Create a Service Account
A Service Account is a Google Cloud identity that belongs to an application rather than a person. Admin+ authenticates as this account and uses Google APIs to connect modules of the application to your workspace. For example, the Report module relies on the Service Account to read reporting data from your domain.
Google Cloud Platform – New Project
- Log in to Google Cloud Platform as a Super Admin
- Create a new project in GCP
Google Cloud Platform – Enable APIs
Make sure to switch to your new project
- Enable APIs via APIs & Services -> Library
- Admin SDK API – Required for historical storage data.
- Google Drive API – Required for parsing users’ Drives.
- Gmail API – Required for sending emails as the delegated user.
Google Cloud Platform – Create Credentials -> Service Account
- Go to APIs & Services -> Credentials
- Click Create Credentials, then select Service account
- Enter a Service account name
- The optional steps (granting this service account a role on the project, and granting users access to it) can be skipped.
- Click Done
- Create a key for the service account to authenticate with
- Select the Service Account and, in the Actions column on the right, choose Manage keys from the drop-down menu
- Click Add Key -> Create new key
- Choose the JSON key type and click Create
- The browser downloads the key file immediately. This file is the only copy of the private key (Google keeps only the public half), so store it somewhere secure and treat it like a Super Admin password: once domain-wide delegation is granted below, anyone holding this file can act as any user in your domain within the delegated scopes.
- Once the file is stored securely, open it and locate the “private_key” value. Copy the entire value between the opening and closing quotes “ ”.
- The private key begins with -----BEGIN PRIVATE KEY-----
- The private key ends with \n-----END PRIVATE KEY-----\n (the \n sequences are newline escapes inside the JSON string; copy them exactly as they appear)
- Admin+ will need the Private Key and Client Email (the “private_key” and “client_email” values) from the file.
- With the key created, open the Details tab of the service account
- Expand Show Advanced Settings
- Under Domain-wide delegation, note the Client ID (the same value as “client_id” in the key file) and select View Google Workspace Admin Console
Google Workspace – Wrapping Up
- Give the service account API access via Security -> Access and data control -> API controls -> MANAGE DOMAIN WIDE DELEGATION
- Click Add new
- Paste the Client ID (the numeric “client_id” from the key file, also shown under the service account’s advanced settings)
- Add the following scopes:
i. https://www.googleapis.com/auth/admin.directory.user.readonly
ii. https://www.googleapis.com/auth/admin.reports.usage.readonly
iii. https://www.googleapis.com/auth/drive
iv. https://www.googleapis.com/auth/gmail.send
v. https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
vi. https://www.googleapis.com/auth/admin.reports.audit.readonly
vii. https://www.googleapis.com/auth/admin.datatransfer
viii. https://www.googleapis.com/auth/devstorage.read_write
Copy/Paste:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.datatransfer,https://www.googleapis.com/auth/devstorage.read_write
Note that with domain-wide delegation granted, the holder of the service account key can act as any user in the domain within these scopes: https://www.googleapis.com/auth/drive gives full read/write access to every user’s Drive, and gmail.send lets it send mail as any user. Grant exactly this list and nothing broader; Google matches scopes character for character, so a typo or stray space here will cause the application’s API calls to be refused.
- A user with at least the User Management Admin role is needed for caching. This can be an existing user in your organization or a dedicated account created for Admin+.
*** STOP ***
Historical data will not work unless this role also has the Reports privilege. The easiest solution is to copy the User Management Admin role into a new custom role and check “Reports”.
- Additional Privileges Required:
- Drives and Docs: Settings (Shared Drives)
- Reports (Historical)
- ChromeOS: Settings (Manage Devices)
- This account will appear in your audit logs as the account performing certain application-specific actions, such as moving files to the trash.
- This account is also the account Admin+ sends emails from; its address will appear in the “From” field of the email.
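An added example, not Admin+ or Google code, that checks the downloaded key file and the delegation scope list offline before anything is pasted into a console, and shows the token request that domain-wide delegation actually performs: the service account signs a JWT naming the delegated user (the User Management Admin account above) in the `sub` claim and exchanges it for an access token. The file name, the example project and account names, and the function names are assumptions; the signing step uses the third-party `cryptography` package (the same one google-auth depends on) and the token exchange needs network access, so the offline checks are the part that runs without either.

```python
"""Offline checks for a service-account key and its delegation scopes, plus the
delegated-token request they feed into (assumed names; not Admin+ code)."""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"
PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"

# The scope list granted under Manage Domain Wide Delegation, as on the page.
DELEGATED_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.datatransfer",
    "https://www.googleapis.com/auth/devstorage.read_write",
]

# Constructed sample key file in the shape Google downloads; the key body is a
# placeholder (a real file carries a base64 PKCS#8 body of about 1.7 KB).
SAMPLE_KEY_FILE = r"""{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_NOT_A_REAL_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "adminplus@example-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901"
}"""


def normalize_private_key(value: str) -> str:
    """Return the private_key value as real PEM text.

    json.load() already turns the \\n escapes in the file into newlines, but a
    value pasted out of an editor may still carry literal backslash-n pairs or
    CRLF line endings; both are repaired, then the PEM markers are checked."""
    pem = value.replace("\\n", "\n").replace("\r\n", "\n").strip() + "\n"
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END + "\n")):
        raise ValueError("private_key is not a PKCS#8 PEM block")
    return pem


def check_key(data: dict) -> dict:
    """Validate the fields the delegation setup depends on; return the ones used."""
    fields = ("type", "client_email", "client_id", "private_key", "private_key_id")
    missing = [f for f in fields if not data.get(f)]
    if missing:
        raise ValueError(f"key file is missing {missing}")
    if data["type"] != "service_account":
        raise ValueError(f"not a service-account key (type={data['type']!r})")
    if not data["client_email"].endswith(".iam.gserviceaccount.com"):
        raise ValueError("client_email is not a service-account address")
    if not data["client_id"].isdigit():  # this is the value pasted into Manage Domain Wide Delegation
        raise ValueError("client_id must be the numeric OAuth client ID")
    return {"client_email": data["client_email"], "client_id": data["client_id"],
            "private_key_id": data["private_key_id"],
            "private_key": normalize_private_key(data["private_key"])}


def load_key(text: str) -> dict:
    """Parse and validate the contents of a downloaded key file."""
    return check_key(json.loads(text))


def scope_diff(granted_csv: str, required=DELEGATED_SCOPES):
    """Compare the comma-separated list shown in the admin console with what the
    app needs; returns (missing, extra). Matching is exact, as Google's is."""
    granted = {s.strip() for s in granted_csv.split(",") if s.strip()}
    return sorted(set(required) - granted), sorted(granted - set(required))


def delegation_claims(client_email: str, subject: str, scopes=DELEGATED_SCOPES, now=None) -> dict:
    """JWT claim set for a domain-wide-delegation token request. 'sub' is the
    Workspace user being impersonated; Google rejects lifetimes over one hour."""
    iat = int(time.time() if now is None else now)
    return {"iss": client_email, "sub": subject, "scope": " ".join(scopes),
            "aud": TOKEN_URL, "iat": iat, "exp": iat + 3600}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def signed_assertion(claims: dict, pem: str, key_id: str) -> str:
    """RS256-sign the claims with the key from the file (needs 'cryptography')."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    parts = [_b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, claims)]
    signing_input = ".".join(parts)
    key = serialization.load_pem_private_key(pem.encode(), password=None)
    sig = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + _b64url(sig)


def fetch_delegated_token(assertion: str) -> dict:
    """Exchange the assertion at Google's token endpoint (network call)."""
    body = urllib.parse.urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                                   "assertion": assertion}).encode()
    with urllib.request.urlopen(TOKEN_URL, data=body, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys  # usage: python check_delegation.py service-account.json admin@example.com
    with open(sys.argv[1]) as fh:
        info = load_key(fh.read())
    claims = delegation_claims(info["client_email"], sys.argv[2])
    token = fetch_delegated_token(signed_assertion(claims, info["private_key"], info["private_key_id"]))
    print("delegation OK; token expires in", token.get("expires_in"), "seconds")
```

If the token exchange returns `unauthorized_client`, the Client ID or the scope list in Manage Domain Wide Delegation does not match what the assertion carries; `scope_diff` on the list copied back out of the console will show which scope differs. A successful exchange for the delegated user is the end-to-end confirmation that the key, the delegation entry, and the admin account are wired together.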
Updated June 9, 2023