Authorize an account for transfer of ownership

To use the Gmail transfer of ownership features, you need to set up a Google Cloud project and service account. The API endpoints needed to add a delegate or forward emails are only available to service accounts that have been given domain-wide authority.

Before you begin

You must have admin access to a Google Workspace domain and Google Cloud Platform.

Google Cloud project tasks

Complete these Google Cloud project tasks through the Google Cloud Platform interface: https://console.cloud.google.com.

Create a project

If you already have a Google Cloud project, you can skip to the next task.

  1. Click the Quickstart dropdown list at the top of the navigation bar that displays the currently selected project.

  2. From the dropdown list, select an organization and click NEW PROJECT.

  3. Enter a project name in the Project name field, and click CREATE.

  4. From the Quickstart dropdown list at the top of the navigation bar, select the new project.

  5. In the Project info panel on the project dashboard, click ADD PEOPLE TO THIS PROJECT.

  6. Add the Google Workspace account that you used to authorize the Gmail connection as a New Principal with the Viewer role. This is the human admin account, not the service account created in the next task.

Enable the Gmail API for the project

  1. In the left navigation pane, go to APIs & Services > Library.

  2. In the search field, type Gmail.

  3. Click Gmail API then Enable on the Gmail API page.

Create a service account

  1. In the left navigation pane, go to IAM & Admin > Service Accounts.

  2. At the top of the Service accounts page, click CREATE SERVICE ACCOUNT.

  3. Add a service account name and an optional description in the Service account details section, and then click DONE.

  4. Select the service account in the list to edit it.

  5. Go to the PERMISSIONS tab and click GRANT ACCESS.

  6. Add the Google Workspace account that you used to authorize the Gmail connection as a New Principal.

  7. Add the following roles to this account:

    • Service Account User

    • Service Account Token Creator

    Click Save to confirm the changes.

  8. Go to the DETAILS tab and record the Unique ID. This is the same as the OAuth 2.0 Client ID seen on the list of service accounts.

For full details on service accounts in Google Cloud, see Manage access to service accounts.

Google Admin tasks

Complete these admin tasks through the Google Admin Console: https://admin.google.com.

Set up domain-wide delegation of authority

The API endpoints needed to add a delegate or forward a user's emails require a Google Cloud service account with domain-wide authority.

By enabling domain-wide authority for a service account, you allow that account to act as any user in the domain for the scopes you register, with no consent step or manual authorization on the user's part. Register only the scopes listed in the next task, and treat the service account's keys, and the Service Account Token Creator grant that lets another principal sign as it, as credentials equivalent to every mailbox in the domain.

  1. In the left navigation pane, go to Security > Access data and control > API controls.

  2. Click MANAGE DOMAIN WIDE DELEGATION.

  3. Click Add new to add the API client.

  4. Enter the Client ID for the service account that you recorded in the previous task into the Client ID field (older versions of the Admin console label this field Client Name).

Register and add scopes to the service account

  1. In the OAuth scopes field, add the required scopes for adding a delegate or forwarding emails, separated by commas:

    • https://www.googleapis.com/auth/gmail.settings.basic

    • https://www.googleapis.com/auth/gmail.settings.sharing

  2. Click Authorize, then click Save.

The service account can now obtain access tokens for any user in the Google Workspace domain, limited to the two registered scopes. A token request for a scope that is not registered against this Client ID is rejected by Google's token endpoint with an unauthorized_client error.
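The impersonation that domain-wide delegation enables, and the two Gmail settings calls the registered scopes unlock, shown as an added example that is not Okta's or Google's code. It assumes a downloaded service-account key (Okta Workflows instead signs through the IAM Credentials API, which is what the Service Account Token Creator role on the previous task permits, so no key has to be downloaded), the google-auth and google-api-python-client libraries for the network-facing functions, and the hypothetical file name and e-mail addresses at the bottom.

```python
"""Act as a Workspace user through a domain-wide-delegated service account,
then add a delegate and enable forwarding on that user's mailbox.

Added example, not code from the Okta or Google documentation.  Assumes a
downloaded service-account key at KEY_FILE and the hypothetical addresses
used under __main__.
"""
import time

# Exactly the scopes registered under "Manage domain wide delegation".
# Requesting anything broader fails with unauthorized_client, so keep the
# two lists identical.
DELEGATION_SCOPES = (
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
)
TOKEN_URI = "https://oauth2.googleapis.com/token"
MAX_LIFETIME = 3600  # Google rejects assertions valid for longer than an hour


def build_delegation_claims(sa_email, subject, scopes=DELEGATION_SCOPES,
                            now=None, lifetime=MAX_LIFETIME):
    """Claim set of the signed JWT a service account exchanges for an access
    token (the RFC 7523 grant google-auth performs for you).  The `sub`
    claim is what makes it domain-wide delegation: the resulting token acts
    as that user without any consent step on their side."""
    if not scopes:
        raise ValueError("at least one scope is required")
    if lifetime > MAX_LIFETIME:
        raise ValueError("assertion lifetime must not exceed one hour")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,            # the service account's e-mail address
        "sub": subject,             # the Workspace user being impersonated
        "scope": " ".join(scopes),  # space-separated here, comma-separated in the admin console
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }


def unauthorized_scopes(requested, authorized=DELEGATION_SCOPES):
    """Scopes in `requested` that were never registered for this client ID.
    Check this before requesting a token: the token endpoint only answers
    unauthorized_client and does not say which scope is missing."""
    return sorted(set(requested) - set(authorized))


def delegated_gmail_service(key_file, subject):
    """Gmail API client acting as `subject`.  The imports are local so the
    helpers above stay usable without the Google client libraries."""
    from google.oauth2 import service_account        # google-auth
    from googleapiclient.discovery import build      # google-api-python-client

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=list(DELEGATION_SCOPES)).with_subject(subject)
    return build("gmail", "v1", credentials=creds, cache_discovery=False)


def add_delegate(service, delegate_email):
    """users.settings.delegates.create (needs gmail.settings.sharing).  The
    delegate must be in the same Workspace organization and is given by its
    primary address, not an alias."""
    return service.users().settings().delegates().create(
        userId="me", body={"delegateEmail": delegate_email}).execute()


def enable_forwarding(service, forwarding_email):
    """Register a forwarding address and, only if Gmail did not demand
    ownership verification, turn on auto-forwarding (both need
    gmail.settings.sharing).  A pending address returns None so the caller
    can retry after the recipient accepts."""
    settings = service.users().settings()
    created = settings.forwardingAddresses().create(
        userId="me", body={"forwardingEmail": forwarding_email}).execute()
    if created.get("verificationStatus") != "accepted":
        return None
    return settings.updateAutoForwarding(
        userId="me",
        body={"enabled": True, "emailAddress": forwarding_email,
              "disposition": "leaveInInbox"}).execute()


if __name__ == "__main__":
    # Hypothetical values; replace with your own key file and users.
    KEY_FILE = "transfer-sa.json"
    DEPARTING_USER = "alice@example.com"
    NEW_OWNER = "bob@example.com"
    svc = delegated_gmail_service(KEY_FILE, DEPARTING_USER)
    print(add_delegate(svc, NEW_OWNER))
    print(enable_forwarding(svc, NEW_OWNER) or "forwarding address pending verification")
```

Every call above runs as the departing user, which is why the Admin console step, and not the Cloud IAM roles, is the control that matters: the IAM roles decide who may sign as the service account, the domain-wide delegation entry decides which mailboxes and which settings that signature reaches.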

Test ownership transfer in Okta Workflows

  1. In the Workflows Console, create a flow and add one of the action cards that depend on the Google Cloud project and the service account.

  2. The Options for the card include dropdown lists for the Google Cloud Platform Project and the Service Account. These should be populated with the project and the service account you created in these tasks.

  3. Configure the card as needed and verify that it successfully executes.

Related topics

Gmail connector

Workflow elements

Gmail API documentation