# Google Workspace

## Introduction

This guide tells you how to authenticate the Google Workspace connector in Swimlane. You will create a Google Cloud project, enable the required APIs, configure a service account, optionally enable domain-wide delegation, and configure the connector in Swimlane.

This connector supports Google authentication using one of the following:

- Service account JSON credentials (base64 encoded)
- OAuth 2.0 client ID, client secret, and refresh token

## Prerequisites

### Google access requirements

You must have permissions to:

- Create and manage projects in Google Cloud Platform
- Enable APIs in Google Cloud Console
- Create service accounts and download JSON key files
- Manage domain-wide delegation in Google Admin Console (recommended)
- Create OAuth 2.0 client credentials (optional)

### Required credentials

During setup, you will collect:

- Service account JSON key file (base64 encoded) or OAuth 2.0 client ID and client secret
- Delegate account email address (recommended)
- Customer ID or `my_customer` alias (optional)
- OAuth scopes for domain-wide delegation (recommended)
- Refresh token (if using OAuth 2.0 client credentials)

## GCP project creation

Take the following steps to create a Google Cloud project:

1. Log in to Google Cloud Console at https://console.cloud.google.com/.
2. Navigate to https://console.cloud.google.com/projectcreate.
3. Name the project and click **Create**.
4. Navigate to **Projects** and select the new project.

## Enabling individual APIs

After creating the project, enable the required APIs for the connector. Navigate to the **APIs & Services** dashboard and enable the following APIs, using their explicit names if the links become deprecated.

| API | URL |
| --- | --- |
| Google Drive | https://console.cloud.google.com/apis/library/drive.googleapis.com |
| Gmail | https://console.cloud.google.com/apis/library/gmail.googleapis.com |
| Google Workspace Alert Center | https://console.cloud.google.com/apis/library/alertcenter.googleapis.com |
| G Suite Vault | https://console.cloud.google.com/apis/library/vault.googleapis.com |
| Admin SDK API | https://console.cloud.google.com/apis/library/admin.googleapis.com |
| Google Chat API | https://console.cloud.google.com/apis/library/chat.googleapis.com |
| Google Sheets API | https://console.cloud.google.com/apis/library/sheets.googleapis.com |

After enabling the APIs, navigate back to the **APIs & Services** dashboard and verify that all APIs are listed. If any APIs are missing, enable them again.

## Configuring a service account

The Google Workspace connector requires a Google service account to authenticate. Take the following steps to create a service account and download its JSON key file:

1. Open https://console.developers.google.com/iam-admin/serviceaccounts.
2. Select the appropriate project.
3. Click **Create Service Account**.
4. Assign a name and description, then click **Create and Continue**.
5. Select the role **Owner**, then click **Continue**.
6. Skip **Grant users access to this service account** (or add users), then click **Done**.
7. Click the newly created service account email.
8. Navigate to **Keys**.
9. Click **Add Key** and select **Create new key**.
10. Select **JSON** and click **Create**.
11. Download the JSON file. This file is required for Swimlane asset creation.
12. Navigate to **Details** and copy the **Unique ID**. This value is required for domain-wide delegation.

## Delegating domain-wide authority (recommended)

In order to support accessing multiple users' accounts, domain-wide authority must be enabled before creating a service account. Choosing not to delegate domain-wide authority will heavily limit the scope of what this connector can do. If the connector will only operate against a single account, the Setting API scopes section can be skipped.

### Setting API scopes

After creating the service account, authorize the required API scopes using Google Admin Console:

1. From https://admin.google.com, navigate to **Security > API Controls**.
2. Click **Manage Domain Wide Delegation**.
3. Click **Add new**.
4. In the **Client ID** field, enter the Unique ID from the service account **Details** menu.
5. Enter the following CSV value into the **OAuth scopes (comma-delimited)** input:

```
https://mail.google.com/,https://www.googleapis.com/auth/admin.directory.device.mobile,https://www.googleapis.com/auth/admin.directory.device.mobile.action,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.userschema,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/ediscovery,https://www.googleapis.com/auth/chat.bot,https://www.googleapis.com/auth/spreadsheets
```

6. Click **Authorize**.

## OAuth 2.0 (optional)

To configure OAuth 2.0 for the Google Workspace connector, follow these steps:

1. Navigate to Google Cloud Console.
2. Select the project.
3. In the left sidebar, select **APIs & Services > Credentials**.
4. Click **Create Credentials** and select **OAuth client ID**.
5. Select the application type **Web application**.
6. Enter a name and click **Create**.
7. Copy the client ID and client secret.
8. Add the necessary scopes under **Scopes for Google APIs**.
9. Click **Save**.

### Retrieve refresh token

To retrieve a refresh token, reach out to Swimlane support for the `requirements.txt` and `get_refresh_token.py` files. Python 3 must be installed on the local system. Run the following commands:

```
python3 -m pip install -r requirements.txt
python3 get_refresh_token.py
```

The script will:

1. Prompt for the client ID and client secret.
2. Prompt for additional scopes. By default, the requested scopes are `gmail.send` and `gmail.modify`.
3. Direct the user to Gmail authentication and approval in the browser.
4. Redirect the user to a blank page at https://localhost.

Copy the full URL of the https://localhost address and provide it to the script to receive the refresh token.

## Swimlane asset setup

### Credentials

The contents of the JSON credentials key file downloaded when creating the service account must be base64 encoded when creating the Swimlane Google Workspace asset. Copy the base64-encoded string and paste it into the **Service Account JSON** field.

For Linux and Mac:

```
$ cat <path_to_credentials.json> | base64
```

For Windows, using PowerShell:

```
[Convert]::ToBase64String((Get-Content -Path your_file_path -Encoding Byte))
```

### Delegate account

The delegate account value determines which account to operate as when running actions. It should be the email address of the target account. In most cases an admin account of Google Workspace should be used. Do not use the service account email.

### Customer ID

The customer ID is the unique ID for the customer's Google Workspace account. As account administrator, the `my_customer` alias can be used to represent the customer ID. To find the customer ID, navigate to https://admin.google.com and go to **Account > Account settings**.

## Limitations when not using a delegated account

Using a service account without a delegate account introduces limitations when interacting with user data. Service accounts may not be able to access user emails, contacts, or Google Drive files in the same way a regular user can.

## Connector configuration in Swimlane

1. Log in to Turbine.
2. From the left-hand navigation pane, click **Orchestration** and click **Assets**. The asset homepage opens.
3. Click the plus icon to open the **Configure your connector asset** window.
4. Select **Google Workspace** from the asset type list.
5. Fill in the asset settings and asset input as shown:

| Field | Description | Required/Optional |
| --- | --- | --- |
| Credentials | Base64-encoded contents from the service account JSON credentials file | Optional |
| Delegate Account | Account to execute integrations under. If not specified, the integration will run as the service account | Optional |
| Client ID | The client ID for the OAuth 2.0 application | Optional |
| Client Secret | The client secret for the OAuth 2.0 application | Optional |
| Refresh Token | OAuth 2.0 refresh token used to obtain new access tokens. If using a refresh token, provide the client ID and client secret | Optional |

Fields with marks are required. While adding an asset, provide either Credentials or Client ID and Client Secret. If both are provided, Client ID takes precedence.

6. Click **Create**.

## Troubleshooting

If you encounter an authentication error:

- Verify the required APIs are enabled in the Google Cloud project.
- Verify the service account JSON key is valid and the base64 encoding includes the full file contents.
- Verify domain-wide delegation is configured with the correct Unique ID and required scopes.
- Verify the delegate account is a valid admin user email address and not a service account email.
- If using the refresh token flow, verify the client ID, client secret, and refresh token match the same OAuth client.

You have successfully authenticated the Google Workspace connector in Swimlane.
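
Several of the troubleshooting checks can be run locally before the asset is created. The following is an added example, not Swimlane's or Google's code: a Python pre-flight check of the asset inputs that tolerates the line wrapping some `base64` commands produce. The function names, the asset dictionary keys, and the sample key are constructed for illustration.

```python
import base64
import json

# Fields found in a Google service account JSON key file.
KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id", "token_uri")
OAUTH_FIELDS = ("client_id", "client_secret", "refresh_token")  # hypothetical asset keys


def check_key(creds_b64, delegate=None, dwd_client_id=None):
    """Check the base64 credentials, delegate account and delegation client ID."""
    try:
        # Drop line wraps added by `base64`, then require strictly valid input.
        raw = base64.b64decode("".join(creds_b64.split()), validate=True)
        key = json.loads(raw)
    except ValueError as exc:  # bad base64, truncated JSON or non-UTF-8 bytes
        return [f"credentials are not base64 of a complete JSON file ({exc})"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return ["credentials decode, but not to a service account key file"]
    problems = [f"key file is missing '{f}'" for f in KEY_FIELDS if not key.get(f)]
    sa_email = str(key.get("client_email", "")).lower()
    if delegate:
        d = delegate.strip().lower()
        if "@" not in d or d == sa_email or d.endswith("gserviceaccount.com"):
            problems.append("delegate account must be a user email, not a service account")
    if dwd_client_id and str(dwd_client_id) != str(key.get("client_id")):
        problems.append("delegation client ID differs from the key's unique ID")
    return problems


def preflight(asset, dwd_client_id=None):
    """Return a list of problems; an empty list means the inputs are consistent."""
    oauth = [bool(asset.get(f)) for f in OAUTH_FIELDS]
    problems = []
    if any(oauth) and not all(oauth):
        problems.append("OAuth needs client_id, client_secret and refresh_token together")
    if not asset.get("credentials") and not any(oauth):
        problems.append("provide credentials or client_id and client_secret")
    if asset.get("credentials"):
        problems += check_key(asset["credentials"], asset.get("delegate_account"), dwd_client_id)
    return problems


# Constructed sample key (placeholder values, not a real credential).
SAMPLE_KEY = {"type": "service_account", "project_id": "example-project",
              "private_key": "CONSTRUCTED-PLACEHOLDER", "token_uri": "https://oauth2.googleapis.com/token",
              "client_email": "connector@example-project.iam.gserviceaccount.com",
              "client_id": "100000000000000000001"}
SAMPLE_B64 = base64.encodebytes(json.dumps(SAMPLE_KEY).encode()).decode()  # wrapped like `base64`
```

Call `preflight({"credentials": ..., "delegate_account": ...}, dwd_client_id=...)` with the values you intend to enter; `dwd_client_id` is the client ID registered under **Manage Domain Wide Delegation**.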