Only show these results:

Google Workspace Service Accounts

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Only Google Calendar is supported.

You'll learn how to set up your Service account and authorize users.

Google Workspace Service Accounts Set Up

Step 1 Create Service Account

  1. Open Service Accounts in the Google Cloud Platform.
  2. Select your project and click Create Service Account.

Step 2 Service Account Details

  1. Fill out the form for Service account name, Service account ID ,and Service account description.
  2. Click Create and Continue.

Create Service Account

Step 3 Grant This Service Account Access to Project

This is an optional step and can be skipped. The project defaults to owner access.

Step 4 Grant Users Access to This Service Account

This is an optional step and can be skipped.

Step 5 Create Service Account Key

  1. Select the account from the list of Service accounts.
  2. Click Keys.
  3. Select Add Key > Create new key
  4. Select JSON and a new key will be downloaded. Treat your key like a password and store it securely.

Create a new key. Google Service Accounts

Step 6 Delegate Domain Wide Authority

You'll need your Client ID. You can access that in two ways:

  • The key you downloaded in Step 5 will have the Client ID.
  • The Unique ID on the Details page.

Shows the Google Service Account details page with the client ID highlighted.
You can get your Client ID from the details page.

Shows the Google service account keys JSON download with the client ID highlighted.
You can get your Client ID from the service accounts JSON download.

  1. Go to Google Workspace Admin console.
  2. Go to Security > API Controls.
  3. Under Domain wide delegation , click Manage Domain Wide Delegation.
  4. Click Add New
  5. Enter the Client ID.
  6. In the OAuth scopes field, enter the following text:
https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/admin.directory.user.readonly   

Click Authorize.

Authenticate Users

To authenticate a user using a service account's credentials, pass the user email as email_address. The settings object will contain the service account's credentials.

Aliases and Service Accounts

You must use the real account, rather than an alias, when authenticating users with service accounts. The domain names for the service account and the user must match. For example, if the service account credential is under @contoso.com but the user account is @bravo.com, it will fail.

curl -X POST https://api.nylas.com/connect/authorize -d '{
"client_id": "nylas_client_id",
"name": "Nyla the Cheetah",
"email_address": "nyla@gmail.com", # Account to be authenticated
"provider": "gmail",
"settings": {
"service_account_json": { # Service account credentials
"type": "service_account",
"project_id": "my-google-app-123456",
"private_key_id": "68915b4e55baac9191dd32e0be784687c6873b14",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIE....fZ1F8=\n-----END PRIVATE KEY-----\n",
"client_email": "test-service-account@my-google-app-123456.iam.gserviceaccount.com",
"client_id": "10569134234239528168761",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40my-google-app-123456.iam.gserviceaccount.com"
}
}
"scopes": "calendar"
}'