Problem
Admins of customer-hosted instances may be unable to enable actions that support streamed results or that use OAuth if the Looker-hosted Action Hub is not able to communicate with the customer-hosted Looker instance. Users may experience hanging queries when sending or scheduling data to actions that support streamed results and may be unable to configure OAuth actions.
Solution
To use Looker integrations, the Looker Action Hub and the Looker instance must be able to communicate with one another. Admins of customer-hosted instances may consult the recommendations described in the Considerations for customer-hosted instances section of the Sharing data through an action hub documentation for solutions that are appropriate for their instance architecture.
Another reason the OAuth and streaming actions might not be usable on customer-hosted Looker instance is if the instance uses an SSL certificate issued by a Certificate Authority (CA) not on this list.
Actions configured to support streamed results or OAuth are denoted in the list of Looker's integrated services on the Admin Settings - Actions documentation page.
This article describes how to spin up a local action hub server to use Looker actions that support streamed results or that use Google OAuth. You can set up your own local action hub server by creating either a container or a virtual machine (VM) that hosts a cloned copy of the Looker Action Hub repo code and then following these steps, as described in more detail below:
- Create a container or VM setup for the action hub server.
- Make Google OAuth credentials.
- Configure the Google OAuth consent screen.
- Set up your environment variables.
- Generate an API key.
- Start the new action hub.
- Add the new action hub to your Looker instance.
Creating a container or virtual machine setup for the action hub server
Your VM or container should fulfill the following allocation and network requirements and dependencies described below.
Recommended memory allocation
Looker recommends allocating 2 threads of CPU/vCPU and at least 2 GB of memory for this container or VM. If you expect heavy usage of your actions, then we advise increasing memory beyond 2 GB.
Network requirements
Your action hub must have either a static IP address or an address that can be resolved via an internal Domain Name System (DNS).
Required network connections include communication between:
- Looker <–> Action Hub
- Google Auth <–> Action Hub
- Internally connected laptop/computer browser –> Action Hub
- Action Hub –> Google Drive servers
Required dependencies
When cloning the Looker actions repo into your newly created VM or container:
- Ensure that Node 12.13 is installed.
- Run
yarn install
to pull the necessary packages down.
Once you have your environment set up, you will need to create Google OAuth credentials for your action hub server in Google's APIs console.
Configuring Google OAuth credentials
To configure Google OAuth credentials for your actions, you'll need to create OAuth credentials and configure an OAuth consent screen.
Creating the Google OAuth credentials
To make your Google OAuth client ID and client secret:
- Go to the Google APIs console and, from the console dashboard, click CREATE PROJECT:
For more information about creating a project, see the Create a Project developer guide.
- From the console left sidebar, navigate to the Credentials page.
- Click Create Credentials.
- In the drop-down, click OAuth client ID.
- For Application type, select Web application.
- Provide your application name in the Name field.
- In the Restrictions section, set Authorized JavaScript origins to the root Looker application address that you use internally.
- Set the Authorized redirect URIs for Google Drive and Google Sheets APIs:
https://<ACTION_HUB_BASE_URL>/actions/google_sheets/oauth_redirect https://<ACTION_HUB_BASE_URL>/actions/google_drive/oauth_redirect
whereACTION_HUB_BASE_URL
is the address of your Looker instance. - Click the Create button to generate your OAuth client ID and the OAuth client secret. You will need both of these later.
Next, you will need to configure the OAuth consent screen.
Configuring the OAuth consent screen
This page of the Google APIs console allows you to configure a consent screen for all applications in your project, which allows users to grant access to their data as well as gives them a link to any legal or privacy documentation.
To configure the consent screen:
- Click the OAuth consent screen page from the console's left sidebar.
- Enter the name of your application in the Application name field.
- For the Application logo, upload an image file to use on the Oauth consent screen.
- For Support email, enter an email address to display on the Oauth consent screen for user support.
- In the Scopes for Google APIs section, list the types of user data that your application must access. This includes email, profile, OpenID, and
https://mail.google.com
. Because this list includes sensitive user information, Google will need to verify your Oauth consent screen before it can be published. - For the Authorized domains, enter the root domain that your action hub is using.
- Your Application Homepage link should be hosted on the same root domain.
- Enter a link to your application's privacy policy in the Application Privacy Policy link field. The link must be hosted on the same root domain.
- Optionally, enter a link to your application's terms of service in the Application Terms of Service link field. The link must be hosted on the same root domain.
- Click Save. (Do not click Submit for verification until you complete the rest of the steps in this article.)
Once you have configured your OAuth consent screen, you can return to your terminal window to set your environment variables.
Setting your environment variables
In your VM or container environment, set these environment variables:
ACTION_HUB_LABEL=<your action hub label name> ACTION_HUB_SECRET=<some secret> ACTION_HUB_BASE_URL=<your action hub base address> # For example https://actions.company.com # DO NOT INCLUDE A TRAILING SLASH GOOGLE_SHEET_CLIENT_ID=<OAuth client ID> GOOGLE_SHEET_CLIENT_SECRET=<OAuth client secret> GOOGLE_DRIVE_CLIENT_ID=<OAuth client ID> GOOGLE_DRIVE_CLIENT_SECRET=<OAuth client secret>
You should be able to use the same OAuth client ID
and OAuth client secret
for both Google Drive and Google Sheets. It is best to have both sets of Google API tokens set.
Also set the encryption key:
CIPHER_MASTER="<hex aes-256 key>"
This key is NOT used for long-term encryption, and is only used for encrypting state
during an OAuth flow. An example of a hex aes-256 key is:
.C4EFBBE2C364248419776459A00F2F4017CE77E29D9E8F64940687EA440A0CC9
Generating an API key
To get your API key, run:
yarn generate-api-key
Retain this key for later use in the setup. This key is generated based on the ACTION_HUB_SECRET
.
Starting your local action hub server
To start your action hub, run:
yarn start
Adding your action hub to your Looker instance
In Looker, navigate to the Actions page under Platform in the Admin panel and scroll to the bottom of the page. Then:
- Click the Add Action Hub button.
- Enter your
ACTION_HUB_BASE_URL
and click Add Action Hub. Your action hub should appear under a new heading with its name andACTION_HUB_BASE_URL
. Your Google Drive and Google Sheets actions should appear under this heading. - If the connection fails, enter the
api-key
that you generated earlier in the Authorization Token field and click the Refresh link at the top of your action hub heading. - Enable your Google Drive and Google Sheets actions and verify that they are configured correctly in your action hub.
Next step
The next step is to publish the application that you created in the Google API Console. To publish, go to the OAuth consent screen page and click the Submit for verification button. Please note that the application publication process may take some time and require some back and forth with Google.