File Search Google Drive Setup Guide: Service Account with Custom Admin Role
Note: This document describes the option available to create a Service Account with Custom Admin privileges, dedicated for Moveworks to ingest your Google Drive files, users, and groups for permission-enforced File Search.
1. Create Google Cloud Project and Grant Scopes to Moveworks Project
1. Create Google Cloud Project
- Create a Google Cloud Project for Moveworks
- Sign into https://console.cloud.google.com/cloud-resource-manager using an account with Google Workspace Super Admin privileges
- Click +Create Project
- Name the project Moveworks and select the top-level organization OU for your Google Workspace
- Click Create
- Once completed, click Select Project from Notifications or via Search
2. Grant SDK and API Scopes to Project
- Turn on the Admin SDK and Google Drive APIs for your Google Cloud Project
- From the top-left Navigation Menu, click APIs & Services > Enabled APIs & Services.
- Click +Enable APIs & Services.
- Search for each of the following APIs, and select Enable:
- Admin SDK
- Google Drive API
2. Create a Service Account and Save Service Account Key
- Navigate to APIs & Services > Credentials
- Select Create Credentials > Service Account
- Create the Service Account by adding the name, ID and description, then select Create and Continue. Note: Granting access to a project or Granting users access to this service account is optional
- Click on Actions > Manage keys
- Select Add Key > Create new key
- Select JSON as the Key type and click Create. You should see a notification that the service account JSON file has been downloaded and saved to your computer.
- Save this Service Account JSON Key
Get and Save Customer ID for your Google Workspace
- Follow the instructions here to grab the Customer ID:
- Go to Admin Console, select Account → Account Settings → Profile
- Save the Customer ID
- Instructions here at: https://support.google.com/a/answer/10070793?hl=en
3. Create and Assign a Custom Admin Role for Reading Groups/Users
- Create a Custom Admin Role, via these instructions here from Google
- Navigate to Google Admin Console, and create a new Admin Role
- Select the following privileges to assign to the Role
- Users → Read Users
- Groups → Read Groups
- Create the Role
- Assign the new custom admin role to the Service Account you created in Step 2 Above, by following the steps here.
4. Share Desired Google Drive Folders with Service Account
- In this step, make sure that each Google Drive Folder you wish to ingest has been shared with the new Service Account with Custom Admin privileges that you created in the previous steps.
- Add the Service Account as Content Manager. If your preference is to only grant Viewer access, please make sure that you have edited the following Shared Drive setting, allowing Viewers to download files:
5. Configure File Ingestion using the Google Drive Connector
Configure Google Drive Connector in MW Setup
- Create a Google Drive connector
- Select Service Account Auth
- Open the JSON Key text file from Step 2 and copy the content of the "private_key"
- Open a new text file and paste the private key. Make sure new line characters, if applicable, are replaced with new lines. Once formatted correctly, save the file as a .pem file type.
- The formatting should look similar to the below:
- Upload the .pem file from the previous step in the Gdrive Service Account Auth Private Key field.
- Leave “Impersonated User” blank, given there is no Domain Wide Delegation
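The key-to-.pem conversion described in the steps above can be scripted rather than done by hand in a text editor. This is an added example, not Moveworks' or Google's code: the function names, file names and sample key are constructed for illustration, and it assumes the key uses the PKCS#8 "BEGIN PRIVATE KEY" header. It also writes the .pem file readable by its owner only.

```python
import base64
import json
import os
import re
from pathlib import Path

# Assumption: the key is a PKCS#8 PEM block ("BEGIN PRIVATE KEY").
PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----\n([A-Za-z0-9+/=\n]+)-----END PRIVATE KEY-----\n"
)


def private_key_to_pem(key_json_path, pem_path):
    """Write the "private_key" field of a service account JSON key to pem_path."""
    with open(key_json_path, encoding="utf-8") as fh:
        # json.load decodes the \n escapes into real newlines.
        pem = json.load(fh)["private_key"]
    # A hand-copied or double-escaped value still holds a literal backslash + "n".
    pem = pem.replace("\\n", "\n").replace("\r\n", "\n").strip() + "\n"
    match = PEM_RE.fullmatch(pem)
    if match is None:
        raise ValueError("private_key is not a well-formed PEM block")
    base64.b64decode(match.group(1).replace("\n", ""), validate=True)
    # Create the file owner-read/write only; chmod covers a pre-existing file.
    fd = os.open(pem_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii", newline="\n") as out:
        out.write(pem)
    os.chmod(pem_path, 0o600)
    return pem


def write_constructed_key_json(directory, double_escaped=False):
    """Constructed sample input: placeholder bytes, not a real key."""
    body = base64.b64encode(b"constructed placeholder, not a real key " * 3).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    pem = f"-----BEGIN PRIVATE KEY-----\n{wrapped}\n-----END PRIVATE KEY-----\n"
    if double_escaped:
        pem = pem.replace("\n", "\\n")
    path = Path(directory) / "constructed-key.json"
    path.write_text(json.dumps({"type": "service_account", "private_key": pem}))
    return str(path)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = write_constructed_key_json(tmp, double_escaped=True)
        print(private_key_to_pem(src, os.path.join(tmp, "service-account.pem")))
```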
Add Google Drive as an Identity Source in User Ingestion
- Navigate to the User Identity module within Moveworks Setup and click 'import users'.
- Under 'Select sources to ingest employees', add Google Drive to the list of sources, using the Google Drive connector you created in step 1 above to import the users' Google Drive details.
- Click next to advance to the next page, where you will see Google Drive under Configure selected sources. Click the pencil next to the Google Drive source and then select Gdrive Source Filter. You will then need to input the Customer ID that you previously saved into the Google Workspace Customer ID field.
- Click next to advance to the Set join key page and select the appropriate field to merge the Google Drive record data with the data from other sources. This will typically be primaryEmail.
Configure File Ingestion
Note: if user ingestion has not been set up previously, reach out to your Customer Success team.
- In the MW Setup, go to the Answers > Ingestions > File Knowledge Screen.
- Select the Google Drive Connector and provide a Name for your File ingestion config
- Continue to the Ingestion Details page and Specify each Folder, using the Folder IDs
- Copy and paste Folder IDs in the following manner:
- If the URL of your Google Drive folder is https://drive.google.com/drive/folders/FOLDERID, then input the FOLDERID
- You can assign a Domain to each Folder, e.g. IT, HR, Finance, etc. This Domain is used for tagging in Analytics, enabling you to filter Search usage for each of your domains
- Select Use Google Drive connector Only, as this is the only connector needed for reading both files and permissions (users and groups).
- Save the File Ingestion
6. Launch File Search to your employees (if not already)
- Refer back to the main File Search Self-Serve guide: File Search Self-Serve – Configuration Guide.