Google: Service Account#

Using service accounts is more complex than OAuth2. Before you begin:

Prerequisites#

Set up Service Account#

There are four steps to connecting your Easexpense credential to a Google Service Account:

  1. Create a Google Cloud Console project.
  2. Enable APIs.
  3. Set up Google Cloud Service Account.
  4. Finish your Easexpense credential.

Create a Google Cloud Console project#

First, create a Google Cloud Console project. If you already have a project, jump to the next section:

  1. Log in to your Google Cloud Console using your Google credentials.
  2. In the top navigation, select the project dropdown and select New project, or go directly to the New Project page.
  3. Enter a Project name and select the Location for your project.
  4. Select Create.
  5. Check the top navigation and make sure the project dropdown has your project selected. If not, select the project you just created.

Enable APIs#

With your project created, enable the APIs you'll need access to:

  1. Access your Google Cloud Console - Library. Make sure you're in the correct project.
  2. Go to APIs & Services > Library.
  3. Search for and select the API(s) you want to enable. For example, for the Gmail node, search for and enable the Gmail API.
  4. Some integrations require other APIs or require you to request access:

    Google Drive API required

    The following integrations require the Google Drive API, as well as their own API:

    • Google Docs
    • Google Sheets
    • Google Slides

    Google Vertex AI API

    In addition to the Vertex AI API you will also need to enable the Cloud Resource Manager API.

  5. Select ENABLE.

Set up Google Cloud Service Account#

  1. Access your Google Cloud Console - Library. Make sure you're in the correct project.
  2. Select the hamburger menu > APIs & Services > Credentials. Google takes you to your Credentials page.
  3. Select + CREATE CREDENTIALS > Service account.
  4. Enter a name in Service account name and an ID in Service account ID. Refer to Creating a service account for more information.
  5. Select CREATE AND CONTINUE.
  6. Based on your use case, you may want to Select a role and Grant users access to this service account using the corresponding sections.
  7. Select DONE.
  8. Select your newly created service account under the Service Accounts section. Open the KEYS tab.
  9. Select ADD KEY > Create new key.
  10. In the modal that appears, select JSON, then select CREATE. Google saves the file to your computer.

Finish your Easexpense credential#

With the Google project and credentials fully configured, finish the Easexpense credential:

  1. Open the downloaded JSON file.
  2. Copy the client_email and enter it in your Easexpense credential as the Service Account Email.
  3. Copy the private_key. Don't include the surrounding " marks. Enter this as the Private Key in your Easexpense credential.
  4. Save your credentials.
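
The steps above, as an added Python example (not Easexpense or Google code): it reads client_email and private_key from the downloaded JSON key file instead of copying them by hand, and checks the file type, the PEM markers and the file permissions. The function names and the sample key file are constructed for illustration, with placeholder values rather than a real key.

```python
import json
import os
import stat
import tempfile

PEM_HEAD = "-----BEGIN PRIVATE KEY-----"
PEM_TAIL = "-----END PRIVATE KEY-----"

# Constructed sample with placeholder values; not a real key.
SAMPLE_KEY_FILE = {
    "type": "service_account",
    "client_email": "demo-sa@example-project.iam.gserviceaccount.com",
    "private_key": PEM_HEAD + "\nPLACEHOLDER-NOT-A-REAL-KEY\n" + PEM_TAIL + "\n",
}


def load_service_account_key(path):
    """Return (client_email, private_key, warnings) for a downloaded key file."""
    warnings = []
    # The file holds a long-lived secret: flag it if group or others can access it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        warnings.append(f"key file mode is {mode:o}; restrict it to 600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)  # decoding turns the \n escapes into line breaks
    if data.get("type") != "service_account":
        raise ValueError("not a service account key file")
    email = data.get("client_email", "")
    key = data.get("private_key", "")
    if not email.endswith(".gserviceaccount.com"):
        warnings.append("client_email is not a gserviceaccount.com address")
    body = key.strip()
    if not (body.startswith(PEM_HEAD) and body.endswith(PEM_TAIL)):
        raise ValueError("private_key lacks the PEM BEGIN/END lines")
    return email, key, warnings


def demo(mode=0o644):
    """Write the constructed sample to a temp file with `mode` and load it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY_FILE, fh)
        os.chmod(path, mode)
        return load_service_account_key(path)


if __name__ == "__main__":
    print(demo())
```

A key file that fails the type or PEM check raises ValueError before any value is returned, so a wrong file is caught before it reaches the credential form.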

Troubleshooting#

Service Account can't access Google Drive files#

A Service Account can't access Google Drive files and folders that weren't shared with its associated user email.

  1. Access your Google Cloud Console and copy your Service Account email.
  2. Access your Google Drive and go to the designated file or folder.
  3. Right-click on the file or folder and select Share.
  4. Paste your Service Account email into Add People and groups.
  5. Select Editor for read-write access or Viewer for read-only access.

Enable domain-wide delegation#

To impersonate a user with a service account, you must enable domain-wide delegation for the service account.

Not recommended

Google recommends you avoid using domain-wide delegation, as it allows impersonation of any user (including super admins) and can pose a security risk.

To delegate domain-wide authority to a service account, you must be a super administrator for the Google Workspace domain. Then:

  1. From your Google Workspace domain's Admin console, select the hamburger menu, then select Security > Access and data control > API Controls.
  2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
  3. Select Add new.
  4. In the Client ID field, enter the service account's Client ID. To get the Client ID:
    • Open your Google Cloud Console project, then open the Service Accounts page.
    • Copy the OAuth 2 Client ID and use this as the Client ID for the Domain Wide Delegation.
  5. In the OAuth scopes field, enter a comma-separated list of scopes to grant your application access. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  6. Select Authorize.

It can take from 5 minutes up to 24 hours before you can impersonate all users in your Workspace.