For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Logo
DeveloperAcademyCommunityStatus
  • Getting Started
    • Welcome to Moveworks
    • Roadmap & Release Notes
    • Moveworks Best Practices
    • Labs
    • Professional Services
    • Support
  • AI Assistant
    • AI Assistant Overview
    • Capabilities
    • Web Experiences
    • Analytics & Performance
  • Enterprise Search
    • Overview
    • Agentic RAG Overview
    • Content Ingestion Platform
    • Profile Boosting
    • Retrieval
    • Permissions Platform
    • Built-in Content Connectors
    • Build your own Content Connectors
    • Configure Search
      • File Ingestion
        • File Search FAQ
        • How to Configure ServiceNow File Ingestion
        • How to Configure Google Drive File Search
        • Troubleshooting File Ingestion From Google Drive
        • File Search Google Drive Setup Guide: Service Account with Domain-Wide Delegation
      • Internal Knowledge Ingestion
      • Moveworks FAQ (Google Sheets Integration)
      • Indexed Content
      • Configure Search Plugin Settings
      • Content / Search Troubleshooting Guide
    • Configure Enterprise Search
    • Vetted Content
    • Writing AI-Ready KB Articles
    • Document Chunking and Snippetization Overview
  • Productivity Boost
    • Overview
    • Configure Productivity Boost
    • Quick GPT
    • Calendar Management
    • Brief Me
DeveloperAcademyCommunityStatus
On this page
  • 1. Create Google Cloud Project
  • 2. Grant SDK Scopes to Project
  • 3. Create a Service Account and Generate a JSON Web Token
  • 4. Add API Scopes to Service Account
  • 5. Share Desired Google Drive Folders with Service Account
  • 6. Create Google Drive Connector and Configure File Ingestion
  • 7. Launch File Search to your employees (if not already)
Enterprise SearchConfigure SearchFile Ingestion

File Search Google Drive Setup Guide: Service Account with Domain-Wide Delegation

||View as Markdown|
Was this page helpful?
Edit this page
Previous

Internal Knowledge Ingestion

Next
Built with

The recommended approach for access is with a custom admin role. The following instructions are functional but Moveworks is unsure if Google has any plans to deprecate this.

This document describes the option available to create a service account with Domain wide Delegation privileges, dedicated for Moveworks to ingest your Google Drive files, users, and groups for permission-enforced File Search. Moveworks will use the Service Account credentials to impersonate a Workspace admin, with privileges to read the desired folders/files, and groups/users of the Workspace.

1. Create Google Cloud Project

  1. Create a Google Cloud Project for Moveworks
    1. Sign into https://console.cloud.google.com/cloud-resource-manager using an account with Google Workspace Super Admin privileges
    2. Click +Create Project
    3. Name the project Moveworks and select the top-level organization OU for your Google Workspace
    4. Click Create
    5. Once completed, click Select Project from Notifications or via Search

2. Grant SDK Scopes to Project

  1. Turn on the Admin SDK and Google Drive APIs for your Google Cloud Project
    1. From the top-left Navigation Menu, click APIs & Services > Enabled APIs & Services.
    2. Click +Enable APIs & Services.
    3. Search for each of the following APIs, and select Enable:
      • Admin SDK
      • Google Drive API

3. Create a Service Account and Generate a JSON Web Token

  1. From the top-left Navigation Menu, click APIs & Services > Credentials.

  2. Click +Create Credentials > Service account.

  3. For Service account name, enter Moveworks

  4. (Optional) Enter Service account description, if desired

  5. Click Create and Continue.

  6. Click Done > Save.

  7. Copy the Service Account email. You’ll need this later.

  8. Create the service account key

    1. Select the newly created Service Account.

    2. Copy the Unique ID and save it for later. You’ll need this later.

    3. At the top of the page, click Keys > Add Key > Create new key.

    4. Make sure the key type is set to JSON and click Create.

      You’ll get a message that the service account’s private key JSON file was downloaded to your computer. Save this JSON file, as you’ll need this later.

    5. Click Close on the pop-up window.

4. Add API Scopes to Service Account

  1. Add domain-wide delegated OAuth API scopes to the service account
    1. Sign into your Google Admin Console using an account with Super Admin privileges
    2. Navigate through the following: Menu > Security > Access and data control > API controls > Manage Domain-Wide Delegation.
    3. Click Add New.
    4. In the Client ID field, enter the service account’s Unique ID saved in Step 2.
    5. Under OAuth Scopes, grant Moveworks the following scopes:
      1. https://www.googleapis.com/auth/admin.directory.group.readonly
      2. https://www.googleapis.com/auth/admin.directory.user.readonly
      3. https://www.googleapis.com/auth/drive.metadata.readonly
      4. https://www.googleapis.com/auth/drive.readonly
    6. Click Authorize.

5. Share Desired Google Drive Folders with Service Account

  1. In this step, make sure that each Google Drive Folder you wish to ingest has been shared access with the new Service Account with Custom Admin privileges that you have built in previous steps.

6. Create Google Drive Connector and Configure File Ingestion

Configure Google Drive Connector in MW Setup

  1. Create a Google Drive connector

  2. Select Service Account Auth

  3. Open the JSON Key text file from Step 2 and copy the content of the “private_key”

  4. Open a new text file and paste the private key. Make sure new line characters, if applicable, are replaced with new lines. Once formatted correctly save the file as a .pem file type.

    1. The formatting show look similar to the below:

  5. Upload the .pem file from the previous step in the Gdrive Service Account Auth Private Key field.

  6. Important: Under “Impersonated User”, provide the email of a Google Workspace admin, or user/service account with access to read all Users/Groups

Configure File Ingestion

Note, if user ingestion has not been set up previously, reach out to your Customer Success team

  1. In the MW Setup, go to the Search > Configure Search > Classic Ingestion > Files.
  2. Select the Google Drive Connector and provide a Name* your File ingestion config
  3. Continue to the Ingestion Details page and Specify each Folder, using the Folder IDs
    1. Copy and paste Folder IDs in the following manner:
      1. If the URL of your Google Drive folder is <https://drive.google.com/drive/folders/FOLDERID, then input the FOLDERID
    2. Please double check that each Folder has been shared access with the new Google Workspace User with Custom Admin privileges that you have built in previous steps
    3. You can assign a Domain to each Folder, i.e IT, HR, Finance, etc.– this Domain is used for tagging in Analytics, enabling you to filter Search usage for each of your domains
  4. Save the File Ingestions

7. Launch File Search to your employees (if not already)

  1. Refer back to the main File Search Self-Serve guide: File Search Self-Serve – Configuration Guide.