How to Set Up Google Cloud for Search Console API Access
When I tried to access Google Search Console API to fetch my website’s search performance data, I got this error:
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials.Please explicitly create credentials and set the GOOGLE_APPLICATION_CREDENTIALS environment variableor run `gcloud auth application-default login` to obtain Application Default Credentials.Environment
- Python 3.11
- google-auth 2.23.0
- google-api-python-client 2.100.0
- macOS 14.0
What happened?
I wanted to programmatically access my website’s search analytics from Google Search Console. I found that Google requires Google Cloud Platform setup before you can use the Search Console API.
Here’s my initial Python code:
from google.oauth2 import service_accountfrom googleapiclient.discovery import build
# I thought this would work directlycredentials = service_account.Credentials.from_service_account_file( 'credentials.json', scopes=['https://www.googleapis.com/auth/webmasters.readonly'])
service = build('searchconsole', 'v1', credentials=credentials)response = service.searchanalytics().query( siteUrl='https://example.com', body={'startDate': '2024-01-01', 'endDate': '2024-01-31'}).execute()But when I ran this, I got the credentials error. I didn’t even have a credentials.json file yet.
How to solve it?
I realized I needed to set up Google Cloud first. Here’s the step-by-step process I followed.
Step 1: Create a Google Cloud Project
I went to Google Cloud Console and clicked the project selector at the top. Then I clicked “New Project”:
Project name: search-console-apiProject ID: search-console-api-12345 (auto-generated)I clicked “Create” and waited about 30 seconds for the project to be created.
Step 2: Enable the Search Console API
Next, I needed to enable the API. I navigated to “APIs & Services” > “Library” in the left sidebar.
I searched for “Search Console API”:
Search: Search Console API
Result: Google Search Console APIDescription: View Google Search Console data for your verified sites.I clicked on the result and then clicked “Enable”. The API took about 10 seconds to enable.
Step 3: Create a Service Account
Now I needed credentials. I went to “IAM & Admin” > “Service Accounts”:
Step 1: Service account name: search-console-sa Service account ID: search-console-sa (auto-generated) Description: Access Search Console API
Step 2: (skipped - no roles needed yet)
Step 3: (skipped - no user access)I clicked “Done” to create the service account.
Step 4: Generate Service Account Credentials
This was the critical step. I clicked on my newly created service account, then went to the “Keys” tab:
Add Key > Create New KeyKey type: JSONI selected JSON format and clicked “Create”. Google downloaded a file named search-console-api-12345-abc123.json:
{ "type": "service_account", "project_id": "search-console-api-12345", "private_key_id": "abc123...", "private_key": "-----BEGIN PRIVATE KEY-----\n...", "client_email": "search-console-sa@search-console-api-12345.iam.gserviceaccount.com", "client_id": "123456789", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/..."}I renamed this to credentials.json and stored it securely in my project directory.
Step 5: Authorize Service Account in Search Console
This is the step I initially missed, which caused a 403 permission error. I went to Google Search Console, selected my property, and navigated to “Settings” > “Users and permissions”.
I clicked “Add user” and pasted the client_email from my JSON file:
Email: search-console-sa@search-console-api-12345.iam.gserviceaccount.comPermissions: Full (recommended for API access)I clicked “Add” and the service account now had access to my Search Console data.
Step 6: Configure Authentication
For local development, I tried using gcloud CLI:
# Install gcloud CLI first (if not installed)# Then authenticateuser@macbook:~$ gcloud auth application-default loginYour browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?...
You are now authenticated with the Google Cloud SDK.But I realized Application Default Credentials don’t work well with service accounts. For production use, I set the environment variable:
user@macbook:~$ export GOOGLE_APPLICATION_CREDENTIALS="/path/to/credentials.json"Now I updated my Python script to use the credentials:
from google.oauth2 import service_accountfrom google.auth.transport.requests import Requestfrom googleapiclient.discovery import build
# Load credentials from filecredentials = service_account.Credentials.from_service_account_file( 'credentials.json', scopes=['https://www.googleapis.com/auth/webmasters.readonly'])
# Refresh credentials if neededcredentials.refresh(Request())
# Build the serviceservice = build('searchconsole', 'v1', credentials=credentials)
# Query search analyticsresponse = service.searchanalytics().query( siteUrl='https://example.com', body={ 'startDate': '2024-01-01', 'endDate': '2024-01-31', 'dimensions': ['query'], 'rowLimit': 100 }).execute()
print(f"Found {len(response.get('rows', []))} queries")When I ran this:
user@macbook:~$ python fetch_search_data.pyFound 87 queriesIt worked! I successfully accessed Search Console data through the API.
The reason
I think the key reason for the initial error was the missing Google Cloud infrastructure:
- Google Search Console API requires Google Cloud authentication infrastructure
- Service accounts provide a secure way to authenticate without user login
- The service account must be explicitly authorized in Search Console (not just Google Cloud)
- Credentials must be properly configured via environment variable or explicit file path
The flow looks like this:
Google Cloud Console │ ├─→ Create Project │ ├─→ Enable Search Console API │ ├─→ Create Service Account │ └─→ Download JSON Credentials │ │Google Search Console │ └─→ Add Service Account Email as User │ │Your Application │ ├─→ Configure Authentication (env var or file) │ └─→ Access Search Console DataCommon Mistakes
I made several mistakes during this setup:
-
Not enabling the API first - I tried to create credentials before enabling the API. Google Cloud won’t let you create proper credentials for disabled APIs.
-
Skipping Search Console authorization - This was my biggest mistake. I thought creating the service account in Google Cloud was enough. But the service account needs explicit permission in Search Console itself.
-
Using Application Default Login for service accounts -
gcloud auth application-default loginis for user authentication, not service accounts. I needed to useGOOGLE_APPLICATION_CREDENTIALSinstead. -
Not protecting credentials.json - I initially added this file to git. Never commit service account credentials. I added it to
.gitignore:
# Google Cloud credentialscredentials.json*.json
# Environment files.envSummary
In this post, I showed how to set up Google Cloud Platform for Search Console API access. The key point is creating a service account in Google Cloud, downloading JSON credentials, and authorizing that service account email directly in Search Console settings. This process is tedious but necessary for programmatic access to search performance data.
Final Words + More Resources
My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me
Here are also the most important links from this article along with some further resources that will help you in this scope:
- 👨💻 Google Cloud SDK Documentation
- 👨💻 Search Console API Quickstart
- 👨💻 Google OAuth 2.0 Scopes
- 👨💻 Reddit Discussion: Google Cloud Setup Friction
Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
Comments