Google Service Account connections provide the Transformation Suite with access across an entire Google domain.

Google Service Account connections are the recommended method of connecting to G Suite (formerly Google Apps), as they provide enhanced performance and functionality.

Prerequisites

1. A Google Super Administrator account for the Source/Target Google Domain

2. Access to the Google Admin Console

3. Access to the Google Developer's Console (Admin)

4. Administrator access to the Transformation Suite and selected Transformation Project

Create a Google Developer Console Project

Refer to the following article for information about service account creation: https://developers.google.com/accounts/docs/OAuth2ServiceAccount

  1. Navigate to the Google Developers Console (https://console.developers.google.com) and log in with your Google Admin account.

  2. Create a project.

  3. Choose a Name and Location for the project.

Create a Service Account

  1.  Once a project has been created, click the "Use Google APIs" card and then navigate to the "Credentials" section.

  2. Expand the "Create Credentials" drop down menu, and click on "Service account key." You can leave the Role as undefined. 

  3. Create the new service account.

Note: When a service account is created, a new public/private key pair is generated and the private key is downloaded to your machine. This download is the only copy of the key, and you are responsible for storing it securely.

JSON (recommended): If a JSON key is generated, creating a Google Service Account connection in the AppBridge Transformation Platform is simplified.

P12: A P12 certificate is sufficient for creating Google Service Account connections, but creating the connection also requires the service account email and the certificate password (provided when the certificate is generated).

Enable Project APIs, Increase Quotas, and Authorize API Scopes
 

  1.  Navigate to the "API Manager" section. Enable the Drive API, Calendar API, Gmail API, Admin SDK, Contacts API and Google+ API under the "Google APIs" section in the overview menu.

    Search for "Tasks API," "Groups Migration API," and "Groups Settings API," and enable each.

    Once all of the above APIs are enabled, select each API and manually increase the Quotas under the "Quotas" section.

    Note: Quotas are capped at a certain level, so in most cases the displayed number does not reflect the actual quota level. To exceed this quota cap, you must apply to Google directly for an increase by selecting the "Apply for higher quota" link in this section.

  2.  Navigate to the Admin Console in the target Google Domain. Under "Security," click on "Advanced Settings" and locate the "Manage API Client Access" option in the Authentication section.

    Click on the "Manage API Client Access" link. Input the "Client ID" for your GCE Service account (found in the API Manager section under "Credentials"), and delegate the API scopes listed below.

    The API scopes can be added at once by copying and pasting the list of strings below into the API Scopes field:

    https://apps-apis.google.com/a/feeds/emailsettings/2.0/,
    https://spreadsheets.google.com/feeds,
    https://www.google.com/m8/feeds,
    https://www.googleapis.com/auth/admin.directory.group,
    https://www.googleapis.com/auth/admin.directory.group.member,
    https://www.googleapis.com/auth/admin.directory.orgunit,
    https://www.googleapis.com/auth/admin.directory.resource.calendar,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/apps.groups.migration,
    https://www.googleapis.com/auth/apps.groups.settings,
    https://www.googleapis.com/auth/calendar,
    https://www.googleapis.com/auth/drive,
    https://www.googleapis.com/auth/drive.appdata,
    https://www.googleapis.com/auth/drive.file,
    https://www.googleapis.com/auth/gmail.modify,
    https://www.googleapis.com/auth/tasks,
    https://www.googleapis.com/auth/userinfo.email,
    https://sites.google.com/feeds,
    https://www.googleapis.com/auth/gmail.settings.basic,
    https://www.googleapis.com/auth/gmail.settings.sharing


    Note: Repeat this process for each service account created for the project.


Create a Google Service Account Connection in the Migration Platform

Using a JSON Certificate (Recommended)

  1. Sign into an authorized Transformation Suite administrator account.
  2. Click the Connections link in the page's navigation tabs.
  3. Click the Add button in the Connections list. 
  4. Input a name for the Connection in the Name field.
  5. Select Google Service Account from the Type drop down menu.
  6. Input a super user email address in the Admin Email field.
  7. Click the Choose File button in the Service Certificate field, and upload the JSON security certificate generated when the service account was created. Click the Connect button to verify the credentials for the service account. If a failure message is presented, check the scopes and client ID of the service account to ensure accuracy.
  8. Click the Add Connection button to validate and add the Connection.

Note: For large domains, service accounts can take some time to propagate through the domain. If your client ID and scope authorization look correct, wait 24 hours and attempt to connect with the same credentials again.
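
The "check the scopes and client ID" step can be done offline before retrying. The following is an added example, not part of the original documentation or the Transformation Suite: it reads the client ID from a JSON key and compares the scopes authorized in the Admin Console against the list on this page. The function names, sample key and sample client ID are constructed for illustration.

```python
import json
import re

AUTH_PREFIX = "https://www.googleapis.com/auth/"
# Scope list copied from this page (the 20 strings pasted into the API Scopes field).
REQUIRED_SCOPES = {AUTH_PREFIX + s for s in (
    "admin.directory.group admin.directory.group.member "
    "admin.directory.orgunit admin.directory.resource.calendar "
    "admin.directory.user apps.groups.migration apps.groups.settings "
    "calendar drive drive.appdata drive.file gmail.modify tasks "
    "userinfo.email gmail.settings.basic gmail.settings.sharing").split()} | {
    "https://apps-apis.google.com/a/feeds/emailsettings/2.0/",
    "https://spreadsheets.google.com/feeds",
    "https://www.google.com/m8/feeds",
    "https://sites.google.com/feeds",
}

def parse_scopes(text):
    """Split a pasted scope string on commas/whitespace; ignore a trailing '/'."""
    return {s.rstrip("/") for s in re.split(r"[,\s]+", text) if s}

def check_connection_inputs(key_text, authorized_scopes):
    """Return (client_id, problems) for a JSON key and the scopes authorized for it."""
    problems = []
    key = json.loads(key_text)
    if key.get("type") != "service_account":
        problems.append("key type is not 'service_account'")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            problems.append(f"key is missing '{field}'")
    client_id = str(key.get("client_id", ""))
    if client_id and not client_id.isdigit():
        problems.append("client_id is not numeric")
    granted = parse_scopes(authorized_scopes)
    required = {s.rstrip("/") for s in REQUIRED_SCOPES}
    problems += [f"missing scope: {s}" for s in sorted(required - granted)]
    problems += [f"unexpected scope: {s}" for s in sorted(granted - required)]
    return client_id, problems

# Constructed sample input: not a real key, client ID or service account.
SAMPLE_KEY = json.dumps({"type": "service_account", "client_id": "100000000000000000001",
    "client_email": "migration@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER"})
SAMPLE_SCOPES = ",\n".join(sorted(REQUIRED_SCOPES - {AUTH_PREFIX + "tasks"})
                           + [AUTH_PREFIX + "drive.readonly"])

if __name__ == "__main__":
    cid, found = check_connection_inputs(SAMPLE_KEY, SAMPLE_SCOPES)
    print(cid, *(found or ["no problems found"]), sep="\n")
```

Scopes beyond the list are reported as well as missing ones, because domain-wide delegation lets the key act as any user in the domain within whatever scopes are authorized.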


Using a P12 Certificate (Not Recommended)

  1. Sign into an authorized Transformation Suite administrator account.

  2. Click the Connections link in the page's navigation tabs.

  3. Click the Add button in the Connections list. 

  4. Input a name for the Connection in the Name field.

  5. Select Google Service Account from the Type drop down menu.

  6. Input a super user email address in the Admin Email field.

  7. Click the Choose File button in the Service Certificate field, and upload the P12 security certificate generated when the Service account was created.

  8. Enter the service account email address from the previously generated service account in the Service Email field.

  9. Enter the certificate password for the P12 certificate in the Certificate Password field.

  10. Click the Connect button to verify the credentials for the service account. If a failure message is presented, check the scopes and client ID of the service account to ensure accuracy.

    Note: For large domains, service accounts can take some time to propagate through the domain. If your client ID and scope authorization look correct, wait 24 hours and attempt to connect with the same credentials again.

  11. Click the Add Connection button to validate and add the Connection.

 

 
