This guide walks you through setting up a Google Workspace identity integration. This entails creating a service account, configuring domain-wide delegation for the service account, and downloading the service account's credentials so that you can extract the fields needed to authenticate with the Google Workspace API.

## Before You Begin

You need to already have access to the [Google Workspace Admin Console](https://admin.google.com), and you must have a Google Workspace account (not necessarily the same one that you log in to the admin console with) set up that you will use with domain-wide delegation. This account should have the following permissions:

* Manage customer > Read customer
* Manage customer > Read customer > Read customer branding settings
* Manage customer > Read customer > Read customer contact info
* Manage customer > Read customer > Read customer onboard settings
* Manage customer > Read customer > Read customer profile settings
* Manage customer > Read customer > Read customer support settings
* Manage customer > Read customer > Read customer timezone settings
* Groups
* Groups > Create
* Groups > Delete
* Groups > Read
* Groups > Update
* Organization Units > Read
* Users > Create
* Users > Delete
* Users > Read
* Users > Update
* Users > Update > Add/Remove Aliases
* Users > Update > Force Password Change
* Users > Update > Move Users
* Users > Update > Rename Users
* Users > Update > Reset Password
* Users > Update > Suspend Users

You will also need to have access to the [Google Cloud Console](https://console.cloud.google.com).

## 1. Create a Service Account

Follow [this guide](https://support.google.com/a/answer/7378726) to create a new service account. If you don't already have a Google Cloud Console project, you will need to create one; instructions are included in the linked guide. The Cloud Console project will need to have access to the Admin SDK API.

If you are using an existing project and need to enable access to the Admin SDK API, you can use [this page](https://developers.google.com/workspace/guides/enable-apis) to do so.

## 2. Set up Domain-Wide Delegation

You can use [this guide](https://support.google.com/a/answer/162106) to learn how to set up domain-wide delegation. When prompted for the OAuth scopes to enable for the delegation, use the following:

`https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly`

## 3. Download the Service Account Credentials

In the Google Cloud Console, navigate to IAM & Admin > Service Accounts, then select the service account you created in step 1. Open the "Keys" tab, and select "Add Key" > "Create new key" > JSON. This will create the key and download it automatically. **Protect this key file, as it allows access to your Google Workspace account via delegation.**

## 4. Extract the Service Account Credentials

Make a note of the following fields from the downloaded key file: `client_id`, `private_key`, `token_uri`, and `client_email`.

Consider the following example key file:

```json
{
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "client_email": "EXAMPLE@EXAMPLE.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/EXAMPLE%40EXAMPLE.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nKEY MATERIAL HERE-----END PRIVATE KEY-----\n",
  "private_key_id": "1234567890",
  "project_id": "example-project-id",
  "token_uri": "https://oauth2.googleapis.com/token",
  "type": "service_account",
  "universe_domain": "googleapis.com"
}
```

In this example:

* `client_id` is `1234567890`
* `private_key` is `-----BEGIN PRIVATE KEY-----\nKEY MATERIAL HERE-----END PRIVATE KEY-----\n`
* `token_uri` is `https://oauth2.googleapis.com/token`
* `client_email` is `EXAMPLE@EXAMPLE.iam.gserviceaccount.com`

## 5. Configure the Integration

Create your integration by supplying all of the required values and any desired optional values.

**client_email**
This is the `client_email` value gathered in step 4.

**client_id**
This is the `client_id` value gathered in step 4.

**client_secret**
This is the `private_key` value gathered in step 4.

**token_url (Optional)**
This is the `token_uri` value gathered in step 4.

**delegate**
This is the email address of the user you are delegating access to.
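To show how the fields from step 4 and the `delegate` value from step 5 fit together, here is an added Python example (not the integration's own code) that validates a downloaded key file and builds the claim set of the domain-wide delegation assertion that is signed with `private_key` and exchanged at `token_uri`. The key file and the delegate address are constructed sample values; the scope list is the one configured in step 2.

```python
import base64
import json

# Scopes authorized for domain-wide delegation in step 2 (from the page).
DELEGATION_SCOPES = frozenset({
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})
REQUIRED_FIELDS = ("client_id", "private_key", "token_uri", "client_email")
# Constructed sample key file mirroring the page's example; no real key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "client_email": "EXAMPLE@EXAMPLE.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "private_key": "-----BEGIN PRIVATE KEY-----\nKEY MATERIAL HERE-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def extract_credentials(key_file_text: str) -> dict:
    """Pull out the four step-4 fields, rejecting incomplete or wrong-type key files."""
    data = json.loads(key_file_text)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError(f"key file missing fields: {missing}")
    pem = data["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----") and "-----END PRIVATE KEY-----" in pem):
        raise ValueError("private_key is not a PEM private key block")
    return {f: data[f] for f in REQUIRED_FIELDS}

def build_delegation_claims(creds: dict, delegate: str, scopes, now: int) -> dict:
    """Claim set of the assertion sent to token_uri: iss is the service account, sub is the
    delegated Workspace user. Scopes outside the step-2 grant are rejected by Google, so fail early."""
    denied = sorted(set(scopes) - DELEGATION_SCOPES)
    if denied:
        raise ValueError(f"scopes not granted under domain-wide delegation: {denied}")
    return {"iss": creds["client_email"], "sub": delegate, "scope": " ".join(scopes),
            "aud": creds["token_uri"], "iat": now, "exp": now + 3600}  # one-hour lifetime

def signing_input(claims: dict) -> str:
    """base64url(header).base64url(claims): the bytes that get RS256-signed with private_key."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims)
```

Signing the returned input with the PEM key and posting the result as a `urn:ietf:params:oauth:grant-type:jwt-bearer` assertion to `token_uri` is left to a JWT or Google auth library; a mismatch between the requested scopes and the step-2 grant is the most common reason that exchange fails.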