Connecting Looker (Google Cloud core) to your database
Once your Looker (Google Cloud core) instance has been provisioned, it is listed on the Instances page of your Google Cloud project. Click the instance URL to access and authenticate to the instance.
Note: If you are setting up a private connections instance, you will also need to complete the steps that are listed on the Create a private connections (private services access) Looker (Google Cloud core) instance documentation page to complete your instance configuration.
Once you have logged in to your Looker (Google Cloud core) instance, you can set up a database connection to your Looker (Google Cloud core) instance.
Set up a database connection
Looker (Google Cloud core) must be connected to a database to enable data exploration. See the list of supported dialects to learn which dialects are supported by Looker (Google Cloud core).
You can create a database connection within a Looker (Google Cloud core) instance if you have one of the following permissions:
Note: Looker (Google Cloud core) instances can use BigQuery Quickstart Connection to streamline the connection process to an existing BigQuery project.
You can follow the Set up Looker guide that appears dynamically within the Looker (Google Cloud core) instance to connect your database, or you can follow the steps that are listed on the dialect-specific documentation pages. The majority of the settings are common to most database dialects. See the Connecting Looker to your database documentation page for information about common fields in the Looker connection setup window.
There are additional steps if you want to set up your Looker (Google Cloud core) connection with any of the following options:
Private connections: If your Looker (Google Cloud core) instance uses private connections, you must configure Private Service Connect or private services access (depending on which connection type the instance uses) to connect it to any of the following types of databases:
- A database in a different network within Google Cloud
- A database that is hosted by another cloud service provider
- An on-premises database
To set up a private connection to databases that are hosted by other cloud service providers, ensure that your Google Cloud project is configured to route traffic to those cloud service providers to allow for data exchange. Learn more about connecting cloud environments on the Patterns for connecting other cloud service providers with Google Cloud documentation page.
Authenticate with Application Default Credentials for BigQuery and Cloud SQL databases: Looker (Google Cloud core) instances can use Application Default Credentials (ADC) to authenticate to your database, as described in the following sections:
Authenticate to a BigQuery database using OAuth: For BigQuery connections, Looker (Google Cloud core) can use the OAuth application credentials that your Looker admin used when they created the Looker (Google Cloud core) instance. See the Configuring OAuth authentication with BigQuery section of this page for more information.
Using Application Default Credentials to connect to a BigQuery database
Looker (Google Cloud core) instances can use Application Default Credentials (ADC) to authenticate when you're setting up a connection to a BigQuery Standard SQL database. When you use ADC, the connection will authenticate to the database by using the credentials of the Looker (Google Cloud core) project's service account.
To use ADC with a BigQuery database, select Application Default Credentials in the Authentication field of the Connection Settings page of the Looker instance. For the full procedure, see the documentation for connecting Looker to a BigQuery database.
If your Looker (Google Cloud core) instance uses persistent derived tables with a BigQuery dataset, you must also grant the Looker service account the BigQuery Data Editor Identity and Access Management (IAM) role.
If you're connecting to a BigQuery database that is in a different project from your Looker (Google Cloud core) instance, some additional setup is required. See the Using Application Default Credentials with a BigQuery database in a different Google Cloud project section.
Service account impersonation
If you want to authenticate to the BigQuery database by using a service account other than the Looker (Google Cloud core) project's service account, you can create a delegated request flow by entering another service account, or a comma-separated chain of service accounts, into the Impersonated Service Account field. The Looker (Google Cloud core) service account is automatically used as the first service account in the chain and does not need to be added to the field. The last service account in the chain (also known as the impersonated service account) is the one that authenticates with the database.
When using service account impersonation, do the following:
- Enable the Service Consumer Management API.
- Make sure that all service accounts in the chain, including the Looker (Google Cloud core) project's service account, have the appropriate IAM permissions.
- Make sure that the impersonated service account has the BigQuery Job User role and the BigQuery Data Viewer role. If you need to inspect service states and operations, or use quota and billing from a consumer project, the Service Usage Consumer role is also required.
- If you have enabled persistent derived tables (PDTs) for your connection, you must also enter the impersonated service account's email address in the Service Account Email Address field within the PDT Overrides section. This ensures that the PDT processes use the impersonated service account. See the Enable PDT Overrides section on the Connecting Looker to your database documentation page for more information.
Using Application Default Credentials with a BigQuery database in a different Google Cloud project
The steps for using ADC for a BigQuery Standard SQL database that is outside the project that houses your Looker (Google Cloud core) instance are the same as those for setting up a connection inside the same project. However, before you can set up the connection in your Looker (Google Cloud core) instance, your Looker (Google Cloud core) project's service account must have the following IAM roles:
- BigQuery Data Viewer role for the project that contains the BigQuery dataset.
- BigQuery Job User role and the Service Usage Consumer role on the billing project that's listed on the Connection Settings page.
- If your Looker (Google Cloud core) instance uses persistent derived tables with a BigQuery dataset, the service account must also have the BigQuery Data Editor role for the project that contains the BigQuery dataset.
If the Looker (Google Cloud core) service account doesn't already have IAM roles in the project that contains the BigQuery dataset, use the service account's email address when you grant roles in that project. To find the service account's email address, go to the IAM page in the Google Cloud console and select the Include Google-provided role grants checkbox. The email will have the format service-<project number>@gcp-sa-looker.iam.gserviceaccount.com. Use that email to grant the proper roles to the service account.
Once the proper roles are granted, follow the steps to use ADC.
You can now use ADC with this BigQuery Standard SQL database. The project attached to the service account that is specified in the Connection Settings page will be used for billing and also act as the default project.
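The role requirements listed in this section can be checked before the connection is created. The following is an added example, not code from the Looker documentation: it audits two project IAM policies, assumed to be exported as JSON in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, for the roles this section lists and flags broader grants. The policy contents are constructed, and the `BROAD` list is this example's own choice.

```python
# Role IDs for the roles this section names.
REQUIRED = {
    "dataset": {"roles/bigquery.dataViewer"},
    "billing": {"roles/bigquery.jobUser",
                "roles/serviceusage.serviceUsageConsumer"},
}
# Extra requirement when persistent derived tables are used.
PDT_EXTRA = {"dataset": {"roles/bigquery.dataEditor"}}
# Assumption of this example: grants treated as broader than needed.
BROAD = {"roles/owner", "roles/editor", "roles/bigquery.admin"}


def roles_for(policy, member):
    """Roles bound directly to `member` in a project-level IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(looker_sa, dataset_policy, billing_policy, uses_pdts=False):
    """Return (project, finding, role) tuples for the Looker service account.

    Only literal project-level bindings are compared; group membership,
    dataset-level grants and IAM conditions are not evaluated.
    """
    member = f"serviceAccount:{looker_sa}"
    findings = []
    for scope, policy in (("dataset", dataset_policy),
                          ("billing", billing_policy)):
        need = set(REQUIRED[scope])
        if uses_pdts:
            need |= PDT_EXTRA.get(scope, set())
        have = roles_for(policy, member)
        findings += [(scope, "missing", r) for r in sorted(need - have)]
        findings += [(scope, "overbroad", r) for r in sorted(have & BROAD)]
    return findings


# Constructed sample policies; the project number is the page's example value.
SA = "service-12345678901@gcp-sa-looker.iam.gserviceaccount.com"
DATASET_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataViewer", "members": [f"serviceAccount:{SA}"]},
]}
BILLING_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
]}

if __name__ == "__main__":
    for finding in audit(SA, DATASET_POLICY, BILLING_POLICY, uses_pdts=True):
        print(finding)
```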
Using Application Default Credentials to connect to a Cloud SQL database
Looker (Google Cloud core) instances can use ADC to authenticate a connection to a Cloud SQL database (either Cloud SQL for PostgreSQL or Cloud SQL for MySQL). When you use ADC to authenticate to your Cloud SQL database, the Google Cloud project where the Cloud SQL database is running is the project that is billed for Looker queries.
For Looker connections to Cloud SQL that use ADC, ADC impersonates a service account or a chain of service accounts to access your database. When you create the Looker connection to your database, you use the IAM database username(s) field to specify the service account, or the chain of service accounts, that ADC will impersonate. The Looker service account that was created automatically when you created the Looker (Google Cloud core) instance is automatically used as the first service account in the chain and does not need to be added to the field.
If you want to authenticate to your Cloud SQL database by using a service account other than the Looker service account, you can create a delegated request flow by entering another service account, or a comma-separated chain of service accounts, into the IAM database username(s) field.
The last service account in the chain (also known as the impersonated service account) is the one that authenticates with the database, and this account must be added as a user on your Cloud SQL database. If you are using the Looker service account as the last service account in the chain (by leaving the IAM database username(s) field blank), you must add the Looker service account as a user on your Cloud SQL database.
The following are the general steps for connecting a Cloud SQL for PostgreSQL or Cloud SQL for MySQL database to Looker using ADC:
- Add the impersonated service account to your Cloud SQL database.
- Set up service account impersonation on your Cloud SQL database.
- Connect to your database to run additional configuration commands for Cloud SQL for PostgreSQL or Cloud SQL for MySQL.
- Create the Looker connection to your database.
Add the impersonated service account to your Cloud SQL database
When you create the Looker connection to your database, you use the IAM database username(s) field to specify the service account, or the chain of service accounts, that ADC will impersonate to perform actions on your database. The last service account in the impersonation chain is considered the impersonated service account.
To use ADC with Cloud SQL, you must add the impersonated service account to your Cloud SQL database:
- In the default case, if you leave the IAM database username(s) field blank, ADC will impersonate the Looker service account. In this case, the Looker service account is the impersonated service account, so you need to add the Looker service account to your Cloud SQL database. See the Create a Looker (Google Cloud core) instance documentation page for information about the Looker service account and for the procedure for viewing the Looker service account email address.
- If you specify a service account other than the Looker service account, or if you specify a chain of service accounts in the IAM database username(s) field, you must add the last service account in the impersonation chain to your Cloud SQL database.
To add a service account to your Cloud SQL database, you must have the Cloud SQL Admin IAM role.
Follow the "Add an IAM user or service account to your database instance" procedure for your database dialect to add the impersonated service account to your Cloud SQL database:
Set up service account impersonation on your Cloud SQL database
Once you have created the Cloud SQL user on your database, you must set up your Cloud SQL database for service impersonation by performing the following steps:
- Follow the procedure to enable the Cloud SQL Admin API.
- Make sure that all service accounts in the chain, including the Looker service account, have the appropriate IAM permissions.
Follow the procedure for granting a single role in the Google Cloud console. Grant the following Cloud SQL roles to the impersonated service account that you added to your Cloud SQL database:
If you specify a service account other than the Looker service account, or if you specify a chain of service accounts in the IAM database username(s) field, grant every service account in the chain the following permission:
Additional configuration commands for Cloud SQL for MySQL
For Cloud SQL for MySQL, you must connect to your database instance and run the following command on the Cloud SQL for MySQL database:
GRANT ALL on `DATABASE_NAME`.* to 'DATABASE_USER'@'%';
Replace the following:
- DATABASE_NAME: The name of your database. The backticks are required when the name contains a hyphen.
- DATABASE_USER: The truncated service account username for the impersonated service account that you added to your Cloud SQL database. The service account will have the format service-<project number>@gcp-sa-looker.iam.gserviceaccount.com. Truncate the username by removing the @ and everything that follows. After truncating, the username would look like service-<project number>.
For example, if the service account username is service-12345678901@gcp-sa-looker.iam.gserviceaccount.com and the database name is looker-test, the command would be as follows:
GRANT ALL on `looker-test`.* to 'service-12345678901'@'%';
Additional configuration commands for Cloud SQL for PostgreSQL
For Cloud SQL for PostgreSQL, you must connect to your database instance and run some configuration commands on the Cloud SQL for PostgreSQL database:
- Grant the user permissions on your database as described in the Users and security section of the PostgreSQL documentation page.
- Set the search path for the Looker SQL Runner to use to retrieve metadata from your database, as described in the Setting the search_path section of the Looker documentation PostgreSQL page.
Create the connection from Looker (Google Cloud core) to your Cloud SQL database
To create the connection from Looker to your database, follow these steps:
- In the Admin section of Looker, select Connections, and then click Add Connection.
- From the Dialect drop-down menu, select Google Cloud PostgreSQL or, for Cloud SQL for MySQL, select Google Cloud SQL.
- In the Authentication section, click the Application Default Credentials option.
In the IAM database username(s) field, specify the service account, or the chain of service accounts, that you want ADC to impersonate to perform actions on your database:
- If you want Looker to authenticate to the Cloud SQL database by using the Looker (Google Cloud core) project's service account, leave this field blank.
- If you want Looker to authenticate to the Cloud SQL database by using a service account other than the Looker (Google Cloud core) project's service account, you can create a delegated request flow by entering another service account, or a comma-separated chain of service accounts.
Fill out the rest of the connection details. The majority of the settings are common to most database dialects. See the Connecting Looker to your database documentation page for information.
To verify that the connection is successful, click Test. See the Testing database connectivity documentation page for troubleshooting information.
To save these settings, click Connect.
Once a database connection is set up, you are ready to set up a LookML project.
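The chain rules for the IAM database username(s) field and the username truncation for Cloud SQL for MySQL, described in the sections above, can be combined into one pre-flight check. The following is an added example, not code from the Looker documentation: it resolves the effective chain, identifies the account that must exist as a database user, and builds the GRANT statement with both values allow-listed. The email pattern, the rejection of repeated accounts and the two chained account names are assumptions of this example.

```python
import re

# Looker service account format, as given on this page.
LOOKER_SA = "service-{num}@gcp-sa-looker.iam.gserviceaccount.com"
# Assumption of this example: a conservative service account email pattern.
SA_EMAIL = re.compile(r"[a-z0-9-]+@[a-z0-9.-]+\.gserviceaccount\.com")


def resolve_chain(project_number, iam_usernames_field=""):
    """Return the full impersonation chain, Looker service account first."""
    if not re.fullmatch(r"\d+", project_number):
        raise ValueError("project number must be numeric")
    chain = [LOOKER_SA.format(num=project_number)]
    for entry in iam_usernames_field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if not SA_EMAIL.fullmatch(entry):
            raise ValueError(f"not a service account email: {entry!r}")
        if entry in chain:
            # The Looker account is implicit; a repeat points to a typo.
            raise ValueError(f"account listed twice: {entry}")
        chain.append(entry)
    return chain


def mysql_grant(database, sa_email):
    """Build the Cloud SQL for MySQL GRANT for the impersonated account."""
    user = sa_email.split("@", 1)[0]  # truncate at '@', per the page
    # Allow-list both values so nothing can escape the quoting below.
    if not re.fullmatch(r"[A-Za-z0-9_$-]+", database):
        raise ValueError(f"unsafe database name: {database!r}")
    if not re.fullmatch(r"[a-z0-9-]+", user):
        raise ValueError(f"unsafe user name: {user!r}")
    return f"GRANT ALL ON `{database}`.* TO '{user}'@'%';"


def plan(project_number, database, iam_usernames_field=""):
    """Summarize which account must exist as a database user."""
    chain = resolve_chain(project_number, iam_usernames_field)
    return {
        "chain": chain,
        "impersonated": chain[-1],
        "grant": mysql_grant(database, chain[-1]),
    }


if __name__ == "__main__":
    # Constructed input: project number and database name are the page's
    # example values; the two chained accounts are hypothetical.
    field = ("etl@proj-a.iam.gserviceaccount.com, "
             "bi-reader@proj-b.iam.gserviceaccount.com")
    for key, value in plan("12345678901", "looker-test", field).items():
        print(f"{key}: {value}")
```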
Configuring OAuth authentication with BigQuery
To configure OAuth authentication for connections to a BigQuery database on a Looker (Google Cloud core) instance, follow these steps:
- Under Authentication, select OAuth. Looker (Google Cloud core) defaults to using the OAuth application credentials that your Looker admin used when they created the Looker (Google Cloud core) instance. You don't need to manually create or enter a client ID and secret.
- Add an additional redirect URI to the Authorized redirect URIs field in the instance's OAuth client (or create a new OAuth client with the credentials and add a redirect URI). The redirect URI must use the Looker instance's URL followed by /external_oauth/redirect. For background information, see the generating OAuth credentials for BigQuery documentation.
If you want to manually enter different OAuth credentials for this connection, enable the Manually configure OAuth credentials toggle, and then fill out the OAuth Client ID and OAuth Client Secret fields. If you manually enter OAuth credentials, that won't change or update the credentials that were used when the Looker (Google Cloud core) instance was created. Follow the steps in the Configuring a BigQuery database project for OAuth documentation to create and use different credentials.
Supported dialects for Looker (Google Cloud core)
The following table shows the Looker (Google Cloud core) support for database dialects:
| Dialect | Supported? |
|---|---|
| Actian Avalanche | |
| Amazon Athena | |
| Amazon Aurora MySQL | |
| Amazon Redshift | |
| Amazon Redshift 2.1+ | |
| Amazon Redshift Serverless 2.1+ | |
| Apache Druid | |
| Apache Druid 0.13+ | |
| Apache Druid 0.18+ | |
| Apache Hive 2.3+ | |
| Apache Hive 3.1.2+ | |
| Apache Spark 3+ | |
| ClickHouse | |
| Cloudera Impala 3.1+ | |
| Cloudera Impala 3.1+ with Native Driver | |
| Cloudera Impala with Native Driver | |
| DataVirtuality | |
| Databricks | |
| Denodo 7 | |
| Denodo 8 & 9 | |
| Dremio | |
| Dremio 11+ | |
| Exasol | |
| Google BigQuery Legacy SQL | |
| Google BigQuery Standard SQL | |
| Google Cloud AlloyDB for PostgreSQL | |
| Google Cloud PostgreSQL | |
| Google Cloud SQL | |
| Google Spanner | |
| Greenplum | |
| HyperSQL | |
| IBM Netezza | |
| MariaDB | |
| Microsoft Azure PostgreSQL | |
| Microsoft Azure SQL Database | |
| Microsoft Azure Synapse Analytics | |
| Microsoft SQL Server 2008+ | |
| Microsoft SQL Server 2012+ | |
| Microsoft SQL Server 2016 | |
| Microsoft SQL Server 2017+ | |
| MongoBI | |
| MySQL | |
| MySQL 8.0.12+ | |
| Oracle | |
| Oracle ADWC | |
| PostgreSQL 9.5+ | |
| PostgreSQL pre-9.5 | |
| PrestoDB | |
| PrestoSQL | |
| SAP HANA | |
| SAP HANA 2+ | |
| SingleStore | |
| SingleStore 7+ | |
| Snowflake | |
| Teradata | |
| Trino | |
| Vector | |
| Vertica | |
Database configuration instructions
Instructions are available for these SQL dialects:
Note: The following links navigate to the instructions for Looker (original) database connections, but they apply to Looker (Google Cloud core) as well.
What's next
- Configure a Looker (Google Cloud core) instance
- Manage users within Looker (Google Cloud core)
- Administer a Looker (Google Cloud core) instance from the Google Cloud console
- Looker (Google Cloud core) admin settings
- Use the sample LookML project on a Looker (Google Cloud core) instance
Last updated 2026-02-19 UTC.