Skip to main content
Docs
Feature Requests Onboarding Trust Center Status Page

Community

Connector Improvement: Google Ads connector should support authentication via google service account

Answered
Ivan VenOsdel User

Currently there are only one of two ways to authenticate the google_ads connector:

  1. Authenticate with a fivetran administrator's google account: This not only requires giving otherwise unnecessary permissions to our Fivetran administrators but also exposes us to the risk of the connection breaking when that employee leaves the company.
  2. Create a dummy google account to authenticate with: This costs us extra money as it takes up a seat within our google cloud account. It's also not the most secure and difficult to manage.

We would greatly prefer to authenticate the google_ads connector using a Cloud Service Account (IAM), which authenticates programmatically using a JSON key file (JWT) and does not have a password or require a browser-based login.

Unfortunately that is not supported by the Fivetran google_ads connector even though your other google connectors do support it. This method is critical for our security and stability because:

  1. Stability: It creates a robust server-to-server connection that is immune to employee turnover or refresh token expiries caused by password resets.

  2. Best Practice: Google explicitly recommends Service Accounts for automated server-to-server interactions.

  3. Consistency: Fivetran already supports this exact CUSTOM_SERVICE_ACCOUNT authentication method for other connectors, such as Google Sheets and Google Cloud Storage.

We would strongly prefer to use this native, secure method rather than maintaining a dummy user account or, worse, authenticating with a fivetran adminstrator account. Thank you.

Please sign in to leave a comment.

Comments

2 comments

Date Votes
  • Official comment
    Lucas Alexander Fivetranner

    Hi Ivan,

    Thank you for submitting this feature request and providing all of this context/detail. Your input helps us improve the product.

    We're actively developing a feature to support service account-based authentication on our Google Ads connector (and other Google connectors). However, we are focused on implementing it as we did for the Google Sheets connector.

    When this authentication method is selected in the setup form, Fivetran will generate a service account email. The email will follow the pattern g-[group_id]@fivetran-production.iam.gserviceaccount.com, where [group_id] is the connection's group ID. The user will need to add that service account email to their Google Ads account to grant access. This is slightly different than the method you described, where the user provides a JWT. But it is the same method we support og Google Sheets.

    Would that address your use case?

    Thanks,
    Luke

  • Ivan VenOsdel User

    Thank you Lucas. Yes, I think that should work in theory.