If you're having trouble at any stage please contact us at firstname.lastname@example.org.
The goal of this guide is to create a JSON file in G Suite that would allow the SkyFormation for Google G-Suite Connector to communicate with a G-Suite account and retrieve its audit events.
This guide is relevant only if you have decided to use the "service-account" authentication method type in your SkyFormation for Google G-Suite Connector. In case you want to use the "OAuth2" method you should skip this guide.
To follow the steps in this guide you should be a G-Suite administrator.
See the full guide below played out in video:
1. Go to the Google Developers Console and sign in as a super administrator.
2. Create a new project by doing one of the following:
- If you haven't used the Developers Console before, agree to the Google Cloud Platform Terms of Service. Then, click Create a project.
- At the top of the screen next to your most recent project name, click the Down arrow to open your projects list. Then, click Create to create a new project.
- Enter a project name and
3. Enable the Admin SDK API
Each project uses its own set of APIs.
For the SkyFormation for Google G-Suite Connector connector to be able to use the
"service-account" authentication method you should enable the Admin SDK API to the just
Go to the API search by click on the ENABLE APIS AND SERVICES in the project context
In the search field put "Admin SDK API"
Now click on ENABLE button
3. Create the service account
- In the top-left corner of the console, click Menu .
- Click IAM & Admin Service accounts.
- Click Create service account and in the Service account name field, enter a name for the service account.
- Check the Furnish a new private key box and ensure the key type is set to JSON.
- Check the Enable Domain-wide Delegation box and enter a name in the Product name for the consent screen field.
- Click Create. You'll see a message that the service account JSON file has been downloaded to your computer.
Make sure to send this file in a secure and private way to the SkyFormation
administrator for the SkyFormation G Suite connector onboarding final step.
- Click Close.
- In the Options column, click the View Client ID link for the service account you have just created.
- Copy the Client ID value. You will need this later.
4. Set the needed API permission scope
- Open the admin console
- go to Security -> Advanced settings -> Manage API client access
- In the upper raw, in the Client Name field, enter:
(1) Under Client Name insert the Client ID saved at the previous steps
(you could also see it in the JSON file created under client_id key)
(2) Under the One or More API Scopes field enter the below API scopes
(copy and paste to keep the comma separation in place)
For SkyFormation to only read events:
You should see a screen similar to the below:
To use the service account we are required to have a Domain-Wide Delegation of Authority
Since we need this delegation of authority to read reports admin activity, the user, whose authority is being used, must have the admin privileges to view admin report activity and read user and groups information.
Please note that the service account is still bounded by the permissions granted to him thus cannot perform any action other than "read" on the specified scopes