This page is for the Google Drive (Next Gen) connector and it can only be configured within the new enterprise search configuration experience explained below.
Please visit this documentation to learn more about Next Gen and Classic connectors.
Google Drive is your organization’s primary file storage and collaboration platform. From an enterprise search perspective, it is a rich corpus of documents (Docs, Slides, PDFs, etc.) across Shared Drives, My Drive and Shared with me. Moveworks connects to Google Drive to ingest and index content with its metadata and permissions, ensuring users only see results they’re authorized to view.
Moveworks supports two authentication methods. You will configure one Moveworks Google Drive connector using either method based on your requirements.
Moveworks honors Google Drive ACLs end-to-end:
The Google Drive connector for Moveworks supports file-based content including Docs, Slides, and PDFs along with associated metadata such as titles, MIME types, owners, and permissions.
Files with no extractable text content are excluded from ingestion and will not appear in Moveworks search results. This includes image-only PDFs, scanned documents without an OCR text layer, and blank documents.
Ensure that files you want to be searchable contain readable text rather than purely image-based or blank content.
Moveworks supports two authentication methods for connecting to your Google Drive instance—OAuth 2.0 Authorization Code Grant and Service Account without Domain-Wide Delegation. Both methods securely ingest content from Shared Drives; however, Moveworks recommends OAuth 2.0 because it also enables ingestion of private user content with user consent. Choose the option that best aligns with your organization requirements.
Before you get started, make sure you have everything you need:
Admin permissions
List of Shared Drives to ingest
Before configuring authentication, you’ll need to create and prepare a Google Cloud Project. All subsequent setup steps (Service Account or OAuth 2.0) will be performed within this project.
Create a New Google Cloud Project
Visit the Google Cloud Console.
Under your organization, click New Project.
Enter a project name (for example, Moveworks), select your organization and click Create.
Now that you’ve created your project, the next step is to enable the Google Drive API for it. For all subsequent operations, please make sure you are performing them within the “Moveworks” project, as shown below.
Enable Required APIs
After creating your project, you must enable APIs required for Moveworks integration.
Go to APIs & Services→ Library.
Search for and enable the following APIs:
Google Drive API
Admin SDK API Once enabled, these APIs allow Moveworks to access shared content, read permissions and handle incremental updates.
Generate Credentials
Depending on your authentication method, you’ll generate either an OAuth 2.0 Client or a Service Account key.
Option 1: OAuth 2.0 Authorization Code Grant
The OAuth 2.0 method allows you to ingest shared content by default and optionally include private user content with explicit consent.
Setup Custom Super Admin
You’ll need to create a dedicated Custom Super Admin user within your Google Workspace domain. This user will be used to authorize the Moveworks connector and access shared content.
Steps:
Go to Directory → Users → Add new user.
Enter the user’s first name, last name, and primary email.
(Recommended) Add a recovery/secondary email for account recovery.
Choose a password option: auto-generate a strong password or create a password; store it securely.
Click Add new user.
Keep the new user’s sign-in email handy; you’ll assign the Super Admin role in the next step.
Go to Account → Admin roles.
Select Super Admin, then open the Admins section.
Click Assign users, enter the user’s sign-in email and click Assign role.
Grant Access to Shared Drives
Grant the Custom Super Admin access to every Shared Drive you want Moveworks to index.
Configure OAuth 2.0 Application
Visit the Google Cloud Console
Go to APIs & Services → OAuth Consent Screen
In the Overview section, click Get started.
Under App information, enter:
Audience: select Internal (only users in your Google Workspace domain)
Enter your Google super admin email under Contact Information.
Check the Google API Services User Data Policy acknowledgment.
Click Continue, then Create.
Go to OAuth Consent Screen → Branding
Click +Add Domain, then add moveworks.com as an authorized domain.
Add Developer contact information (e.g. Google admin email)
Click Save
Go to APIs & Services → Credentials → Create Credentials → OAuth Client ID
Application Type: Web Application
OAuth 2.0 client Name: Moveworks App
Add Redirect URI’s mentioned below:
<your_org_name>.moveworks.com/auth/oauthCallback
Replace <your_org_name> with with your Moveworks organization name. (e.g.https://acme.moveworks.com/auth/oauthCallback)
Once complete, a confirmation modal should display your client ID and client secret. Download the JSON file to a secure environment (e.g. your work laptop).
Connect Moveworks to Google Drive (Manual OAuth Setup)
The OAuth 2.0 authorization process for Google Drive is performed manually by your administrator. This process generates a refresh token for your Custom Super Admin account, which must later be entered in the Moveworks Setup Dashboard during connector configuration.
Follow the steps below to generate and verify your OAuth credentials.
Step 1: Initiate OAuth 2.0 Authorization Code Flow
You will manually initiate the OAuth flow to authorize your Custom Super Admin user account and retrieve an authorization code.
Construct the Authorization URL
Use the following Google OAuth 2.0 Authorization endpoint and scopes:
Why These Scopes Are Required
When initiating the OAuth 2.0 Authorization Code Flow, Moveworks requests the following scopes to ensure comprehensive ingestion of Google Drive content and accurate permissions mapping.
