Google Workspace

To connect Google Workspace to vScope, you’ll need a super admin account in Google Workspace. This guide walks you through setting up a Google Cloud project with the permissions needed to allow vScope to inventory your Google Workspace directory.

Once connected, vScope can inventory user accounts, groups, and devices from Google Workspace.

---

Set up a project and service account on Google Cloud Platform

• Log in to Google Cloud Console with your super admin account. Select Resource and click New Project.

• Name your project (e.g., vScope), choose Organization and Location, then click Create.

• In the side menu, go to API & Services > Credentials and click + Create credentials button and select Service account.

• Complete service account details by entering a name and clicking Create and continue.

• Grant permissions by selecting Owner as the role, then click Continue.

Next step is to create a “Key” for your service account that you just registered.

• Generate a key: Navigate back to the Credential overview. Above the section with the service accounts, locate and select the link Manage service accounts

• In the new window, select your service account and navigate to the Keys tab.

• Add Key > Create new key, select JSON format, and click Create. Save this file securely.

Note

You’ll need values from this JSON key file, such as the private key, client_email, and clientID, later in vScope.

---

Configure OAuth and consent screen

• Go back to Credentials in the Google Cloud Console and click Configure Consent Screen.

• Select Internal and click Create. Enter your App name, User support email, and Developer contact information, then click Save and continue.

Note

These fields are required by Google, but do not directly affect Google Workspace inventory in vScope.

---

Enable domain-wide delegation and add API scopes

Note

You must have super admin privileges to access this setting.

1. In your Google Admin console, go to API Controls (Security > Access and data control > API controls), then click Manage Domain-Wide Delegation.

2. Click Add new and enter the client_id from the key file into “Client ID”. Add the following API scopes (separated by commas) under “One or More API Scopes” and click Authorize:

   https://www.googleapis.com/auth/admin.directory.user.readonly,
   https://www.googleapis.com/auth/admin.directory.group.readonly,
   https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
   https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
   https://www.googleapis.com/auth/admin.directory.user.security,
   https://www.googleapis.com/auth/admin.directory.device.mobile.readonly

---

Enable API permissions on Google Cloud

1. In Google Cloud Console, go to APIs & Services > Library and search for Admin SDK.

2. Click on Admin SDK and enable it by clicking Enable.

Note

Allow some time for the service account and API permissions to propagate across Google Workspace. Also make sure you’re in the project you created in the first steps.

Configuration in vScope

• Create a new credential with datasource G Suite.
• Add your Service Account Email (e.g., vscope-serviceaccount@vscopeuser.iam.gserviceaccount.com)
• Add your Service Account User. The same email you used to login into Google Workspace. (e.g., example@domain.com).
• Locate your JSON key file that you saved earlier and paste the private key in the following format:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQ...
-----END PRIVATE KEY-----

Common Errors

Error	What happened?	Suggested action
Error getting access token for service account: 401 Unauthorized	Generated when the API permissions are insufficient.	Ensure that the correct API scopes are set up for vScope in Google Workspace.