Skip to main content

Prepare Google Workspace connector

The Google Workspace connector retrieves information about subscriptions, users, and user activity. In Google Cloud Platform, you are required to create a service account for your project, generate a key file, and set up API access. In Google Workspace Admin console, you are required to locate your Customer ID and enter it, together with the key file content and an admin account email, in Settings when adding the connector.

Prerequisites

The email address of an admin account, new or existing, is needed for the connector settings in Step 3. This email is used by the service account to impersonate the admin user while accessing the API. The admin account must have at least the following administrative permissions enabled:

  • Admin console privileges:

    • Domain Settings

    • Reports

  • Admin API privileges:

    • Users Read

    • License Read

    • Billing Read

    • Domain Management

Procedure

  1. In Google Cloud Platform:

    1. Go to the service accounts page: https://console.developers.google.com/iam-admin/serviceaccounts

    2. Select a project or create a new one.

    3. Create a service account for the project and grant it the Viewer role.

    4. For the service account, create a key in JSON format. The content of this file is used when adding the connector.

      The new public/private key pair is generated and downloaded to your device; it serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you must generate a new one.

    5. Copy the Unique ID for your service account. It is used to enable access for the service account to data in a Google Workspace domain.

    6. Set up API access to the project in which you created a service account.

      From the API library, find and enable:

      • Admin SDK API

      • Enterprise License Manager API

  2. In the Google Workspace Admin console:

    1. Sign in to the Google Workspace Admin console: https://admin.google.com/

    2. Go to the API controls page and enable domain wide delegation for the previously created service account:

      1. In Client ID, enter the Unique ID for your service account, copied in Step 1.v.

      2. In OAuth scopes (comma-delimited), enter this list of scopes that your application should be granted access to:

        • https://www.googleapis.com/auth/admin.directory.user.readonly

        • https://www.googleapis.com/auth/admin.reports.usage.readonly

        • https://www.googleapis.com/auth/admin.directory.domain.readonly

        • https://www.googleapis.com/auth/apps.licensing

        • https://www.googleapis.com/auth/admin.directory.customer.readonly

    3. On the Account Settings page, copy and save the Customer ID. It is used when adding the connector.

  3. When adding the connector in Snow Atlas, in Settings, enter the values according to the table.

    SettingValue from Google
    Customer IDYour account Customer ID from Google account settings.
    Service account keyThe content of the service account key file downloaded to your device.
    It has the file extension .json.
    Admin emailThe email of an admin account that will be used by the service account to impersonate the admin user while accessing the API.

After completing this task, follow the general procedure to Add connectors.

The connector makes API calls to the vendor and retrieves data. For more information, see SDK calls and Data retrieved by the connector.

Flexera does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.