Authorize and Retrieve the Authorization Code
Open the constructed URL in a new browser tab.
Sign in using your Custom Super Admin credentials.
Grant the requested permissions when prompted.
After successful authorization, Google will redirect you to:
Copy the authorization code value from the URL — you’ll need it in the next step.
Step 2: Exchange Authorization Code for Access & Refresh Tokens
Use the authorization code to obtain the access token and refresh token. You can perform this request using cURL or Postman.
POST Request:
Parameters Explained:
Save the refresh_token securely — it will be required when configuring the Moveworks connector.
Testing Your OAuth App Refresh Token Access (Optional)
You can verify that your refresh token and scopes work correctly before proceeding.
Get Access Token Using Refresh Token
Use your saved refresh token to generate a new access token.
POST Request:
Sample Response:
Validate API Access
Once you have a valid access token, test your setup using the following sample API calls.
List Files
Once you have successfully hit the /files API and retrieved a file list, copy one of the returned file IDs and use it in the following cURL request to validate file-level permissions.
Get File Permissions
List Users
List Groups
Option 2: Service Account without Domain-Wide Delegation
Use this method to ingest Shared Drives and files explicitly shared with a Service Account — no user impersonation or consent required.
**Create Service Account **
Visit the Google Cloud Console
Go to IAM & Admin → Service Accounts.
Click Create Service Account.
Name it (e.g., moveworks-drive-bot)
Assign the role Project → Editor (can be reduced later).
Select the newly created service account → go to Keys → Add Key → Create new key → JSON.
Click Create and save the downloaded JSON file securely.
Create Custom Admin Role
Log in to the Google Admin Console using your Google Workspace admin credentials.
Go to Account → Admin roles → Create new role.
Enter the role info:
Name: Moveworks
Description: Read users, groups, and organizational units
Under Admin API Privileges, grant:
Click Continue, then Create role.
Assign the service account to the role
Open the custom role you created.
Click Assign service accounts.
Enter the service account email.
Click Add, then Assign role.
Customer ID Reference
When using the Service Account without Domain-Wide Delegation, Moveworks also requires your Google Workspace Customer ID to look up user and group metadata via the Admin SDK endpoints (/users and /groups).
This value ensures that Moveworks can correctly associate Drive permissions with your organization’s directory users and groups during Enterprise Search configuration.
How to Find Your Customer ID
Grant Shared Drive Access
This method enables ingestion of Shared Drives and optionally, private user content (when end-user consent is granted).
Fill out the following fields:
This method ingests content only from Shared Drives or files explicitly shared with the Service Account. It does not impersonate users or ingest private user data.
Fill out the following fields:
Connector Name — Name this connector for your reference. Once set, this name cannot be changed.
Service Account Email — The email ID of your Service Account (<service-account>@<project>.iam.gserviceaccount.com).
Private Key File Upload — Upload a .pem file that contains only the private key (without any line breaks).
Open the JSON file in a text editor (e.g., VS Code or Notepad++).
Copy the string under "private_key".
Remove all \n line breaks so the key becomes a single continuous line.
Save the result in a new file named gdrive_private_key.pem.
Example .pem File Content
System Overview: This presents an overview of Google Drive support from Moveworks
Ingestion Summary: This provides information on the count of records that has been ingested and serving. The values will appear after the first successful ingestion run.
Connector Selection: In this configuration block, you are required to select the required connector to enable Moveworks to connect and fetch data
Content Selection: In this configuration block, you are required to define the content that should be ingested within Moveworks
Once you click on Select Connector, a connector setup screen will appear as follows
Select the connector (from the dropdown) that you have created in the Connector Creation step.
Please note: Only the Google Drive (Next Gen) connectors will appear in this list.
Once the connector is selected, you need to click on Start Validation to validate the connector credentials and required scope.
Connector Validation
This is a mandatory step in order to save the configuration and move to the next step.
Moveworks validates the selected connector to check:
If you’re using Service Account authentication, make sure to enter your Google Workspace Customer ID before starting validation. This allows Moveworks to verify user and group access correctly.
If the connector is validated successfully, you will see a green info banner as follows
Once the connector is validated successfully, you will be able to Save the configuration.
Input the unique configuration name and Save.
Once the configuration is saved, you can view the unique configuration name at the top of the screen. You can also click the pencil 🖊️ icon to edit the configuration name.
Additionally, you will start seeing an entry of your configuration in the Enterprise Search home page. You can click on your configuration to go to edit/ complete the configuration.
Once the connector selection step is complete and the configuration is saved, you will now be required to define the scope of content that will be ingested in Moveworks.
Once you click on Select Content, a content selection screen will appear as follows
In this screen, you are required to define the Shared Drives from which Moveworks will ingest content and apply filters (optionally) to filter down the content further.
Shared Drive Selection: This is a mandatory configuration. This configuration defines which shared drives Moveworks will crawl and ingest content from. As an admin, you get three option
Only selected shared drives (Recommended): Moveworks will ingest content only from the specified shared drives.
