Google Authentication method
For the Google integration to work and your environment to remain secure, authentication needs to be set up. For Google, we use a service account: an account designed to be used by applications and services rather than by people. Given the correct permissions, it can retrieve information from the Google platform. To set up this service account you need a Google super admin account.
In this article, we will explain:
- How to create a service account
- How to provide the proper permissions
- How to activate the relevant APIs
How to set up a service account
Login and navigate
Service accounts are managed in the Google Cloud console. If your account has the proper rights, you can log in at https://console.cloud.google.com. Once logged in, click the menu in the top left corner to unfold the menu items. You may need to select the project in which you want to create the integration's service account.
In the menu, select IAM & Admin. A pane with options unfolds; select Service accounts.
Create service account
At the top of this window, click + CREATE SERVICE ACCOUNT. This starts the service account setup.
Choose a name you will recognise later. If the account will only be used for Tidal Control, we suggest including that in the name, ID or description.
Next, select a role. Open the Roles dropdown, click Basic and select the Viewer role on the right. Click Continue; the following step is optional and can be skipped, so click Done at the bottom of the form.
Create account json file
The service account now exists, but we still need to generate a key so that our application can authenticate as it.
After finishing the creation of the service account, you see a list of all available service accounts.
Select the account you just created and open the KEYS tab at the top of the page.
Click the ADD KEY button and select the JSON option.
The JSON key file is downloaded to your computer automatically. It contains the account's private key and Google does not keep a copy, so store it in a safe location: you will not be able to download it again.
Also make sure no unauthorized person can access this file. Anyone who holds it can authenticate as the service account and, once the delegation below is in place, read the user and group information of your domain.
How to provide the proper permissions
Navigate to admin console
To read the user information in your domain, the service account needs domain-wide delegation.
This lets the service account access data of the whole Google Workspace domain, not only of the project in which it was created.
To set up domain-wide delegation, open the Details tab of the service account.
Under Advanced settings you will find the Client ID. Copy this value and keep it at hand for the next step; it is the same value as the client_id field in the downloaded JSON key. After copying the client ID, click the button VIEW GOOGLE WORKSPACE ADMIN CONSOLE, which takes you to https://admin.google.com.
In the Admin page, open the menu on the top left of the page.
Select the Security option, then select the Access and data control option, and finally the API controls option.
This brings us to the API controls page, where at the bottom right of the screen there is a button MANAGE DOMAIN WIDE DELEGATION.
Setting the scopes for the account
Clicking the button shows a table of all client IDs that have been granted domain-wide delegation. To add the newly created service account, click Add new. A prompt opens in which you fill in the client ID saved a few steps back, together with the OAuth scopes the service account requires, separated by commas. The current scopes are:
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/cloud-platform
You can copy the following line into the scopes box: https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/cloud-platform
After filling in the scopes, click the AUTHORIZE button.
This concludes setting the permissions for the service account. The next step is activating the relevant APIs.
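As an added example (not Tidal Control's own code, and not part of the original article), the following Python script uses only the standard library to check a downloaded key file against the delegation settings above: it validates the key file, builds the comma-delimited scope line for the admin console, confirms that the key's client_id is the one that was authorized, and shows the claim set a client signs with the key's private key to act as a user in the domain. The sample key, the project name and the user address are constructed placeholders, and the function names are chosen here.

```python
"""Offline checks for a Google service-account key used with domain-wide
delegation. Added example, not Tidal Control code; standard library only."""
import base64
import json
import time

# Scopes listed in the article, in the order they are pasted into the console.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/cloud-platform",
)

# Constructed sample of a downloaded key: real field names, placeholder values.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "tidal-control@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

REQUIRED_FIELDS = ("type", "private_key", "client_email", "client_id", "token_uri")


def load_key(key_json: str) -> dict:
    """Parse a key file and reject anything that is not a service-account key."""
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service-account key: type={key['type']!r}")
    return key


def scopes_for_admin_console() -> str:
    """The comma-delimited line to paste into the scopes box."""
    return ",".join(REQUIRED_SCOPES)


def check_delegation(key: dict, authorized_client_id: str, authorized_scopes: set) -> list:
    """Compare the key with what was entered under MANAGE DOMAIN WIDE DELEGATION.
    Returns a list of problems; an empty list means the delegation matches."""
    problems = []
    if key["client_id"] != authorized_client_id:
        problems.append(
            f"client_id {key['client_id']} differs from the authorized {authorized_client_id}")
    missing = set(REQUIRED_SCOPES) - set(authorized_scopes)
    if missing:
        problems.append(f"scopes not granted: {sorted(missing)}")
    return problems


def delegation_claims(key: dict, impersonate: str, scopes=REQUIRED_SCOPES, now=None) -> dict:
    """Claim set of the JWT that is signed with the key's private key to get an
    access token as `impersonate`. The `sub` claim is what domain-wide delegation
    enables: whoever holds the key file can set it to any user in the domain."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": impersonate,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # Google accepts at most one hour
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def signing_input(key: dict, claims: dict) -> str:
    """The `header.payload` string that is signed with RS256 using private_key.
    Signing itself needs an RSA implementation (in practice the google-auth
    library does it); this only shows what gets signed."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return _b64url(compact(header)) + "." + _b64url(compact(claims))


if __name__ == "__main__":
    key = load_key(SAMPLE_KEY_JSON)
    print("scopes box:", scopes_for_admin_console())
    print("problems:", check_delegation(key, "123456789012345678901", set(REQUIRED_SCOPES)))
    claims = delegation_claims(key, "admin@example.com", now=1700000000)
    print(json.dumps(claims, indent=2))
    print("signing input:", signing_input(key, claims))
```

The `sub` claim is the reason the key file must be kept away from unauthorized people: with the scopes above granted, the key alone is enough to obtain directory access as any account in the domain, without that account's password or second factor.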
How to activate the relevant APIs
The Google Cloud platform does not automatically expose its APIs to service accounts. For the service account to be able to retrieve the relevant information, a few APIs have to be enabled in the project.
Navigate
First, log in at https://console.cloud.google.com, open the menu in the top left corner and select APIs & Services.
At the top of the page you will see a button + ENABLE APIS AND SERVICES.
Finding the APIs in the library
Clicking it takes you to the API library, where you can search for APIs and enable or disable them. APIs are disabled by default. For the integration to work, enable the following APIs:
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Admin SDK API
Search for each of the APIs above, open the search result and click the ENABLE button on the API's details page.