Authorize an Account for Transfer of Ownership Features

To use Gmail transfer of ownership features, you need to set up a Google Cloud project and service account. The API endpoints that are needed to add a delegate or forward emails are only available to service accounts that have been given domain-wide authority.

In order to perform the steps in this topic, you must have admin access to a G Suite domain and Google Cloud Platform.

Create a Google Cloud Project

It is not necessary to create a new project to complete this procedure. If you already have a Google Cloud project, then go to step 5.

  1. Go to Google Cloud Platform: https://console.cloud.google.com.

  2. Click the Quickstart drop-down in the top navigation bar. The project dialog appears.

  3. From the drop-down, select an organization, then click NEW PROJECT.

  4. Add a project name to the Project name field, and click Create.

Enable the Gmail API for Google Cloud Project

  1. In the left navigation pane, select APIs & Services > Library.

  2. In the search field, type Gmail. The search results will show Gmail API.

  3. Click Gmail API then Enable on the Gmail API page.

You have created a Google Cloud project and enabled the Gmail API for it.

Create a Service Account for the Google Cloud Project

  1. In the left navigation pane, select IAM & Admin > Service Accounts.

  2. At the top of the Service accounts page, click CREATE SERVICE ACCOUNT.

  3. Add a service account name and description (optional) in the Service account details section, then click CREATE.

  4. On the Service account permissions (optional) page, click Continue. This step will be completed later.

  5. On the Grant users access to this service page, click DONE. This step will also be completed later.

You have created a service account.

Set Up G Suite Domain-Wide Delegation of Authority

To use the endpoints to add a delegate or forward a user's emails, you need a Google Cloud service account with domain-wide authority. By enabling domain-wide authority for a service account, you allow the service account to programmatically access a user's data without any manual authorization on their part.

To set up domain-wide delegation of authority:

  1. Find the service account that you created in the previous task.

  2. Click the name of the service account, or open the Actions menu for that account and select Edit.

  3. Click the SHOW DOMAIN-WIDE DELEGATION drop-down.

  4. In the header bar, click Edit.

  5. Select the Enable G Suite Domain-wide Delegation box.

  6. Add a name in the Product name for the consent screen field, and click Save.

You have set up G Suite domain-wide delegation for your project. The Client ID field is now populated with a value for the service account that will be associated with the G Suite account. Take note of that Client ID value.

Register and Add Scopes to the Service Account in G Suite Domain

  1. Go to https://admin.google.com

  2. If necessary, authenticate with your login credentials.

  3. Select Security.

  4. Select Advanced Settings.

  5. Click Manage API client access.

  6. In the Authorized API clients list, add the Client ID that was generated in the previous task in the Client Name field.

  7. In the One or More API Scopes field, add the required scopes. For adding a delegate or forwarding emails, the required scopes are:

  • https://www.googleapis.com/auth/gmail.settings.basic

  • https://www.googleapis.com/auth/gmail.settings.sharing

  8. Click Authorize, then click Save.

You have registered your service account with the G Suite domain and added the appropriate permissions (scopes) to the account. The service account can now access users' data in the G Suite domain.

Add users and assign roles in the Google Cloud project

Each user in your Google Cloud project needs permissions to use the Add Delegate, Forward Emails, or Set Auto Reply action card in the Workflows Gmail connector. Each user will need the role of Service Account User on the project level. This role will allow a user to load dynamic dropdown parameters in the action cards.

Each user will also need the role of Service Account Token Creator on the service account level. This role assigns the user permissions to generate short-lived credentials for the service account so that it can access user data in the G Suite domain.

To add a user and assign the Service Account User role:

  1. Go to https://console.cloud.google.com

  2. Find your Google Cloud project and service account.

  3. From the left navigation pane, click IAM & Admin.

  4. Select IAM.

  5. Click ADD.

  6. In the New members field, add the user's email address.

  7. In the Select a role dropdown, select Service Accounts > Service Account User.

  8. Click Save.

To add a user and assign the Service Account Token Creator role:

  1. From the left navigation pane, click IAM & Admin.

  2. Click Service Accounts.

  3. Click the checkbox for your service account, then click SHOW INFO PANEL.

  4. In the Permissions section, click ADD MEMBER.

  5. In the New members field, add the user's email address.

  6. In the Select a role dropdown, select Service Accounts > Service Account Token Creator.

  7. Click Save.

You have added a user to your Google Cloud project who can authenticate to the Workflows Gmail connector and use the Add Delegate, Forward Emails, and Set Auto Reply action cards.
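To confirm that the two roles ended up at the levels described above, the following added example (not part of the original documentation or the Workflows product) audits IAM policies in the JSON shape that `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` return with `--format=json`. The sample policies, member addresses and finding labels are constructed for illustration.

```python
# Role IDs for the two roles this page assigns.
SA_USER = "roles/iam.serviceAccountUser"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def members_with(policy, role):
    """Return the sorted members bound to `role` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return sorted(found)


def audit(project_policy, sa_policy):
    """Compare both policies with the role layout this page describes."""
    findings = []
    # Token Creator belongs on the one service account; bound on the project
    # it covers every service account in that project.
    for m in members_with(project_policy, TOKEN_CREATOR):
        findings.append(("token-creator-at-project-level", m))
    creators = members_with(sa_policy, TOKEN_CREATOR)
    users = members_with(project_policy, SA_USER)
    # The page adds individual users by email; anything else needs review.
    for m in sorted(set(creators) | set(users)):
        if not m.startswith("user:"):
            findings.append(("non-user-principal", m))
    # Connector users get both roles; holding one suggests a stale or
    # incomplete grant (heuristic: group membership is not expanded).
    for m in sorted(set(creators) ^ set(users)):
        findings.append(("has-only-one-role", m))
    return findings


# Constructed sample policies in the shape of IAM policy JSON.
PROJECT_POLICY = {"bindings": [
    {"role": SA_USER, "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": TOKEN_CREATOR, "members": ["user:carol@example.com"]},
    {"role": "roles/viewer", "members": ["domain:example.com"]},
]}
SA_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR,
     "members": ["user:alice@example.com", "group:workflows@example.com"]},
]}

if __name__ == "__main__":
    for kind, member in audit(PROJECT_POLICY, SA_POLICY):
        print(f"{kind}: {member}")
```

Because the service account holds domain-wide authority, anyone who can mint its tokens can change Gmail delegation and forwarding settings for users in the domain, so every finding is worth resolving before the connector goes into use.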

Related topics

Gmail connector

Workflow elements

Gmail API documentation