You must set up a domain-wide delegated service account to connect your storage bucket and apply your Backup policies to users or Shared Drives. Providing a domain-wide delegated service account prevents API quota limitations.
1. Enable APIs for the Google Cloud project connected to the service account.
   1. In GCP, navigate to the APIs & Services > Credentials screen.
   2. In the list of Service accounts, open the service account. Click the copy icon to take a note of the Unique ID. This Client ID will need to be added to Google Workspace later.
   3. Navigate to the APIs & Services > Dashboard page.
   4. Click ‘ENABLE APIS AND SERVICES’.
   5. In the ‘Search for APIs & Services’ search box, enter ‘Admin SDK’.
   6. Click on Admin SDK API.
   7. Click ENABLE.
   8. The Admin SDK API overview page is now shown. Click ‘APIs & Services’ to navigate back to the main APIs & Services page.
   9. Repeat steps 1-8 to enable each of the required APIs:
      - Gmail API
      - Google Drive API
      - Drive Activity API
      - Google Calendar API
      - Google Forms API
2. Set up Google Workspace Domain-Wide Delegation for a service account.
For instructions on how to set up domain-wide delegation for your service account, please follow Google's comprehensive guide available here.
When providing scopes for the OAuth Scopes field, all of the scopes below must be included or else the process will fail.
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/gmail.labels,
https://www.googleapis.com/auth/gmail.modify,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/gmail.settings.basic,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/gmail.settings.sharing,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/gmail.readonly
3. Obtain the Service Account Key File
- Go to https://console.cloud.google.com/
- To create the Service Account Key File, go to IAM & Admin > Service Accounts from the left menu.
- Locate the service account to which you have just applied Domain-wide Delegation.
- Select the Keys tab.
- Select Add Key > Create New Key > JSON
The JSON key will download to your local machine.
4. Upload the JSON Key to CloudM
- Log in to CloudM.
- Navigate to Settings and then Domain Settings.
- Under Domain-wide Delegation Service Account, select Choose File.
- Select your recently downloaded JSON Key file and select Open.
- Click Save.
You will now be able to successfully apply Backup policies to users and Shared Drives.
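A pre-upload check, added here as an example and not part of CloudM's or Google's tooling: it compares the scope string entered in the OAuth Scopes field against the list above and confirms that the downloaded JSON key belongs to the service account whose Unique ID was delegated. The function names, the sample key and the sample ID are constructed for illustration.

```python
import json

# Scopes the page lists for the OAuth Scopes field.
REQUIRED_SCOPES = frozenset(
    "https://www.googleapis.com/auth/" + name for name in (
        "drive.readonly", "drive.appdata", "drive.activity.readonly",
        "gmail.labels", "gmail.modify", "calendar", "gmail.settings.basic",
        "drive", "drive.file", "gmail.settings.sharing",
        "admin.directory.user", "admin.directory.group",
        "admin.reports.audit.readonly", "gmail.readonly"))
# Fields of a Google service account JSON key that this check expects.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id", "token_uri")
# Constructed sample key document: placeholder values, no real key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000placeholder", "private_key": "PLACEHOLDER",
    "client_email": "backup@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token"})


def check_scopes(pasted):
    """Return (missing, unexpected) scopes for the pasted comma-separated text."""
    given = {s.strip() for s in pasted.replace("\n", ",").split(",") if s.strip()}
    return sorted(REQUIRED_SCOPES - given), sorted(given - REQUIRED_SCOPES)


def check_key(key_json, unique_id):
    """Return a list of problems found in a service account key document."""
    try:
        key = json.loads(key_json)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = ["missing field: " + f for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if key.get("client_id") and key["client_id"] != unique_id:
        problems.append("client_id differs from the delegated Unique ID")
    return problems


if __name__ == "__main__":
    print(check_key(SAMPLE_KEY, "100000000000000000001"))  # constructed ID
    print(check_scopes(",\n".join(sorted(REQUIRED_SCOPES))))
```

An empty result from both functions means the key matches the delegated client and the scope string is complete; any entry in the unexpected list is a scope granted beyond what the page requires.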