Enhancing Security and Automation with Service Accounts in Looker

As Looker continues to evolve, we wanted to share upcoming changes to how API credentials and automated workflows are managed. These updates are designed to expand our security capabilities, improve the auditability of your instance, and further align Looker’s authentication model with industry standards.

Starting in January 2026 with Looker version 26.0, we are introducing Service Accounts for Looker (original). This new functionality will separate human users from machine users, providing a secure, dedicated identity for applications. This new service account user type will become the standard for all API-based integrations and automated workflows.

Note: Service Accounts are already available and remain the standard for Looker Core on Google Cloud instances.

The Roadmap: What to Expect

Today, customers may be using API keys attached to “dummy” users, or artificial users with no true login or password. As part of this launch, customers should plan to migrate these “dummy users” to Service Accounts. To provide ample time for migration and testing, we are rolling out these changes in two phases.

Phase 1: Launch of Service Accounts (January 2026 in Looker version 26.0)

• New Feature: Admins can now create Service Accounts in the Users panel.

• Migration Tools: We are introducing features to help you identify potential “dummy users” (e.g., users with no IDP login or password) and easily migrate them to Service Accounts.

• Action Required: Begin auditing your user list and migrating any API-only workflows to the new Service Accounts.

Phase 2: Security Enforcement & Deprecation (April 20, 2026)

• Deprecation: 90 days after the launch of Service Accounts, Admins will no longer be able to manage API credentials for standard users.

  • Admins will only manage credentials for Service Accounts.

  • Standard users will be solely responsible for creating, viewing, and deleting their own API credentials.

• Goal: This ensures that a human user’s credentials are known only to that user, eliminating the risk of undetectable or traceable Admin impersonation.

Best Practices for the Transition

To ensure a smooth transition and avoid disruptions, we recommend adopting the following best practices immediately:

• Audit and Migrate Early: Do not wait. Use the new identification tools in the Admin panel to find users that look like service accounts (e.g., names like “Looker Bot” or “Embed User”). Migrate these to official Service Accounts during Phase 1.

Note: Migration is not reversible for that specific user entity, so ensure the account is indeed a machine user before converting.

• Adopt a “Least Privilege” Model: Service Accounts are the perfect opportunity to tighten security. Since these accounts are often used for specific tasks (like rendering a dashboard for an embed), ensure they are granted only the permissions required for that specific task, rather than blanket Admin privileges.

Next Steps

The ability to create Service Accounts will appear in your instance in January 2026 as part of the 26.0 release. We encourage all administrators to start moving their API automations to this new, more secure standard as soon as possible.

By migrating to Service Accounts, you aren’t just “keeping the lights on”—you are actively securing your data ecosystem and ensuring that every action in Looker is properly authenticated and attributable.

Thanks very much for this update Tarunima!

Would you be able to provide any link to documentation on this new account type please?
We currently have thousands of Embed User accounts with a few dozen Standard User accounts. I was due to create new Standard User accounts with API credentials, as Embed Users are not currently supported by Looker Conversational Analytics API.

Can this new Service Account type support Looker CA API while also maintaining the unique property attributes of a user such as Business ID (a User Setting) please?

Hey @Tarunima , thanks for the news!

In our API use cases, what would really help too is the ability to provide User Attributes dynamically when using Run Inline Query for instance. In a multi-tenant setup, we currently need to use workarounds to provide the expected tenant context, while it could be achieved directly using a User Attributes in the API call.

If you have any insights on how to achieve it properly using API or planned changes around this please let me know!

Hi @cormac_dullagha
Please find the link to the documentation here.
If these are non-physical users, intended to use the Looker Application only via API’s, we would recommend to create these as Service accounts rather than API users. Service Account type will be supported by the Looker CA API and also have user attribute pairing which can be setup based on your business context.

@NicoG07 Thank you for this feedback.

Currently, Looker enforces a Stateful Security Model. For governance and Row-Level Security integrity, User Attributes are bound to the Session (Access Token) rather than the Transaction (Query). This ensures that a query cannot inadvertently override security policies defined for the user context.

While we do not have immediate plans to allow attribute injection directly in the query body, the standard pattern to achieve this multi-tenant isolation without creating permanent users is the ‘Just-in-Time’ Token Flow:

1. Auth Step: Use your Service Account to request a user-specific session (login_user), injecting the required User Attributes (e.g., tenant_id) at this stage.

2. Query Step: Use the resulting Access Token to execute run_inline_query.

@Tarunima Thank you for the reply!

Can you please elaborate on the “injecting the required User Attributes” part using login_user ? As it seems, this currently only accepts user_id in the request, which needs to be an Embed User.

This currently forces us to have an Embed User for each tenant and get the associated ID each time, while we could, as you suggested, simply get a session using a login route (using the Service Account client_id/client_secret) and provide the expected context using User Attributes.

Looking forward to hearing back from you!

@Tarunima did you have any time to check my question regarding this specific step ? This is currently the blocker for us to have a proper way to handle our multi-tenancy use case with Looker Service Accounts and it would be awesome if we can have guidance on how this can be properly achieved using Looker’s API.

Thank you very much!

@NicoG07 Apologies for missing this earlier.
You are absolutely right—I should clarify the login_user flow. The login_user endpoint is designed for impersonating an existing user and does not support dynamic attribute injection in the request body.
For your multi-tenant API use case, where you want to provide context (like tenant_id) dynamically without manually managing thousands of individual Looker users, the recommended architectural pattern is the Signed Embed (SSO) Authentication flow, used purely as an Auth mechanism. You can refer to the documentation here: Signed embedding  |  Looker  |  Google Cloud Documentation.

@Tarunima Thanks for the reply!

Unfortunately, the link you provided ( Signed embedding  |  Looker  |  Google Cloud Documentation ) refers to iFrame embedding but won’t allow using an API endpoint like Run Inline Query.

What we would like to have as an ideal setup:

• An unique Looker Service Account user, which client_id and client_secret are known to another service
• A way that the service can run API calls to query Looker data (using Run Inline Query) for instance, but providing specific User Attributes that identify the tenant expected for the service.

Currently, we are forced to create Embed Users for each tenant in our service and authenticate as this Embed User to perform such API call, which is not ideal.

Having a way to acquire a short-lived token, with a session tied to the Looker Service Account but having specific User Attributes and the permission to call Run Inline Query would be awesome.

Looking forward to hearing back from you!

@NicoG07 : Thanks for explaining this use case in detail. I now understand the nuance and would request you to share a FR for this requirement. This will help us prioritize the request for future Looker releases !

@Tarunima here it is !