Create a Service Account

A Service Account is a special type of Google Cloud account that is used by an application or workflow rather than by a person. Admin+ uses it to make the API calls that attach modules of the application to your workspace; for example, the Report module is attached through the Service Account so that it can pull reporting data. Because the account will later be granted domain-wide delegation, treat its key file as you would a Super Admin password.

Google Cloud Platform – New Project

  1. Log in to Google Cloud Platform with a Google Workspace Super Admin account
  2. Create a new project in GCP (a dedicated project keeps the service account and its key separate from other workloads)

Google Cloud Platform – Enable APIs

Make sure to switch to your new project before enabling anything; APIs are enabled per project.

  1. Enable the following APIs via APIs & Services -> Library
    • Admin SDK API – Required for directory and historical (Reports) data.
    • Google Drive API – Required for parsing users' Drive contents.
    • Gmail API – Required for sending emails as the delegated user.

Google Cloud Platform – Create Credentials -> Service Account

  1. Create Credentials -> Service Account via APIs & Services -> Credentials
    • Click Create Credentials
    • Then, select Service account
    • Enter a Service account name
      • The optional steps (granting the account project access and granting users access) can be skipped; this setup needs no project-level IAM role.
    • Click Done
  2. Create an access key for the service to use
    • Select the Service Account and use the Actions menu on the right side
    • Choose Manage keys from the drop-down menu
    • Click Add Key and Create new key
    • Choose the JSON file option
    • The key file is downloaded once and Google does not keep a copy of the private key. Anyone holding the file can act as the service account, and, once domain-wide delegation is granted below, as any user in your domain for the granted scopes. Store it in a secrets manager or other access-controlled location, never in a shared drive, chat message or source repository.
    • Once secured, open the file and locate the “private_key” value. Copy the entire Private Key block, including everything between the start and end quotes “ ”. The value contains literal \n sequences; copy them exactly, since the key is rejected if the line breaks are lost.
      • The private key begins with -----BEGIN PRIVATE KEY-----\n
      • The private key ends with \n-----END PRIVATE KEY-----\n
    • Admin+ will need the Private Key and Client Email (the “client_email” value) from the file.
  3. Once the key is created, click on the Details tab for more details on your service account.
    • Click Show advanced settings
    • Under Domain-wide delegation, note the numeric Client ID; it is the same value as “client_id” in the JSON key file and is what you paste into the Admin console in the next section.
    • Select View Google Workspace Admin Console

Google Workspace – Wrapping Up

  1. Give the service account API access via Security -> API Controls -> MANAGE DOMAIN WIDE DELEGATION

    • Add new
    • Paste the Client ID noted in the service account's advanced settings (also the “client_id” value in the JSON key file)
    • Add the following scopes:
      • https://www.googleapis.com/auth/admin.directory.user.readonly
      • https://www.googleapis.com/auth/admin.reports.usage.readonly
      • https://www.googleapis.com/auth/drive
      • https://www.googleapis.com/auth/gmail.send
      • https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
      • https://www.googleapis.com/auth/admin.datatransfer
      • https://www.googleapis.com/auth/devstorage.read_write

    Grant exactly this list: a missing scope breaks the module that uses it, and an extra scope widens what the key can do as any user in the domain.

Copy/Paste:

https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.datatransfer,https://www.googleapis.com/auth/devstorage.read_write

  • A user with at least the User Management Admin role will be needed for caching. This account can be an existing user in your organization or a dedicated account created for this purpose. Admin+ acts on Google Workspace as this user through the service account, so the user's privileges, not the service account's, determine what the application can do.

*** STOP ***

Historical data will not work unless this role also carries the Reports privilege. The easiest solution is to copy the User Management Admin role into a new custom role and tick “Reports”.

  • Additional Privileges Required:
    • Drives and Docs: Settings (Shared Drives)
    • Reports (Historical)
    • ChromeOS: Settings (Manage Devices)
  • This account will show up in your audit logs as the account performing certain application-specific actions, such as moving files to the trash bin.
  • This account will be the account that Admin+ sends emails from, and its email address will appear in the “From” field of the email.
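The steps above are console clicks; the two things that most often go wrong are a private_key copied with its \n escapes lost and a scope list that does not match the one pasted into the Admin console. The following script, added here as an illustration and not part of Admin+ or Google's own code, checks both from the downloaded JSON key file and then shows the claim set that a domain-wide delegation client signs with that key. The `sub` claim is the delegated user described above, which is why that user, not the service account, needs the Reports, Drive and ChromeOS privileges. The key file, email addresses and project name are constructed sample data (the private_key body is random base64, not a real key); only the standard library is used.

```python
"""Validate a service-account key file and a domain-wide delegation (DWD)
scope grant before handing them to the application.

Added example for this article; not Admin+ or Google code.  The sample key
file below is constructed: same fields GCP writes, fake values, and a
private_key body that is random base64 rather than a real key.
"""
import base64
import binascii
import json
import time

# The scopes the article asks you to grant under MANAGE DOMAIN WIDE DELEGATION.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.datatransfer",
    "https://www.googleapis.com/auth/devstorage.read_write",
)

PEM_HEAD = "-----BEGIN PRIVATE KEY-----\n"
PEM_TAIL = "\n-----END PRIVATE KEY-----\n"
TOKEN_URI = "https://oauth2.googleapis.com/token"

# Constructed sample key file (assumed names; not a real project or key).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": PEM_HEAD + base64.b64encode(b"\x00" * 48).decode() + PEM_TAIL,
    "client_email": "adminplus@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": TOKEN_URI,
})


def load_key_file(text):
    """Parse a key file and return (client_email, client_id, private_key).

    Raises ValueError if the file is not a service-account key, a needed
    field is missing, or the PEM framing is broken (the usual result of
    copying private_key by hand and losing the \\n escapes).
    """
    data = json.loads(text)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    for field in ("client_email", "client_id", "private_key"):
        if not data.get(field):
            raise ValueError(f"missing {field}")
    pem = data["private_key"]
    if not (pem.startswith(PEM_HEAD) and pem.endswith(PEM_TAIL)):
        raise ValueError("private_key is not a complete PEM block")
    body = pem[len(PEM_HEAD):-len(PEM_TAIL)].replace("\n", "")
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("private_key body is not valid base64") from exc
    return data["client_email"], data["client_id"], pem


def check_scope_grant(granted_csv, required=REQUIRED_SCOPES):
    """Compare the comma-separated scope string pasted into the Admin console
    with the required list.  Returns (missing, extra), both sorted; both
    empty means the grant is exact.  Extra scopes matter because DWD lets
    the key act as any user in the domain for every scope granted."""
    granted = {s.strip() for s in granted_csv.split(",") if s.strip()}
    missing = sorted(set(required) - granted)
    extra = sorted(granted - set(required))
    return missing, extra


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def dwd_assertion_claims(client_email, delegated_user, scopes, now=None):
    """Claim set a DWD client signs (RS256 with private_key) and posts to the
    token endpoint.  `sub` is the Workspace user being impersonated."""
    now = int(time.time()) if now is None else now
    return {
        "iss": client_email,
        "sub": delegated_user,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,  # Google rejects assertions valid for more than 1 hour
    }


def dwd_signing_input(claims):
    """Return the base64url header.payload string that the private key signs."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )


if __name__ == "__main__":
    email, cid, _ = load_key_file(SAMPLE_KEY_JSON)
    print("client_email:", email, "client_id:", cid)
    print("scope check (missing, extra):", check_scope_grant(",".join(REQUIRED_SCOPES)))
    print(dwd_signing_input(dwd_assertion_claims(email, "admin@example.com", REQUIRED_SCOPES)))
```

Run it against your real key file by replacing SAMPLE_KEY_JSON with the file's contents and passing the exact string you pasted into the Admin console to `check_scope_grant`; a non-empty `missing` list explains a module that fails, and a non-empty `extra` list is a grant to review. The signing step itself is left to the Google client libraries, which add the RS256 signature over `dwd_signing_input` and exchange the result for an access token.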

Updated June 9, 2023