When to choose this option?
Choose this option if you want content to be served only from a subset of Shared Drives that are accessible to the Service Account or Custom Super Admin. For example — let’s assume your Service Account or Custom Super Admin has access to 15 Shared Drives, but you only want Moveworks to index 5 of them. In that case, choose this method.
Important Note: The Service Account (or Super Admin account used for OAuth) must have Content Manager access to each specified Shared Drive in order for Moveworks to crawl it successfully.
How to configure? Enter comma-separated Shared Drive IDs or names in the configuration field.
All except selected Moveworks will ingest content from all shared drives except the ones specified.
When to choose this option?
Choose this option if you want Moveworks to index almost all Shared Drives except a few shared drives. For example — let’s assume your Service Account or Custom Super Admin has access to 60 Shared Drives, but you want Moveworks to index only 58 of them. Choose this method and specify the 2 drives you want to exclude.
Important Note: The Service Account (or Super Admin account used for OAuth) must have Content Manager access to each specified Shared Drive in order for Moveworks to crawl it successfully.
How to configure? Enter comma-separated Shared Drive IDs or names in the configuration field.
All Shared Drives: Moveworks will ingest content from all applicable shared drives.
When to choose this option?
Choose this option if you want Moveworks to index content from every Shared Drive available to your Service Account or Custom Super Admin. For example — if your Service Account or Custom Super Admin has access to 20 Shared Drives and you want content from all 20 to be searchable, this method is the simplest choice.
Important Note: The Service Account (or Super Admin account used for OAuth) must have Content Manager access to each specified Shared Drive in order for Moveworks to crawl it successfully.
How to configure? Select this option. You are not required to specify Shared Drive IDs in this case.
Additional Filters: Use these filters to narrow the content ingestion scope further. Only records matching ALL of the the specified criteria will be included.
Currently following filters are supported:
Note: We support absolute dates only. Relative ranges (e.g., “last 7 days,” “older than 1 year”) are not supported.
Once Shared Drives selection is configured, you have two options:
Save: Clicking this will just save the configuration and not initiate the first ingestion crawl. Use this option, if you would want to complete your configuration in multiple sessions/ sittings.
Once you click on Save, you will be redirected to the Google Drive overview screen
You will notice a banner that prompts you to Start Ingestion
Once you are satisfied with your configuration, you can click on Start Ingestion
A confirmation popup will come that provides a summary of the configuration
Click on Confirm
After you click on Confirm, ingestion will start shortly.
For the first crawl to complete, this generally takes anywhere from few hours to 48 hours depending upon the size of the data.
Save and Start Ingestion: Click this option if you have completed and validated your content selection configuration and you are ready to initiate the first ingestion crawl.
A confirmation popup will come that provides a summary of the configuration
Click on Confirm
After you click on Confirm, ingestion will start shortly.
Important Note for Admins:
This section helps you resolve common issues related to credentials or scopes when validating your Google Drive connector in Enterprise Search configuration.
Note: The troubleshooting steps apply to both Service Account and OAuth 2.0 authentication methods unless explicitly mentioned in the steps.
Check Connector Configuration:
Error Message(s):
Possible Causes(s)
Resolution Steps
Test your Google Drive connector in API Playground
/drive/v3/files?corpora=allDrives&supportsAllDrives=true&includeItemsFromAllDrives=true/drive/v3/files?q='me'+in+ownersError Message(s):
Possible Causes(s)
Resolution Steps
Navigate to Google Drive > Shared drives
Select a shared drive where you granted Service Account access
Click Manage members
Confirm the Service Account has Content manager access (not just viewer)
Go to Moveworks Setup > Connectors > API Playground
Import the Google Drive connector used for Enterprise Search
Fetch content with files API endpoint (with query parameters): /drive/v3/files?corpora=allDrives&supportsAllDrives=true&includeItemsFromAllDrives=true
cURL for reference
Copy the id of any file from the API response
Fetch permissions for the file with the permissions API endpoint: /drive/v3/files/{{id}}/permissions?supportsAllDrives=true
cURL for reference
Error Message(s):
Possible Causes(s)
groups > read scope not included in the admin console (only for Service Account auth method)Resolution Steps
groups > read in the custom admin role (created following the Moveworks access requirements guide)Go to Moveworks Setup > Connectors > API Playground
Import the Google Groups connector used for Enterprise Search
Test the groups API endpoint: /groups?customer={{customer_id}} and copy the group email ID of the first group
cURL (for Service Account without Domain Wide Delegation)
cURL (for Oauth 2.0 with refresh token grant)
Test the group members:
cURL for reference
Error Message(s):
Possible Causes(s)
users > read scope not included in the admin console (only for Service Account auth method)Resolution Steps
users > read in the custom admin role (created following the Moveworks access requirements guide)Go to Moveworks Setup > Connectors > API Playground
Import the Google Users connector used for Enterprise Search
Test the users API endpoint:
/admin/directory/v1/users?customer={{customer_id}}
cURL for reference (for Service Account without Domain Wide Delegation)
cURL for reference (for Oauth 2.0 with refresh token grant)