Create a Service Account

A Service Account is a special account used by an application or workflow rather than by a person. Admin+ uses it to make the API calls that attach application modules to your workspace. For example, a Service Account is what lets you attach the Report module for reporting.


Google Cloud Platform – New Project

  1. Log in to Google Cloud Platform as a Super Admin
  2. Create a new project in GCP


Google Cloud Platform – Enable APIs

Make sure to switch to your new project before enabling APIs.

  1. Enable APIs via APIs & Services → Libraries
    • Admin SDK API – Required for historical storage data.
    • Google Drive API – Required for parsing the user's drive.
    • Gmail API – Required for sending emails as a delegate user.


Google Cloud Platform – Create Credentials → Service Account

  1. Create Credentials → Service Account via APIs & Services → Credentials
    • Click Create Credentials
    • Then, select a Service account
    • Enter a Service account name
      • You do not need to do any of the additional options.
    • Click Done
  2. Create an access key for the service to use
    • Select the Service Account and use the Action options on the right side
    • Choose Manage Key Access from the drop-down menu
    • Click Add Key and Create New
    • Choose the JSON file option
    • Now you can choose to download the key and store the file somewhere secure.
    • Once the file is stored securely, open it and locate the "private_key" value. Copy the entire Private Key block, including everything between the opening and closing quotes " "
      • The private key begins with -----BEGIN PRIVATE KEY-----
      • The private key ends with \n-----END PRIVATE KEY-----\n
    • Admin+ will need the Private Key and Client Email from the file.
  3. Once the key is created, click on the details tab for more details on your service account.
    • Click Show Advanced Settings
    • Select View Google Workspace Admin Console


Google Workspace – Wrapping Up

Give the service account API access via Security → API Controls → MANAGE DOMAIN WIDE DELEGATION

  • Add new
  • Paste the Client ID from Step 6
  • Add the following scopes:
    i. https://www.googleapis.com/auth/admin.directory.user.readonly
    ii. https://www.googleapis.com/auth/admin.reports.usage.readonly
    iii. https://www.googleapis.com/auth/drive
    iv. https://www.googleapis.com/auth/gmail.send
    v. https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
    vi. https://www.googleapis.com/auth/admin.reports.audit.readonly
    vii. https://www.googleapis.com/auth/admin.datatransfer
    viii. https://www.googleapis.com/auth/devstorage.read_write

Copy/Paste:

https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly, https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/gmail.send, https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.datatransfer, https://www.googleapis.com/auth/devstorage.read_write

  • A user with at least the User Management Admin role will be needed for caching. This account can be an actual user in your organization or a sudo account.

*** STOP ***

Historical data will not work without adding the reports privilege to this role. The easiest solution is to copy the User Management Role into a new Role and check "Reports".

  • Additional Privileges Required:
    • Drives and Docs: Settings (Shared Drives)
    • Reports (Historical)
    • ChromeOS: Settings (Manage Devices)
  • This account will show up in your activity logs as the account that is performing certain application-specific actions, such as moving files to the trash bin.
  • Admin+ sends its emails from this account, so its email address will appear in the "From" field of those emails.
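As an added example that is not part of this article or of Admin+ itself, the Python below reads a downloaded key file, checks that the "private_key" value is the complete PEM block described above, pulls out the Client Email and Client ID, builds the comma-delimited scope string for the domain-wide delegation field, and shows the claim set a service account signs to act as the User Management Admin user. The key file contents and the user address are constructed placeholders.

```python
import json
import time

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"
REQUIRED = ("type", "client_email", "client_id", "private_key", "token_uri")
# The eight scopes granted in the domain-wide delegation step above.
_API = "https://www.googleapis.com/auth/"
DELEGATION_SCOPES = [_API + s for s in (
    "admin.directory.user.readonly", "admin.reports.usage.readonly", "drive",
    "gmail.send", "admin.directory.device.chromeos.readonly",
    "admin.reports.audit.readonly", "admin.datatransfer", "devstorage.read_write")]

# Constructed stand-in for the downloaded JSON key file; the key body is a
# placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "adminplus@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
    "private_key": PEM_HEADER + "\nPLACEHOLDER_KEY_BODY\n" + PEM_FOOTER + "\n",
})

def load_key(text):
    """Parse the key file and check the PEM block to copy is complete (BEGIN
    line through the newline after the END line, as the steps above describe)."""
    key = json.loads(text)
    missing = [f for f in REQUIRED if f not in key]
    if missing or key["type"] != "service_account":
        raise ValueError(f"not a service-account key file; missing {missing}")
    pem = key["private_key"]
    if not (pem.startswith(PEM_HEADER) and pem.endswith(PEM_FOOTER + "\n")):
        raise ValueError("private_key is not a complete PEM block")
    return key

def pem_from_pasted(value):
    """A key pasted from the JSON text as one line carries literal two-character
    \\n escapes; restore real newlines so the PEM parses."""
    return value.replace("\\n", "\n")

def scope_field(scopes=DELEGATION_SCOPES):
    """Comma-delimited value for the Admin console OAuth scopes field."""
    return ", ".join(scopes)

def delegation_claims(key, subject, scopes=DELEGATION_SCOPES, now=None):
    """Claim set the service account signs to act as `subject` (the User
    Management Admin user); domain-wide delegation is what authorizes `sub`.
    Note the JWT scope claim is space-delimited, unlike the console field."""
    now = int(time.time()) if now is None else now
    return {"iss": key["client_email"], "sub": subject, "scope": " ".join(scopes),
            "aud": key["token_uri"], "iat": now, "exp": now + 3600}
```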
