Set up Looker

Who can do this?

You probably need your Looker administrator to run these commands - you may not have access yourself.

Choose user permissions method

Atlan supports two options for user permissions in Looker. Choose one of these methods to set up Looker:

Admin role

This role is required for Atlan to automatically generate lineage across Looker objects. When using this role, the crawler can access all folders in Looker including personal folders.

To set up this role:

1. Log in to your Looker instance and confirm that you're an Admin user.
2. From the menu in the upper left, click the Admin item.
3. Under the Users section, click the Users item.
4. In the table, find the user you're logged in as. Click the Edit button to the right of your user's row.
5. Next to API3 Keys, click the Edit Keys button.
6. On the resulting Edit User API3 Keys page, click the New API3 Key button.
7. Save the generated credentials for crawling Looker.

Custom role

warning

When using this approach, Atlan won't automatically generate lineage across Looker objects. You need to individually grant access to each folder to be included in lineage.

Create role

To create a custom role for Atlan to access Looker:

1. Log in to your Looker instance.
2. From the menu in the upper left, click the Admin item.
3. Under the Users section, click the Roles item.
4. At the top of the page, click the New Permission Set button.
   1. Enter a name for the new permission set.
   2. For the permissions, select the following:
      • access_data grants access to the other permissions below.
      • see_lookml_dashboards lets Atlan crawl LookML dashboards.
      • see_looks lets Atlan crawl Looks.
      • see_user_dashboards lets Atlan crawl user-defined dashboards.
      • explore lets Atlan fetch from the Explore page.
      • see_sql lets Atlan fetch the SQL of a query or Look, to generate lineage.
      • see_lookml lets Atlan fetch model information from LookML.
      • develop lets Atlan fetch connection names from models, to generate lineage.
      • see_datagroups lets Atlan fetch all connection names, to generate lineage.
   3. At the bottom of the permissions list, click the New Permission Set button.
5. Back on the Roles page, at the top click the New Role button.
   1. Enter a name for the new role.
   2. For Permission Set, select the permission set you created in the previous step.
   3. For Model Set, select the models that you want to give access to.
   4. At the bottom of the page click the New Role button.

Create user

To create a user through which Atlan can access Looker:

1. Open the Admin menu in Looker.
2. Under the Users section, click the Users item.
3. At the top of the page, click the Add Users button.
   1. For Email addresses enter the email address for the user.
   2. For Send setup emails uncheck the setting.
   3. For Roles check the box next to the role you created earlier.
4. At the bottom of the page, click the Add Users button.
5. On the resulting page, click the Done button.

Generate API key for user

To generate an API key for the user:

1. Open the Admin menu in Looker.
2. Under the Users section, click the Users item.
3. In the table, find the user created earlier. Click the Edit button to the right of that user's row.
4. (Optional) Consider entering a First Name and Last Name for the user to make it easier to recognize and find in the future.
5. Next to API3 Keys, click the Edit Keys button.
6. On the resulting Edit User API3 Keys page, click the New API3 Key button.
7. Save the generated credentials for crawling Looker.

Include folders for lineage

To include folders when using a custom role, give permission using the following steps:

1. From the Looker menu in the upper left, click the Admin item.
2. Under the Users section, click the Content Access item.
3. In the resulting page next to Folders select the folder and then click on the Manage Access... button.
4. In the blank box at the bottom of the table, select the user created earlier from the list.
   • To let Atlan crawl only dashboards, enable the View permission for this user.
   • To let Atlan crawl tiles and queries for dashboards, enable the Manage Access, Edit permission for this user.
5. To the right of the row for that user, click the Add button.
6. At the lower-right of the dialog, click the Save button.

warning

You need to repeat these steps for every folder you want Atlan to be able to access.

Configure lineage access

In addition to user permissions, you can set up access to your project files in GitHub to generate field-level and cross-project lineage from Looker, and to crawl Looker views and build upstream lineage for views and explores. Choose one of the following methods:

SSH

Who can do this?

Any user with access to the Looker project files in GitHub can set up this part. You need to share the generated private key with whoever sets up the Looker crawler in Atlan. If your organization uses single sign-on (SSO) on GitHub, you must first authorize the SSH key for use with SSO. Refer to Authorizing an SSH key for use with SAML single sign-on to complete the process.

To configure an SSH key for access to GitHub project files:

1. Create a new SSH key on your local computer. For example, run the following command and enter a passphrase when prompted (or leave blank for no passphrase):

   ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/atlan_looker_lineage

2. Copy the generated keys from your local computer. For example:

   • To copy the public key, run this command and copy the output:

     cat ~/.ssh/atlan_looker_lineage.pub

   • To copy the private key, run this command and copy the output:

     cat ~/.ssh/atlan_looker_lineage

3. In the upper-right corner of any GitHub page, click your profile photo, then click Settings.

4. Under the Access section of the left sidebar, click SSH and GPG keys.

5. In the upper-right, click the New SSH key button:

   1. For Title enter a descriptive label for the new key. For example, Atlan Lineage.
   2. For Key paste in the public key you copied earlier.
   3. At the bottom of the form, click the Add SSH key button.

6. If prompted, enter your GitHub password and click Confirm password.

HTTPS

As an alternative to SSH keys, you can use HTTPS token-based cloning to access your Looker project Git repositories. This method requires a Git username and an access token from your Git provider.

Release testing scope

HTTPS token-based cloning has been fully tested with GitLab. Other Git providers may work but haven't been verified.

To set up HTTPS token-based cloning:

1. Generate an access token from your Git provider with read access to the repositories containing your Looker project files. For example, in GitLab, create a group access token with the read_repository scope and the Reporter role.
2. Note the Git username for your token. If your Git provider doesn't require a specific username, use oauth2 as the default. For GitLab group access tokens, the username is automatically generated when the token is created.
3. Save the Git username and token for use when crawling Looker. Provide a fresh, valid token when configuring the workflow—the connector uses the token as-is for the duration of the crawl job and doesn't refresh or create a new one.