# Setting up Google service accounts

Source: https://developer.nylas.com/docs/provider-guides/google/google-workspace-service-accounts/

A service account is a special type of Google account. It represents a non-human user that needs to authenticate and be authorized to access data in the Google APIs.

> **Info:** 
> **Service accounts are supported for Google Calendar only**.

This page describes how to set up a service account and authorize users.

## Create a service account

Follow these steps to create a Google service account:

1. From the Google Cloud Platform dashboard, navigate to **IAM & admin > Service Accounts**.
2. Select your project and click **Create service account**.
3. Enter a **name**, **ID**, and **description** for the service account.
4. Click **Create and continue**.
   ![The Google Cloud Platform interface showing the "Create service account" page. The "Service account details" section is displayed, and the ID field is filled in with demo information.](/_images/service-accounts/google_create_service_account.png "Create service account")
5. (Optional) Grant the service account access to your GCP app.
6. (Optional) Grant users access to the service account.
7. Click **Done**.

### (Optional) Create a service account key

If you choose to delegate domain-wide authority, you'll need the client ID for your GCP app. You can access it in two ways:

- Using the [service account key](#optional-create-a-service-account-key), if you made one.
  ![A close-up of a JSON snippet. The "client_id" parameter is circled in red.](/_images/service-accounts/google_service_client_id_json.png "Client ID in Service Account key")
- From the Details page for your GCP app.
  ![A close-up of the Google Cloud Platform interface. The "Details" page for an application is shown, and the "Unique ID" field is circled in red.](/_images/service-accounts/google_service_accounts_client_id_details_page.png "Unique ID in application details")

After you have your client ID, follow these steps to delegate domain-wide authority:

1. From the Google Cloud Platform dashboard, navigate to **Security > Access and data control > API controls**.
2. In the **Domain wide delegation** pane, select **Manage domain wide delegation**.
3. Click **Add new**.
4. Enter your GCP app's **client ID**.
5. Enter the following **OAuth scopes**:
   - `https://www.googleapis.com/auth/userinfo.email`
   - `https://www.googleapis.com/auth/userinfo.profile`
   - `https://www.googleapis.com/auth/calendar`
   - `https://www.googleapis.com/auth/admin.directory.user.readonly`
6. Click **Authorize**.

## Authenticate users with a service account

To authenticate a user with a service account's credentials, make a [Bring Your Own Authentication request](/docs/reference/api/manage-grants/byo_auth/). Pass the user's `email_address`, and include the service account's `credential_id`.

> **Info:** 
> **You must use a real account, _not_ an alias, when authenticating users with service accounts**. The domain names for the service account and the user's email address must match. For example, if the service account credential is `service@example-1.com` and the user's email address is `leyah@example-2.com`, the auth process will fail.

```bash
curl --request POST \
  --url 'https://api.us.nylas.com/v3/connect/custom' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <NYLAS_API_KEY>' \
  --header 'Content-Type: application/json' \
  --data '{
    "provider": "google",
    "settings":
    {
      "email_address": "user@gmailworkspace.com",
      "credential_id": "<GOOGLE_SERVICE_ACCOUNT_ID>"
    },
    "scope": [
      "https://www.googleapis.com/auth/userinfo.email",
      "https://www.googleapis.com/auth/userinfo.profile"
    ],
    "state": "my-state"
  }'
```

Currently, you cannot use a service account to bulk authenticate room resources.
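
The domain-match rule and the scopes authorized during domain-wide delegation can be checked locally before the request is sent. The Python below is an added example, not Nylas code: `email_domain`, `build_custom_auth_body` and the `credential_email` parameter are hypothetical names, and it assumes that requested scopes should be among those authorized in the delegation step.

```python
import json

# Scopes this page lists for domain-wide delegation.
DELEGATED_SCOPES = {
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}


def email_domain(address):
    """Return the lower-cased domain of an email address, or raise ValueError."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def build_custom_auth_body(user_email, credential_email, credential_id, scopes, state):
    """Check the inputs against the page's rules and return the JSON request body.

    credential_email is the address of the service account credential, as in
    the page's `service@example-1.com` example (hypothetical parameter).
    """
    if not credential_id:
        raise ValueError("credential_id is required")
    # Rule from the page: both domains must match or authentication fails.
    if email_domain(user_email) != email_domain(credential_email):
        raise ValueError("user and service account credential domains differ")
    # Assumption: only scopes authorized for delegation should be requested.
    extra = sorted(set(scopes) - DELEGATED_SCOPES)
    if extra:
        raise ValueError(f"scopes not authorized for delegation: {extra}")
    return json.dumps({
        "provider": "google",
        "settings": {
            "email_address": user_email.strip(),
            "credential_id": credential_id,
        },
        "scope": list(scopes),
        "state": state,
    })
```

Pass the returned string as the `--data` body of the request shown above. An alias cannot be detected offline, so that rule still has to be checked against the directory.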