
CloudM Backup: Provide a Google Cloud service account with domain-wide delegation

To connect a storage bucket and apply Backup policies to users or Shared Drives, you must configure a Google Cloud Platform (GCP) Service Account with domain-wide delegation.


Before You Begin

Existing CloudM Archive Users

If you have already configured CloudM Archive with a Domain-Wide Delegated Service Account, you do not need to create a new Service Account.

You can reuse the existing account by following Step 2: Option B to enable additional required APIs and Scopes.

Note: After updating scopes, navigate to Settings > Domain Settings in CloudM and click Verify on the Service Account.


1. Enable APIs for the Google Cloud Project

You must enable specific APIs to allow CloudM to access the Google Workspace environment.

  1. Log in to the Google Cloud Platform (GCP) Console.
  2. Navigate to APIs & Services > Credentials.
  3. Select the relevant Service Account to open its details.
  4. Copy the Unique ID (Client ID) and store it securely. This is required for the Google Workspace Admin Console configuration.
  5. Navigate to APIs & Services > Dashboard.
  6. Click ENABLE APIS AND SERVICES.
  7. Search for and enable the Admin SDK API.
  8. Enable the following additional required APIs:
    • Gmail API
    • Google Drive API
    • Drive Activity API
    • Google Calendar API
    • Google Forms API
    • Google People API
    • Google Chat API

2. Set up Domain-Wide Delegation

Authorize the Service Account in the Google Workspace Admin Console using the Client ID copied in Step 1.

Refer to Google's official guide for specific navigation instructions.

Select the relevant configuration scenario to copy the required OAuth Scopes:

Option A: New Setup (Full Scope List)

For initial setups, copy the full list below into the OAuth Scopes field.

https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/gmail.labels,
https://www.googleapis.com/auth/gmail.modify,
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/contacts,
https://www.googleapis.com/auth/chat.spaces,
https://www.googleapis.com/auth/chat.memberships,
https://www.googleapis.com/auth/chat.messages,
https://www.googleapis.com/auth/chat.messages.reactions,
https://www.googleapis.com/auth/chat.customemojis,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group

Option B: Existing Archive Users (Add Missing Scopes)

Append the following scopes to your existing Client ID configuration in the Google Admin Console:

https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/gmail.labels,
https://www.googleapis.com/auth/gmail.modify,
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/contacts
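
An added example (not CloudM's or Google's code) for checking the OAuth Scopes field after Option A or Option B: it compares the value pasted from the Admin Console with this page's full list and reports scopes that are missing and scopes authorized beyond it. The function names and the sample field are assumptions made for illustration.

```python
import re

# Scope list copied from "Option A" on this page.
REQUIRED_SCOPES = """
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/gmail.labels,
https://www.googleapis.com/auth/gmail.modify,
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/contacts,
https://www.googleapis.com/auth/chat.spaces,
https://www.googleapis.com/auth/chat.memberships,
https://www.googleapis.com/auth/chat.messages,
https://www.googleapis.com/auth/chat.messages.reactions,
https://www.googleapis.com/auth/chat.customemojis,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group
"""

def parse_scopes(field_text):
    """Split a comma/whitespace separated scope field, dropping duplicates."""
    scopes = []
    for token in re.split(r"[,\s]+", field_text.strip()):
        if token and token not in scopes:
            scopes.append(token)
    return scopes

def audit_delegation(authorized_field, required_field=REQUIRED_SCOPES):
    """Compare the scopes authorized for a Client ID with the required list."""
    authorized = parse_scopes(authorized_field)
    required = parse_scopes(required_field)
    return {
        "missing": [s for s in required if s not in authorized],
        "extra": [s for s in authorized if s not in required],
    }

# Constructed sample: only the Option B scopes, plus one scope this page does not list.
SAMPLE_FIELD = ", ".join(
    s for s in parse_scopes(REQUIRED_SCOPES)
    if "/chat." not in s and "/admin." not in s
) + ", https://mail.google.com/"

if __name__ == "__main__":
    for kind, scopes in audit_delegation(SAMPLE_FIELD).items():
        print(kind, *scopes, sep="\n  ")
```
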

3. Set up the Google Chat App

To back up Chat messages, you must configure the Chat API details within the GCP project.

  1. In the GCP Project used for the Service Account, search for Google Chat API.
  2. Click Manage and select the Configuration tab.
  3. Critical Configuration:

    Ensure the checkbox "Build this Chat app as a Workspace add-on" is DESELECTED (unticked).

    Warning: If this option is enabled and saved, the project configuration cannot be reverted. You must create a new GCP Project and repeat the Service Account setup to resolve this issue.

  4. Enter the following application details:
    • App name: CloudM Chat App
    • Avatar URL: A publicly accessible HTTPS URL for an image (e.g., company logo).
    • Description: CloudM Chat App
  5. Click Save.


4. Obtain the Service Account Key File

  1. Navigate to IAM & Admin > Service Accounts in the GCP Console.
  2. Select the Service Account configured in Step 2.
  3. Select the Keys tab.
  4. Click Add Key > Create New Key.
  5. Select JSON and click Create.
  6. The JSON key file will download. Store this file securely.
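
An added example, not part of CloudM's tooling, of a local check on the downloaded key before it is uploaded: the file should be readable only by its owner, and its client_id should equal the Unique ID (Client ID) authorized for delegation. The key contents are constructed placeholders, and the function names are hypothetical.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key_id", "private_key")

def check_key_file(path, authorized_client_id):
    """Return a list of findings for a downloaded service account JSON key."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:03o} exposes the key to other local users")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    absent = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if absent:
        findings.append("missing fields: " + ", ".join(absent))
    if key.get("type") != "service_account":
        findings.append("not a service account key")
    # client_id in the key is the Unique ID copied in Step 1.
    if key.get("client_id") != authorized_client_id:
        findings.append("client_id differs from the Client ID authorized for delegation")
    return findings

def write_sample_key(directory, mode):
    """Write a constructed key file (placeholder values only) and return its path."""
    sample = {
        "type": "service_account",
        "project_id": "example-project",            # constructed
        "private_key_id": "0000placeholder0000",    # constructed
        "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
        "client_email": "backup-sa@example-project.iam.gserviceaccount.com",
        "client_id": "100000000000000000001",       # constructed
    }
    path = os.path.join(directory, "sa-key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = write_sample_key(tmp, 0o644)
        for finding in check_key_file(path, "100000000000000000002"):
            print("FINDING:", finding)
```
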

5. Upload the JSON Key to CloudM

  1. Log in to the CloudM platform.
  2. Navigate to Settings > Domain Settings.
  3. Locate the Domain-wide Delegation Service Account section.
  4. Click Choose File.
  5. Select the JSON Key file downloaded in Step 4.
  6. Click Save.

Setup Complete

Backup policies can now be applied to users and Shared Drives.

Note on Propagation: GCP changes, including key creation and scope assignment, may take up to 2 hours to propagate. If validation fails, wait for this period before re-attempting.
