Pre-Requisites
Install Requirements
This is specific to Self Hosted deployments. For Sath hosted connectors, these requirements are already in place.
- You need to install Helm version 3 or above.
- You can use a Kubernetes cluster (1.26 or above) to install the connector.
Connection Requirements
The following is needed to connect to Google Workspace:
Domain URL
It is a core part of a website's URL (its Internet address) managed in Google Workspace. To get this, you need a working instance of Google Workspace source.
- Go to Google Admin Console as Super Admin User
- Go to Account > Domains > Manage Domains
- Pick the domain to manage. E.g. sath.com
Admin User
This is a Service Account in Google Workspace and needs to have certain roles. To create a new one, follow the steps below:
- Go to Google Admin Console as Super Admin User
- Go to Users and Click Add New User.
- Add First Name, Last Name and Primary Email and click Add New User
To Add Roles follow below steps:
- Post User creation, Select the User from the User table
- Click on Admin roles and Privileges section
- Edit and assign required roles
- The User Management Admin role in Google Workspace allows managing users, resetting passwords, and creating new accounts.
- The Groups Admin role enables managing Google Groups, including creating, modifying, and deleting groups, as well as adjusting group settings.
- The Super Admin role has full control over the entire Google Workspace environment, including managing billing, security settings, and all administrative controls, making it the highest-level role with unrestricted access to all features and settings in Google Workspace.
- To manage users with an admin role, you need to provide the Super Admin role.
- The Super Admin role can manage all Google Workspace roles as well.
- If you want to manage Google Drive, make sure that you provide the Super Admin role to the service account.
For more details, visit Google Workspace Support.
To Add License follow below steps:
- Go to Billing > Subscriptions
- Click Add or upgrade a subscription and choose at least the ‘Google Workspace Business Standard’ license or higher for using IDHub.
- Post purchase, Go to Users and select the user email
- Click on Licenses and click on Edit icon to open edit view.
- Click on Radio button in Status column in licenses table of the user on the license desired and click Save
- We pull Shared drive information from the Workspace Service Account. It is recommended that the account provided not have any personal drive or files, as those will get pulled as entitlements as well.
- The Super Admin User should not be used as a day-to-day account.
GCP Service Account
To get a GCP Service Account, a GCP project set up with the correct API configuration is needed. Follow the steps below:
- Google Project Configuration
Ensure that you perform the following steps before generating a Private Key for Service Account:
- Ensure that a GCP Organization is available.
- Create a project in Google Cloud Platform Console (either a user with Super Admin or Project Creator privileges should create the project).
- Select APIs & Services > Library in the left sidebar to enable the API for the following:
- Admin SDK API (For Google Workspace Management)
- Google Drive API (For Google Drive Permission Management)
- Create Service Account and generate private key
- Go to IAM & Admin > Service Accounts
- Select + Create Service Account
- Enter details (name, account ID, description) to Create account and Click Done
- Store the system generated Client ID of the Service Account
- Next is to add scopes to the service account to enable APIs
- Add Scope to service account
- Go to Google Admin Console as Super Admin User
- Go to Security > API Controls
- Select Manage Domain Wide Delegation
- Select Add New and enter your service account Client ID
You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account (for example: "client_id":"102996919678308170059") or in the Google Cloud Console (go to IAM & Admin > Service accounts > your service account).
- In OAuth Scopes, enter the scopes as required. To add more than one scope, use a comma (,) as a separator (see Scope table below).
- Select Authorize.
If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes. Retry with correct Client ID and the app should be available for use within minutes, but can take up to 24 hours.
Scope
Scope | Purpose |
---|---|
https://www.googleapis.com/auth/admin.directory.group | Group Provisioning |
https://www.googleapis.com/auth/admin.directory.user | User Provisioning |
https://www.googleapis.com/auth/drive | Drive Provisioning |
https://www.googleapis.com/auth/admin.directory.user.readonly | User Reconciliation |
https://www.googleapis.com/auth/admin.directory.group.readonly | Group Reconciliation |
https://www.googleapis.com/auth/drive.readonly | Drive Reconciliation |
Service account keys could pose a security risk if compromised. Delete and Create new keys for service account every month to mitigate this risk.
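One way to check the monthly rotation recommended above is to list the service account's keys with `gcloud iam service-accounts keys list --iam-account=<SA_EMAIL> --format=json` and flag user-managed keys older than 30 days. This is an added example, not part of the connector or of the original page; the project, account name and key IDs in the sample are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=30)  # monthly rotation interval recommended above

# Constructed sample in the shape of the gcloud JSON output (placeholder names).
SA = "projects/example-project/serviceAccounts/connector@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS_JSON = json.dumps([
    {"name": SA + "/keys/KEY_ID_OLD", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-05T00:00:00Z"},
    {"name": SA + "/keys/KEY_ID_NEW", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-02-20T00:00:00Z"},
    {"name": SA + "/keys/KEY_ID_SYSTEM", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-06-01T00:00:00Z"},
])


def stale_user_keys(keys_json, now, max_age=MAX_KEY_AGE):
    """Return (key_id, age_in_days) for user-managed keys older than max_age."""
    stale = []
    for key in json.loads(keys_json):
        # Google-managed keys are rotated by Google; only downloaded
        # (user-managed) keys have to be deleted and recreated by hand.
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.strptime(
            key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        age = now - created
        if age > max_age:
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age.days))
    # Oldest keys first, so the most overdue rotation is at the top.
    return sorted(stale, key=lambda item: -item[1])


if __name__ == "__main__":
    for key_id, days in stale_user_keys(SAMPLE_KEYS_JSON, datetime.now(timezone.utc)):
        print(f"rotate {key_id}: {days} days old")
```
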
Private Key
To generate the Private Key of the GCP service account, perform the steps below:
- Go to IAM & Admin > Service Accounts
- In the Filter table, select the email address of the newly created service account
- To generate the private key, go to the Keys tab, select Add Key > Create new key and then select the type ‘JSON’
- Select Create. This will download the key to your PC in JSON Format.
- Click Close.
To convert Service Account Private Key to RSA Format
- Open the JSON file for the service account and copy the private key value into the new file.
- Replace all \n in the private key with an actual new line. In private key syntax, \n denotes a new line. This can be done in most text editors.
- For example, in Notepad++, perform a replace all where you replace \\n with \n.
- Example: Converted Key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
- Save the converted private key in a new file.
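The conversion steps above can also be done without a text editor, which avoids pasting the key into other tools. The following is an added example, not part of the connector or of the original page: it reads the `private_key` field of the downloaded JSON file, handles both `\n` and the double-escaped `\\n` form, checks the PEM framing, and writes the result readable by the owner only. The sample key body is a constructed placeholder, not a real key.

```python
import json
import os
import re

# PKCS#8 PEM framing: header line, base64 body lines, footer line.
PEM_RE = re.compile(
    r"\A-----BEGIN PRIVATE KEY-----\n(?:[A-Za-z0-9+/=]+\n)+"
    r"-----END PRIVATE KEY-----\n?\Z"
)

# Constructed key files; the body is a placeholder, not key material.
SAMPLE_KEY_FILE = (
    r'{"type": "service_account", "private_key": '
    r'"-----BEGIN PRIVATE KEY-----\nCONSTRUCTEDPLACEHOLDER0000\n-----END PRIVATE KEY-----\n"}'
)
DOUBLE_ESCAPED_KEY_FILE = SAMPLE_KEY_FILE.replace(r"\n", r"\\n")


def pem_from_key_file(json_text):
    """Return the private_key field of a service-account key file as PEM text."""
    # JSON decoding already turns \n escapes into real newlines.
    key = json.loads(json_text)["private_key"]
    # A re-escaped or hand-copied value can still hold literal backslash-n pairs.
    key = key.replace("\\n", "\n")
    if not PEM_RE.match(key):
        raise ValueError("private_key is not a well-formed PEM block")
    return key if key.endswith("\n") else key + "\n"


def write_pem(pem, path):
    """Write the key with mode 0600 and refuse to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(pem)


if __name__ == "__main__":
    print(pem_from_key_file(SAMPLE_KEY_FILE), end="")
```
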
Google Reference Docs
For more information about the above-listed prerequisites, refer to the following links:
- GCP Organization – https://cloud.google.com/resource-manager/docs/creating-managing-organization
- Admin SDK API – https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites
- Groups Settings API – https://developers.google.com/admin-sdk/groups-settings/prerequisites