
Creating a Google Workspace Service Account & User Account

The Google Workspace Collector requires two identities defined in your Google Workspace:

Account Type: Google Service Account
Description: A service account in a Google Cloud project that is authorised, through domain-wide delegation, to call Workspace APIs. ActiveNav Cloud authenticates the Collector with this account's JSON key file.

Account Type: Google User Account
Description: A Workspace user account that the service account impersonates when it scans content. It needs the Admin API privilege to read user information so that Personal Drives can be located, as described in the Administrator API Privileges section below, and it needs Viewer access to each target Shared Drive, as described in the Shared Drive Access section below. ActiveNav Cloud identifies this account by its email address.

Google Service Account Requirements

There are four main steps to creating and configuring a service account to be used by the GWD Collector:

NOTE: The user account performing these actions requires the Super Administrator role. See Google's Guide to Creating a Service Account for further information.

  1. Create a Service Account
  2. Enable the Required APIs
  3. Configure the Service Account
  4. Create the Service Account Key

1. Create a Service Account

  1. In the Google Cloud console, open IAM & Admin > Service Accounts (https://console.developers.google.com/iam-admin/serviceaccounts).
  2. Either create a new project or use an existing one.
  3. Within your target project, choose "+ Create Service Account" from the ellipsis menu.
  4. Provide a Service account name, Service account ID, and Service account description.
  5. Skip the optional step that grants the service account a role on the project; the Collector does not need any project-level IAM role.
  6. Skip the optional step that grants other users access to the service account.

2. Enable the Required APIs

  1. In the Google Cloud APIs & Services console (https://console.cloud.google.com/apis/library), use the search bar to locate and then choose the Google Drive API.
  2. Select the API, and enable it for the project.
  3. Return to the API Library search and repeat for the Google Forms API.

  4. Return to the API Library search and repeat for the Admin SDK API.

3. Configure the Service Account

Return to the Google Cloud IAM & Admin console and choose the Service Accounts page.

  1. Within your target project, choose your new service account.
  2. Expand the Advanced settings section on the service account details page.
  3. In the Domain-wide delegation section, copy the Client ID for later use. This is the service account's numeric unique ID; it also appears as client_id in the JSON key file created in step 4.
  4. Click the "View Google Workspace Admin Console" button.
  5. In the Google Admin console, select Security > Access and data control > API controls from the hamburger menu.
  6. On the API controls page, choose the "Manage Domain Wide Delegation" link towards the bottom of the page. This opens the list of API clients.
  7. Use "Add new" to enter the Client ID copied in step 3 and add these three OAuth scopes as separate entries:
    1. https://www.googleapis.com/auth/admin.directory.user.readonly
    2. https://www.googleapis.com/auth/drive.readonly
    3. https://www.googleapis.com/auth/forms.responses.readonly

Grant exactly these read-only scopes. A delegated token request fails if the Collector asks for a scope that is not on this list, and a broader scope (for example drive instead of drive.readonly) would let the service account act on every user's content well beyond what the Collector needs.

4. Create the Service Account Key

  1. From the Google Cloud IAM & Admin console's Service Accounts page, choose your target project and new service account.
  2. On the KEYS tab, choose ADD KEY > Create new key.
  3. Select JSON for the Key type.
  4. The JSON key file downloads automatically via your browser.

NOTE: This file is used when defining the ActiveNav Cloud credentials used by the GWD Collector. It contains the service account's private key and, combined with the delegation above, can read every user's Drive in your domain. Store it only where the Collector credentials are configured, keep it out of source control and shared mailboxes, and delete the key from the KEYS tab if it is ever exposed or no longer needed.

Google User Account Requirements

There are two requirements on the Google user account used by the GWD Collector to access drives. First, it must hold an Administrator role that grants the User > Read Admin API privilege (a custom role for this is created and assigned below). Second, it must have Viewer access to each of your target Shared Drives.

Administrator API Privileges

Although permission to use the User APIs is included in a number of pre-defined Administrator roles, we recommend creating a custom role, because the pre-defined roles are privileged far beyond what the GWD Collector requires.

  1. From the Google Workspace Admin console (https://admin.google.com), in the hamburger menu, expand the Account section and choose the Admin roles option.
  2. Click on Create new role at the top of the list of roles.
  3. Add a Name and a Description for this custom role and click Continue.
  4. Locate the Admin API privileges for User and select Read.
  5. Save the new custom role by clicking the Create Role button.
  6. Use the Assign Users button to apply your new custom role to the account used by the GWD Collector.

NOTE: Privilege propagation can take some time to complete.

Shared Drive Access

For each of the target Shared Drives, you must grant the GWD Collector user account access to view the content.

  1. From the Google Workspace Admin console (https://admin.google.com/), in the left-hand menu, expand Apps > Google Workspace and select Drive and Docs.
  2. Click on Manage Shared Drives.
  3. Locate your target Shared Drive and click the Manage Members option.
  4. Enter the GWD Collector user account with Viewer access level.
  5. Optionally unselect the notify option.
  6. Click the Share (or Send) button.

NOTE: Privilege propagation can take some time to complete.
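To confirm that the two identities above fit together before entering them as Collector credentials, here is an added example (not ActiveNav's or Google's code) that reads the JSON key file from step 4, compares the scopes entered under Manage Domain Wide Delegation against the three required ones, and shows the claim set the service account signs in order to act as the Collector user. The key file contents, project name, service account address and user email are constructed placeholders; the live check at the end assumes the google-auth and google-api-python-client packages are installed and needs network access, so it is not run by the offline checks.

```python
"""Offline sanity checks for the Google Workspace Collector identities.

Added example, not ActiveNav's code. The sample key file below is a
constructed placeholder; point load_key() at your real downloaded file.
"""
import json
import time

# The three OAuth scopes entered under "Manage Domain Wide Delegation".
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/forms.responses.readonly",
})

# Fields a Google service-account key file carries for delegated auth.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")


def load_key(text: str) -> dict:
    """Parse a key file and reject anything that is not a service-account key."""
    info = json.loads(text)
    missing = [f for f in REQUIRED_KEY_FIELDS if not info.get(f)]
    if missing:
        raise ValueError(f"key file missing fields: {missing}")
    if info["type"] != "service_account":
        raise ValueError(f"unexpected key type {info['type']!r}")
    return info


def check_scopes(granted, required=REQUIRED_SCOPES) -> dict:
    """Compare the scopes granted in the Admin console with what the Collector needs.

    Google refuses a delegated token request ('unauthorized_client') if any
    requested scope is not authorised for the client ID, so 'missing' means the
    Collector will fail; 'extra' means the delegation is broader than required.
    """
    granted = frozenset(s.strip() for s in granted if s.strip())
    return {"missing": sorted(required - granted), "extra": sorted(granted - required)}


def delegated_claims(info: dict, subject: str, scopes=REQUIRED_SCOPES, now=None) -> dict:
    """Build the JWT claim set the service account signs to act as `subject`.

    This is what google-auth's Credentials.with_subject() assembles before
    signing: `iss` is the service account, `sub` is the impersonated user.
    """
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": info["client_email"],
        "sub": subject,
        "scope": " ".join(sorted(scopes)),
        "aud": info["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


def verify_live(info: dict, subject: str, scopes=REQUIRED_SCOPES) -> dict:
    """Exercise the delegation end to end (needs google-auth, the API client and network)."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_info(
        info, scopes=sorted(scopes)).with_subject(subject)
    # Admin SDK: succeeds only if the user holds the User > Read admin privilege.
    users = build("admin", "directory_v1", credentials=creds).users().list(
        customer="my_customer", maxResults=1).execute()
    # Drive: lists only the Shared Drives the Collector user has been made a member of.
    drives = build("drive", "v3", credentials=creds).drives().list(pageSize=10).execute()
    return {"users_seen": len(users.get("users", [])),
            "shared_drives": [d["name"] for d in drives.get("drives", [])]}


# Constructed placeholder key file (not a real key); a real one holds a PEM private key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": "gwd-collector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    key = load_key(SAMPLE_KEY_FILE)
    print("Client ID to paste into Domain Wide Delegation:", key["client_id"])
    # Simulate an admin who forgot the Forms scope and granted full Drive instead.
    print(check_scopes([
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
        "https://www.googleapis.com/auth/drive",
    ]))
    print(delegated_claims(key, "gwd-collector@example.com", now=1_700_000_000))
```

The client_id printed from the key file should match the Client ID you entered in the Admin console; a mismatch usually means the key belongs to a different service account or project. Once the offline checks pass, call verify_live(key, "<collector user email>") to confirm both the custom admin role and the Shared Drive memberships have propagated.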