Google Workspace Service Accounts
A service account is a special type of Google account that represents a non-human user that needs to authenticate and be authorized to access data in Google APIs. Only Google Calendar is supported.
In this guide, you'll learn how to set up your service account and authorize users.
Google Workspace Service Accounts Setup
Create Service Account
- Open Service Accounts in Google Cloud Platform.
- Select your project and click Create Service Account.
Service Account Details
- Fill in the Service account name, Service account ID, and Service account description fields.
- Click Create and Continue.
- You can also complete the two optional steps if you'd like to grant the account access to a project or grant users access to the account.
Create Service Account Key
- Select the account from the list of service accounts.
- Click Keys.
- Select Add Key.
- Click Create new key.
- Select JSON and a new key will be downloaded. Make sure to store this key somewhere safe.
Delegate Domain Wide Authority
You'll need your Client ID for this step. You can access it in two ways:
- The key you downloaded above will have the Client ID.
- The Unique ID on the Details page.
You can get your Client ID from the service accounts JSON download.
You can also get your Client ID from the details page.
- Log in to the Google Workspace Admin console.
- From the Main menu, click Security > Access and data control > API controls.
- In the Domain wide delegation pane, select Manage Domain Wide Delegation.
- Click Add New.
- Enter the Client ID obtained from the service account creation steps above.
- In the OAuth Scopes field, enter the following text:
  https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize.
Authenticate Users
To authenticate a user using a service account's credentials, pass the user email as email_address. The settings object will contain the service account's credentials.
Aliases and Service Accounts
You must use the real account and not an alias when authenticating users with service accounts. The domain names for the service account and the user must match. For example, if the service account credential is under @contoso.com but the user account is @bravo.com, it'll fail.
# email_address is the account to be authenticated.
# settings.service_account_json holds the service account credentials.
curl -X POST https://api.nylas.com/connect/authorize -d '{
  "client_id": "nylas_client_id",
  "name": "Nyla the Cheetah",
  "email_address": "[email protected]",
  "provider": "gmail",
  "settings": {
    "service_account_json": {
      "type": "service_account",
      "project_id": "my-google-app-123456",
      "private_key_id": "68915b4e55baac9191dd32e0be784687c6873b14",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE....fZ1F8=\n-----END PRIVATE KEY-----\n",
      "client_email": "test-service-account@my-google-app-123456.iam.gserviceaccount.com",
      "client_id": "10569134234239528168761",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40my-google-app-123456.iam.gserviceaccount.com"
    }
  },
  "scopes": "calendar"
}'
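An added example, not Nylas's or Google's code: a pre-flight check for the downloaded key before it goes into the request above. It refuses a key file that other local users can access, confirms the fields shown in the request are present, builds the body with a JSON serializer, and returns a copy with the private key masked for logging. The function names, the 600 file-mode policy and the sample values are assumptions made for this example.

```python
import json, os, stat, tempfile

# Fields of the service account key shown in the request on this page.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

def load_service_account_key(path):
    """Load the downloaded JSON key; reject loose file modes or missing fields."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX permission bits assumed
        raise PermissionError(f"{path} has mode {mode:o}; restrict it to 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected key type {key['type']!r}")
    return key

def build_authorize_body(key, nylas_client_id, name, email_address):
    """Assemble the same fields as the curl request, as guaranteed-valid JSON."""
    return {"client_id": nylas_client_id, "name": name,
            "email_address": email_address, "provider": "gmail",
            "settings": {"service_account_json": key}, "scopes": "calendar"}

def redact(body):
    """Deep copy of the body that is safe to log: the private key is masked."""
    safe = json.loads(json.dumps(body))
    safe["settings"]["service_account_json"]["private_key"] = "<redacted>"
    return safe

def demo():
    # Constructed sample key with placeholder values, not a real credential.
    sample = dict.fromkeys(REQUIRED, "placeholder")
    sample.update(type="service_account", client_id="100000000000000000000")
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates the file 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(sample, fh)
    try:
        key = load_service_account_key(path)
    finally:
        os.remove(path)
    body = build_authorize_body(key, "nylas_client_id", "Nyla the Cheetah",
                                "user@example.com")
    return key["client_id"], body, redact(body)

if __name__ == "__main__":
    print(json.dumps(demo()[2], indent=2))
```

The first value returned by `demo()` is the key's `client_id`, which is the Client ID entered in the Domain Wide Delegation step.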