.0.1 studio.vigano.com

Unfortunately the Looker Studio APIs do not allow you to specify localhost (127.0.0.1) as redirect URL nor another IP address.

Once you are familiar with the process, you might consider here a different configuration that best meets your requirements and use cases.

When you select the Create button, your credentials will be created. Copy the Client ID and download your credentials as a json file. You can also close the wizard selecting Done.

3. Authorize App

Go to admin.google.com and find domain-wide delegation (Security > API Controls > Domain-wide Delegation) and click Add new

Let us now add the Client ID copied in the previous step and these two APIs in the OAuth scopes

Remember to authorize the client and you should now able to see your application among authorized apps.

Now you can proceed to create a new authentication token and interact with Looker Studio APIs.

Looker Studio
Data
Google Cloud Platform

--

--

Francesco Viganò
Google Cloud - Community

Written by Francesco Viganò

16 Followers
Writer for

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams