Comment on page

Creating and authorizing a Google Workspace service account

Step 1. Create a new user in your Google Workspace instance, and make this user an administrator. This will be the account the FIM service uses to administrator the Google Workspace instance.
Step 2. Using that account, login to the Google Developers Console
Step 3. Create a new API project
Step 4. Give the API project an appropriate name
Step 5. When the project has been created, go to the APIs & Services page, and select Credentials. Create a new set of credentials of the service account key type
Step 6. Select the option to create a new service account, providing a service account name and ID, and assigning the 'service account user' role. Ensure that 'p12' is selected as the key type
Step 7. Save the resulting p12 file, noting the secret provided. This will be used by the management agent to authenticate to the Google APIs later
Step 8. Once the service account has been created, select the option to manage service accounts
Step 9. Click on the same of the service account to edit it
Step 10. Select the option to edit the service account, enable domain-wide delegation on the account, and provide a product name (this is not seen by end users)
Step 11. Return to the service accounts list, and from the list of service accounts, select the option to 'view client ID'
Step 12. Record the client ID provided, as well as the service account email address. These will be needed later in the configuration process.
Step 13. Click on 'library' on the API manager page, and search for the Admin SDK, Gmail, Group Settings, Google Calendar and Classroom APIs and enable them for use in your project
Step 14. Log into the google admin console. Select the security option
Step 15. Expand to the advance settings section, and select Manage API client access
Step 16. Add a new client by providing the client ID obtained in step 12, and the following string for the API scopes. You can either add all scopes, or choose only the [[specific scopes you need|Required-permissions-and-scopes]] based on the object types you want to manage.,,,,,,,,,,,,


It can take up to 24 hours for domain-wide delegation to take effect. Although in most cases, it takes 5-10 minutes. During this time you may receive an error when trying to create the MA, with an event log message that contains the text Client is unauthorized to retrieve access tokens using this method