Skip to main content

Prepare Google Workspace connectors

The Google Workspace connector connector retrieves information about subscriptions, users, and user activity.

In Google Cloud Platform, you are required to create a service account for your project, generate a key file, and set up API access. In Google Workspace Admin console, you are required to locate your Customer ID and enter it, together with the key file content and an admin account email, in Settings when adding the connector.

Prerequisites

The email address of an admin account, new or existing, is needed for the connector settings in Step 3. This email is used by the service account to impersonate the admin user while accessing the API. The admin account must have at least the following administrative permissions enabled:

  • Admin console privileges:

    • Domain Settings

    • Reports

  • Admin API privileges:

    • Users Read

    • License Read

    • Billing Read

    • Domain Management

Procedure

  1. In Google Cloud Platform:

    1. Go to the service accounts page: https://console.developers.google.com/iam-admin/serviceaccounts

    2. Select a project or create a new one.

    3. Create a service account for the project, and grant it at least the role Viewer.

    4. For the service account, create a key in JSON format. The content of this file is used when adding the connector.

      The new public/private key pair is generated and downloaded to your device; it serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you must generate a new one.

    5. Copy the Unique ID for your service account. It is used to enable access for the service account to data in a Google Workspace domain.

    6. Set up API access to the project in which you created a service account.

      From the API library, find and enable:

      • Admin SDK API

      • Enterprise License Manager API

  2. In the Google Workspace Admin console:

    1. Sign in to the Google Workspace Admin console: https://admin.google.com/

    2. Go to the API controls page and enable domain wide delegation for the previously created service account:

      1. In Client ID, enter the Unique ID for your service account, copied in Step 1.e.

      2. In OAuth scopes (comma-delimited), enter this list of scopes that your application should be granted access to:

        • https://www.googleapis.com/auth/admin.directory.user.readonly

        • https://www.googleapis.com/auth/admin.reports.usage.readonly

        • https://www.googleapis.com/auth/admin.directory.domain.readonly

        • https://www.googleapis.com/auth/apps.licensing

        • https://www.googleapis.com/auth/admin.directory.customer.readonly

    3. On the Account Settings page, copy and save the Customer ID. It is used when adding the connector.

  3. When adding the connector, in Settings, enter the values according to the table.

    Setting

    Value from Google

    Customer ID

    Your account Customer ID from Google account settings.

    Service account key

    The content of the service account key file downloaded to your device.

    It has the file extension .json.

    Admin email

    The email of an admin account that will be used by the service account to impersonate the admin user while accessing the API.

After completing this task, follow the general procedure to Add connectors.

The connector makes SDK calls to the vendor to retrieve data.

In this section: