File Search Google Drive Setup Guide: Service Account with Domain-Wide Delegation

This document describes the option of creating a service account with Domain-Wide Delegation privileges, dedicated to Moveworks, to ingest your Google Drive files, users, and groups for permission-enforced File Search. Moveworks will use the Service Account credentials to impersonate a Workspace admin with privileges to read the desired folders/files and the groups/users of the Workspace.


1. Create Google Cloud Project

  1. Create a Google Cloud Project for Moveworks
    1. Sign into https://console.cloud.google.com/cloud-resource-manager using an account with Google Workspace Super Admin privileges
    2. Click +Create Project
    3. Name the project Moveworks and select the top-level organization OU for your Google Workspace
    4. Click Create
    5. Once completed, click Select Project from Notifications or via Search

2. Grant SDK Scopes to Project

  1. Turn on the Admin SDK and Google Drive APIs for your Google Cloud Project
    1. From the top-left Navigation Menu, click APIs & Services > Enabled APIs & Services.
    2. Click +Enable APIs & Services.
    3. Search for each of the following APIs, and select Enable:
      • Admin SDK
      • Google Drive API

3. Create a Service Account and Generate a JSON Web Token

  1. From the top-left Navigation Menu, click APIs & Services > Credentials.

  2. Click +Create Credentials > Service account.

  3. For Service account name, enter Moveworks

  4. (Optional) Enter Service account description, if desired

  5. Click Create and Continue.

  6. Click Done > Save.

  7. Copy the Service Account email. You’ll need this later.

  8. Create the service account key

    1. Select the newly created Service Account.

    2. Copy the Unique ID and save it. You’ll need this later.

    3. At the top of the page, click Keys > Add Key > Create new key.

    4. Make sure the key type is set to JSON and click Create.

      You'll get a message that the service account's private key JSON file was downloaded to your computer. Save this JSON file, as you’ll need this later.

    5. Click Close on the pop-up window.

4. Add API Scopes to Service Account

  1. Add domain-wide delegated OAuth API scopes to the service account
    1. Sign into your Google Admin Console using an account with Super Admin privileges
    2. Navigate through the following: Menu > Security > Access and data control > API controls > Manage Domain-Wide Delegation.
    3. Click Add New.
    4. In the Client ID field, enter the service account's Unique ID saved in Step 2.
    5. Under OAuth Scopes, grant Moveworks the following scopes:
      1. https://www.googleapis.com/auth/admin.directory.group.readonly
      2. https://www.googleapis.com/auth/admin.directory.user.readonly
      3. https://www.googleapis.com/auth/drive.metadata.readonly
      4. https://www.googleapis.com/auth/drive.readonly
    6. Click Authorize.
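
The following pre-flight check is an added example, not part of the original guide or Moveworks tooling. It compares the scope string entered in Manage Domain-Wide Delegation with the four read-only scopes listed above, and inspects the key file downloaded in step 3. It assumes a POSIX file system and the standard fields of a Google service account key file; the function names are hypothetical.

```python
import json
import os
import stat

# The four read-only scopes this guide lists under "OAuth Scopes" in step 4.
EXPECTED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
}

def audit_scopes(granted_csv):
    """Compare a comma-separated scope string with the guide's list.

    Returns (missing, unexpected); both empty means an exact match.
    """
    granted = {s.strip() for s in granted_csv.split(",") if s.strip()}
    return sorted(EXPECTED_SCOPES - granted), sorted(granted - EXPECTED_SCOPES)

def audit_key_file(path, expected_client_id=None):
    """Return a list of findings for a downloaded service account key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set (POSIX only)
        findings.append(f"file mode {mode:03o} exposes the key; use 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("'type' is not 'service_account'")
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            findings.append(f"missing field: {field}")
    # client_id in the key file is the Unique ID entered as Client ID in step 4.
    if expected_client_id and key.get("client_id") != expected_client_id:
        findings.append("client_id does not match the saved Unique ID")
    return findings

if __name__ == "__main__":
    # Constructed input: the guide's scopes plus one write scope added by mistake.
    pasted = ", ".join(sorted(EXPECTED_SCOPES) + ["https://www.googleapis.com/auth/drive"])
    missing, unexpected = audit_scopes(pasted)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

An entry in `unexpected` means the delegation grants more than this guide asks for; an entry in `missing` means ingestion will lack a scope it expects.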

5. Share Desired Google Drive Folders with Service Account

  1. In this step, make sure that each Google Drive folder you wish to ingest has been shared with the new Service Account with Custom Admin privileges that you built in the previous steps.

6. Create Google Drive Connector and Configure File Ingestion

Configure Google Drive Connector in MW Setup

  1. Create a Google Drive connector
  2. Select Service Account Auth
  3. Upload the JSON Key from Step 2
  4. Important: Under “Impersonated User”, provide the email of a Google Workspace admin, or user/service account with access to read all Users/Groups

Configure File Ingestion

Note: if user ingestion has not been set up previously, reach out to your Customer Success team.

  1. In the MW Setup, go to the Answers > Ingestions > File Knowledge Screen.
  2. Select the Google Drive Connector and provide a Name for your File ingestion config
  3. Continue to the Ingestion Details page and specify each Folder, using the Folder IDs
    1. Copy and paste Folder IDs in the following manner:
      1. If the URL of your Google Drive folder is https://drive.google.com/drive/folders/FOLDERID, then input the FOLDERID
    2. Please double-check that each Folder has been shared with the new Google Workspace User with Custom Admin privileges that you built in the previous steps
    3. You can assign a Domain to each Folder, e.g. IT, HR, Finance, etc. This Domain is used for tagging in Analytics, enabling you to filter Search usage for each of your domains
  4. Save the File Ingestions

7. Launch File Search to your employees (if not already)

  1. Refer back to the main File Search Self-Serve guide: File Search Self-Serve – Configuration Guide.