Skip to content
Docs
or

Set up Google service accounts

A service account is a special type of Google account. It represents a non-human user that needs to authenticate and be authorized to access data in the Google APIs.

Service accounts are supported for Google Calendar only.

This page describes how to set up a service account and authorize users.

Create a service account

Follow these steps to create a Google service account:

  1. From the Google Cloud Platform dashboard, navigate to IAM & admin > Service Accounts.
  2. Select your project and click Create service account.
  3. Enter a name, ID, and description for the Service Account.
  4. Click Create and continue. The Google Cloud Platform interface showing the "Create service account" page. The "Service account details" section is displayed, and the ID field is filled in with demo information.
  5. (Optional) Grant the service account access to your GCP app.
  6. (Optional) Grant users access to the service account.
  7. Click Done.

(Optional) Create a service account key

If you choose to delegate domain-wide authority, you’ll need the client ID for your GCP app. You can access it in two ways:

After you have your client ID, follow these steps to delegate domain-wide authority:

  1. From the Google Cloud Platform dashboard, navigate to Security > Access and data control > API controls.

  2. In the Domain wide delegation pane, select Manage domain wide delegation.

  3. Click Add new.

  4. Enter your GCP app’s client ID.

  5. Enter the following OAuth scopes:

    https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/admin.directory.user.readonly

  6. Click Authorize.

Authenticate users with a service account

To authenticate a user with a service account’s credentials, make a Custom Authentication request. Pass the user’s email_address, and include the service account’s credential_id.

You must use a real account, not an alias, when authenticating users with service accounts. The domain names for the service account and the user’s email address must match. For example, if the Service Account credential is [email protected] and the user’s email address is [email protected], the auth process will fail.

curl --request POST \
  --url 'https://api.us.nylas.com/v3/connect/custom' \
  --header 'Accept: application/json, application/gzip' \
  --header 'Authorization: Bearer <NYLAS_API_KEY>' \
  --header 'Content-Type: application/json' \
  --data '{
    "provider": "google",
    "settings":
    {
      "email_address": "[email protected]",
      "credential_id": "<GOOGLE_SERVICE_ACCOUNT_ID>"
    },
    "scope": [
      "https://www.googleapis.com/auth/userinfo.email",
      "https://www.googleapis.com/auth/userinfo.profile"
    ],
    "state": "my-state"
  }'

Currently, you cannot use a service account to bulk authenticate room resources.