Admins of customer-hosted instances may be unable to enable actions that support streamed results or that use OAuth if the Looker-hosted Action Hub is not able to communicate with the customer-hosted Looker instance. Users may experience hanging queries when sending or scheduling data to actions that support streamed results and may be unable to configure OAuth actions.
To use Looker integrations, the Looker Action Hub must be able to communicate with the Looker instance and fulfill these requirements.
To address this potential issue, Looker admins can implement one of these solutions:
- Whitelist the egress IP addresses for the Looker Action Hub:
126.96.36.199. These are the static IP addresses from which the Looker Action Hub makes requests to the Looker instance.
- Deploy a customer-hosted action hub specifically for these actions, as described below.
- Ensure that the JAR file is hosted on a public server so that the Looker Action Hub can communicate with it. This is not usually an ideal solution.
Another reason the OAuth and streaming actions might not be useable on customer-hosted Looker instance is if the instance uses an SSL certificate issued by a Certificate Authority (CA) not on this list.
Actions configured to support streamed results or OAuth are denoted in the list of Looker's integrated services on the Admin Settings - Actions documentation page.
This article describes how to spin up a local action hub server to use Looker actions that support streamed results or that use Google OAuth. You can set up your own local action hub server by creating either a container or a Virtual Machine (VM) that hosts a cloned copy of the Looker Action Hub repo code and then following these steps, as described in more detail below:
- Create a container or virtual machine (VM) setup for the action hub server.
- Make Google OAuth credentials.
- Configure the Google OAuth consent screen.
- Set up your environment variables.
- Generate an API key.
- Start the new action hub.
- Add the new action hub to your Looker instance.
Creating a Container or Virtual Machine Setup for the Action Hub Server
Your VM or container should fulfill the following allocation and network requirements and dependencies described below.
Recommended Memory Allocation
Looker recommends allocating 2 threads of CPU/vCPU and at least 2 GB of memory for this container or VM. If you expect heavy usage of your actions, then we advise increasing memory beyond 2 GB.
Your action hub must have either a static IP address or an address that can be resolved via an internal Domain Name System (DNS).
Network connections required include communication between:
- Looker <–> Action Hub
- Google Auth <–> Action Hub
- Internally connected laptop/computer browser –> Action Hub
- Action Hub –> Google Drive servers
When cloning the Looker actions repo into your newly created VM or container:
- Ensure Node 12.13 is installed.
yarn installto pull the necessary packages down.
Once you have your environment set up, you will need to create Google OAuth credentials for your action hub server in Google's APIs console.
Configuring Google OAuth Credentials
To configure Google OAuth credentials for your actions, you'll need to create OAuth credentials and configure an OAuth consent screen.
Creating the Google OAuth Credentials
To make your Google OAuth client ID and client secret:
- Go to the Google APIs console and, from the console dashboard, click CREATE PROJECT:
For more information about creating a project, see the Create a Project developer guide.
- From the console left sidebar, navigate to the Credentials page.
- Click Create Credentials.
- In the drop-down, click OAuth client ID.
- For Application type, select Web application.
- Provide your application name in the Name field.
- Set the Authorized redirect URIs for Google Drive and Google Sheets APIs:
ACTION_HUB_BASE_URLis the address of your Looker instance.
- Click the Create button to generate your OAuth client ID and the OAuth client secret. You will need both of these later.
Next, you will need to configure the OAuth consent screen.
Configuring the OAuth Consent Screen
This page of the Google APIs console allows you to configure a consent screen for all applications in your project, which allows users to grant access to their data as well as gives them a link to any legal or privacy documentation.
To configure the consent screen:
- Click the OAuth consent screen page from the console's left sidebar.
- Enter the name of your application in the Application name field.
- For the Application logo, upload an image file to use on the Oauth consent screen.
- For Support email, enter an email address to display on the Oauth consent screen for user support.
- In the Scopes for Google APIs section, list the types of user data that your application must access. This includes email, profile, OpenID, and
https://mail.google.com. Because this list includes sensitive user information, Google will need to verify your Oauth consent screen before it can be published.
- For the Authorized domains, enter the root domain that your action hub is using.
- Your Application Homepage link should be hosted on the same root domain.
- Optionally, enter a link to your application's terms of service in the Application Terms of Service link field. The link must be hosted on the same root domain.
- Click Save. (Do not click Submit for verification until you complete the rest of the steps in this article.)
Once you have configured your OAuth consent screen, you can return to your terminal window to set your environment variables.
Setting Your Environment Variables
In your VM or container environment, set these environment variables:
ACTION_HUB_LABEL=<your action hub label name> ACTION_HUB_SECRET=<some secret> ACTION_HUB_BASE_URL=<your action hub base address> # For example https://actions.company.com # DO NOT INCLUDE A TRAILING SLASH GOOGLE_SHEET_CLIENT_ID=<OAuth client ID> GOOGLE_SHEET_CLIENT_SECRET=<OAuth client secret> GOOGLE_DRIVE_CLIENT_ID=<OAuth client ID> GOOGLE_DRIVE_CLIENT_SECRET=<OAuth client secret>
You should be able to use the same
OAuth client ID and
OAuth client secret for both Google Drive and Google Sheets. It is best to have both sets of Google API tokens set.
Also the set the encryption key:
CIPHER_MASTER="<hex aes-256 key>"
This key is NOT used for long-term encryption, and is only used for encrypting
state during an OAuth flow. An example of a hex aes-256 key is:
Generating an API Key
To get your API key, run:
Retain this key for later use in the setup. This key is generated based on the
Starting Your Local Action Hub Server
To start your action hub, run:
Adding Your Action Hub to Your Looker Instance
In Looker, navigate to the Actions page under Platform in the Admin panel and scroll to the bottom of the page. Then:
- Click the Add Action Hub button.
- Enter your
ACTION_HUB_BASE_URLand click Add Action Hub. Your action hub should appear under a new heading with its name and
ACTION_HUB_BASE_URL. Your Google Drive and Google Sheets actions should appear under this heading.
- If the connection fails, enter the
api-keythat you generated earlier in the Authorization Token field and click the Refresh link at the top of your action hub heading.
- Enable your Google Drive and Google Sheets actions and verify that they are configured correctly in your action hub.
The next step is to publish the application that you created in the Google API Console. To publish, go to the OAuth consent screen page and click the Submit for verification button. Please note that the application publication process may take some time and require some back and forth with Google.