Google Workspace integration

Integrate Identity Security Posture Management (ISPM) with your Google Workspace.

  1. Create a project
  2. Create a service account
  3. Add roles to the service account
  4. Create keys for the service account
  5. Enable API access
  6. Configure domain-wide delegation for the service account
  7. Share the parameters with ISPM

Before you begin

Ensure that you have the Google Workspace super admin privilege.

Create a project

  1. Sign in to your Google Cloud Console as a super admin and click to open the Navigation menu.

  2. Go to IAM & Admin > Manage Resources.

  3. Click + Create Project.

  4. Enter the required information for Project name, Organization, and Location.

  5. Click Create.

Create a service account

  1. Open the Navigation menu and go to IAM & Admin > Service Accounts.

  2. From the projects list at the top of the page, select the project that you created earlier.

  3. Click Create service account.

  4. In the Service account details section, enter the following:

    1. Service account name: Enter a name. Copy and store the name of the account. You'll need it later.

    2. Service account ID: You can keep the auto-generated service account ID or change it.

    3. Service account description: Enter a brief description for the account.

  5. Click Create and continue.

  6. In the Grant this service account access to project section, click Continue. Don't add any roles.

  7. Optional. In the Grant users access to this service account (Optional) section, add users who own or can access this service account.

  8. Click Done.

Add roles to the service account

  1. Add Service Usage Viewer role:

    1. Select the project that you created.

    2. Open the Navigation menu, and go to IAM & Admin > IAM.

    3. Click Grant Access.

    4. Under New Principals, enter the service account address that you created.

    5. Under Select a role, search and choose Service Usage Viewer.

    6. Click Save.

  2. Add Organization Role Viewer role:

    1. Select your main organization.

    2. Open the Navigation menu, and go to IAM & Admin > IAM.

    3. Click Grant Access.

    4. Under New Principals, enter the service account address that you created.

    5. Under Select a role, search and choose Organization Role Viewer.

    6. Click Save.

Create keys for the service account

  1. Open the Navigation menu and go to IAM & Admin > Service Accounts.
  2. For your new service account, open the menu under the Actions column.
  3. Select Manage keys.
  4. On the Keys page, click Add key.
  5. Select Create new key.
  6. Select JSON as the key type.
  7. Click Create. This downloads a JSON key file to your computer. The file contains the private key that allows the service account to authenticate to Google APIs, so store it securely and keep it for later.
  8. Click Close.

Enable API access

  1. Open the Navigation menu and go to APIs & Services > Enabled APIs & services.
  2. On the Enabled APIs & services page, enable the Admin SDK API, Service Usage API, Cloud Identity API, and Cloud Resource Manager API using the following steps (if they aren't enabled already):
    1. Click Enable APIs and services.

    2. Search for and select an API using the search bar. For the Cloud Identity API, search for Cloud Identity.

    3. Select the tile corresponding to the API.

    4. Select the specific API.

    5. Click Enable.

Configure domain-wide delegation for the service account

  1. Sign in to your Google Workspace Admin Console and open the Navigation menu.
  2. Go to Security > Access and data control > API controls.
  3. Under the Domain wide delegation section, click MANAGE DOMAIN WIDE DELEGATION.
  4. Click Add new.
  5. In the Client ID field, enter the client_id value. You can find this value in the credentials JSON key file that you downloaded while creating keys for the service account.

  6. In the OAuth Scopes field, enter the following scopes as comma-separated values:

    https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly,https://www.googleapis.com/auth/cloud-identity.policies.readonly
  7. Click Authorize.
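The following script is an added example (not part of this page or the ISPM product) for checking the key file and delegation setup from the steps above before handing the parameters to ISPM. It assumes the google-auth and google-api-python-client packages for the live check; the key-file path and super admin email are placeholders you supply.

```python
import json

# The exact scopes authorized in the domain-wide delegation step above.
# The live check requests precisely these, so it fails with unauthorized_client
# if the Admin Console entry is missing any of them.
DWD_SCOPES = [
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
    "https://www.googleapis.com/auth/cloud-platform.read-only",
    "https://www.googleapis.com/auth/cloud-identity.inboundsso.readonly",
    "https://www.googleapis.com/auth/cloud-identity.policies.readonly",
]

def validate_key(key: dict) -> dict:
    """Reject anything that is not a complete service-account key (e.g. a user OAuth file)."""
    required = ("type", "client_id", "client_email", "private_key", "project_id")
    missing = [f for f in required if f not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {key['type']!r}")
    return key

def load_key_file(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return validate_key(json.load(fh))

def dwd_client_id(key: dict) -> str:
    # The value that goes into the Client ID field of the delegation entry.
    return validate_key(key)["client_id"]

def dwd_scope_string() -> str:
    # Comma-separated, no spaces: the form the OAuth Scopes field expects.
    return ",".join(DWD_SCOPES)

def delegated_user_count(key_path: str, super_admin_email: str) -> int:
    """Live smoke test: impersonate the super admin and list users via the Admin SDK."""
    from google.oauth2 import service_account  # imported lazily; offline checks need neither library
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(key_path, scopes=DWD_SCOPES)
    creds = creds.with_subject(super_admin_email)  # domain-wide delegation: act as the admin
    directory = build("admin", "directory_v1", credentials=creds, cache_discovery=False)
    resp = directory.users().list(customer="my_customer", maxResults=10, orderBy="email").execute()
    return len(resp.get("users", []))
```

Run delegated_user_count only after the Authorize step; a non-zero count confirms the key, the Admin SDK API, and the delegation entry all line up.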

Share the parameters with ISPM

  1. In the Identity Security Posture Management console, go to Settings > Sources gallery.

  2. Select Google Workspace.
  3. Enter the following parameters:
    • Source name: Enter a name for this connector.
    • Super admin email address: Email address of any user who has the super admin privilege for Google Workspace in the org.
    • Credentials JSON: Upload the JSON key file that you downloaded in the Create keys for the service account section.
  4. Click Submit.

Related topic

Google Cloud Platform integration