Skip to main content

Google: Service Account

Using service accounts is more complex than OAuth2. Before you begin:

Prerequisites

Set up Service Account

There are four steps to connecting your Otera credential to a Google Service Account:

  1. Create a Google Cloud Console project.
  2. Enable APIs.
  3. Set up Google Cloud Service Account.
  4. Finish your Otera credential.

Create a Google Cloud Console project

First, create a Google Cloud Console project. If you already have a project, jump to the next section:

Enable APIs

With your project created, enable the APIs you'll need access to:

Set up Google Cloud Service Account

  1. Access your Google Cloud Console - Library. Make sure you're in the correct project.

    The project dropdown in the Google Cloud top navigation

    Check the project dropdown in the Google Cloud top navigation

  2. Select the hamburger menu > APIs & Services > Credentials. Google takes you to your Credentials page.

  3. Select + CREATE CREDENTIALS > Service account.

  4. Enter a name in Service account name and an ID in Service account ID. Refer to Creating a service account for more information.

  5. Select CREATE AND CONTINUE.

  6. Based on your use-case, you may want to Select a role and Grant users access to this service account using the corresponding sections.

  7. Select DONE.

  8. Select your newly created service account under the Service Accounts section. Open the KEYS tab.

  9. Select ADD KEY > Create new key.

  10. In the modal that appears, select JSON, then select CREATE. Google saves the file to your computer.

Finish your Otera credential

With the Google project and credentials fully configured, finish the Otera credential:

  1. Open the downloaded JSON file.

  2. Copy the client_email and enter it in your Otera credential as the Service Account Email.

  3. Copy the private_key. Don't include the surrounding " marks. Enter this as the Private Key in your Otera credential.

  4. Optional: Choose if you want to Impersonate a User (turned on).

    1. To use this option, you must Enable domain-wide delegation for the service account as a Google Workspace super admin.
    2. Enter the Email of the user you want to impersonate.

  5. If you plan to use this credential with the HTTP Request node, turn on Set up for use in HTTP Request node.

    1. With this setting turned on, you'll need to add Scope(s) for the node. Otera prepopulates some scopes. Refer to OAuth 2.0 Scopes for Google APIs for more information.

  6. Save your credentials.

Video

The following video demonstrates the steps described above.

Troubleshooting

Service Account can't access Google Drive files

A Service Account can't access Google Drive files and folders that weren't shared with its associated user email.

  1. Access your Google Cloud Console and copy your Service Account email.
  2. Access your Google Drive and go to the designated file or folder.
  3. Right-click on the file or folder and select Share.
  4. Paste your Service Account email into Add People and groups.
  5. Select Editor for read-write access or Viewer for read-only access.

Enable domain-wide delegation

To impersonate a user with a service account, you must enable domain-wide delegation for the service account.

Not recommended

Google recommends you avoid using domain-wide delegation, as it allows impersonation of any user (including super admins) and can pose a security risk.

To delegate domain-wide authority to a service account, you must be a super administrator for the Google Workspace domain. Then:

  1. From your Google Workspace domain's Admin console, select the hamburger menu, then select Security > Access and data control > API Controls.
  2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
  3. Select Add new.
  4. In the Client ID field, enter the service account's Client ID. To get the Client ID:
    • Open your Google Cloud Console project, then open the Service Accounts page.
    • Copy the OAuth 2 Client ID and use this as the Client ID for the Domain Wide Delegation.
  5. In the OAuth scopes field, enter a list of comma-separate scopes to grant your application access. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  6. Select Authorize.

It can take from 5 minutes up to 24 hours before you can impersonate all users in your Workspace.