This guide explains how to set up and use a service account based connection to access the Google Workspace Administration actions in zenphi.

Step 1: Create a service account in Google Cloud Console

Create a service account that zenphi will use to access execute the admin actions.

Create a service account:

To create a service account, follow these steps:

Open the Google Cloud console.
At the top-left, click Menu menu > IAM & Admin > Service Accounts.
Click Create service account.
Fill in the service account details, then click Create and continue.

Note: By default, Google creates a unique service account ID. If you would like to change the ID, modify the ID in the service account ID field.

Optional: Assign roles to your service account to grant access to your Google Cloud project's resources. For more details, refer to Granting, changing, and revoking access to resources.
Click Continue.
Optional: Enter users or groups that can manage and perform actions with this service account. For more details, refer to Managing service account impersonation.
Click Done.

The service account appears on the service account page. Next, create a private key for the service account.

Create a private key

To create a private key for the service account, follow these steps:

Open the Google Cloud console.
At the top-left, click Menu > IAM & Admin > Service Accounts.
Select your service account.
Click Keys > Add keys > Create new key.
Select JSON, then click Create.

Your new public/private key pair is generated and downloaded to your machine as a new file. This file is the only copy of this key. For information about how to store your key securely, see Managing service account keys.

Click Close.

For more information about service accounts, see service accounts in the Google Cloud IAM documentation.

Step 2: Create a Google Workspace Administration connection in zenphi

Go to zenphi connections and click on the + New button to create a new connection. In the list look for the Create a Google Workspace Administration connection.

Click on "Connect".

Click on the "Browse file" button and select the JSON key that you downloaded in the above step and create the connection.

Step 3: Set up domain-wide delegation for a service account

To call APIs on behalf of users in a Google Workspace organization, your service account needs to be granted domain-wide delegation of authority in the Google Workspace Admin console by a super administrator account. For more information, see Delegating domain-wide authority to a service account.

To set up domain-wide delegation of authority for a service account:

Open the Google Cloud console.
At the top-left, click Menu > IAM & Admin > Service Accounts.
Select your service account.
Click Show advanced settings.
Under "Domain-wide delegation," find your service account's "Client ID." Click Copy

to copy the client ID value to your clipboard.

Click View Google Workspace Admin Console, then sign in using a super administrator user account.

Note: If you don't have super administrator access to the relevant Google Workspace account, contact a super administrator for that account and send them your service account's Client ID and list of OAuth Scopes so they can complete the steps below in the Admin console.

In the Admin console, at the top-left, click Menu menu > Security > Access and data control > API controls.
Click Manage Domain Wide Delegation.
Click Add new.
In the "Client ID" field, paste the client ID you copied in step 5.
In the "OAuth Scopes" field, enter a comma-delimited list of the following scopes required by zenphi.

https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/gmail.labels
https://www.googleapis.com/auth/calendar

Click Authorize.