Skip to main content
  1. CloudM
  2. Migrate
  3. Perform a Migration
  4. Configure your Connections
  5. Connection Setup
  6. Environment Configuration Guides

Setting up the Service Account and enable the APIs within Google Workspace for CloudM Migrate

Updated

This guide provides comprehensive instructions for configuring a Google Workspace account as either a source or a destination platform for your migration project in CloudM Migrate.

You can configure your environment using one of two methods:

  • Automated Method (Recommended): Uses a provided PowerShell script to automatically create projects, service accounts, keys, and enable APIs.
  • Manual Method: A step-by-step walkthrough for manual configuration via the Google Cloud Platform (GCP) console.

Prerequisites

Before beginning, ensure you meet the requirements for your chosen method.

General Requirements (Both Methods)

  • Administrator Access: You must have Super Admin access to the Google Workspace Admin Console.
  • Google Vault: If migrating from Google Vault, billing must be enabled on the Google Cloud Project to avoid export quota limits.

Requirements for Automated Method

  • GCP Permissions: A GCP account with permissions to create projects (e.g., resourcemanager.projects.create) or the Owner role on an existing project.
  • PowerShell: A Windows machine capable of running PowerShell as an Administrator. Note: You may need to run Set-ExecutionPolicy Unrestricted if your system blocks unsigned scripts.
  • Google Cloud SDK: The Google Cloud SDK must be installed and initialized (run gcloud init in your terminal prior to starting).
  • Browser Session: A browser window authenticated into your target GCP tenant must be open and active.

Method 1: Automated Setup (Recommended)

This method utilizes a PowerShell script to create the Service Account, enable necessary APIs, and generate the required keys.

Step 1: Execute the Script

  1. Download: Save the GCP_Configuration.ps1 script to your computer (e.g., your Desktop).
  2. Open PowerShell: Search for "Windows PowerShell" in your start menu, right-click it, and select Run as administrator.
  3. Navigate to Directory: Change the directory to where you saved the script. (Example: cd "C:\Users\AdminUser\Desktop")

  4. Run Script: Execute the following command:

    .\GCP_Configuration.ps1
  5. Follow Prompts: Enter the following details when prompted:
    • Project ID: A unique name for your new GCP Project.
    • Service Account ID: A name for the service account (this can match the Project ID).
    • Scope: Select All for standard migrations.
    • KeyType: Choose P12 or JSON. (Note: While the script may recommend P12, JSON is the modern Google standard and is fully supported by CloudM).

The script will process the request. Once finished, it will output URLs and Client IDs required for the next steps.

Step 2: Configure OAuth Consent

  1. Copy the URL provided by the script output (labeled Step 1) and paste it into your browser.
  2. On the OAuth consent screen, select Internal for User Type and select Create.
  3. Enter an App name (e.g., "CloudM Migrate"), a User Support email, and a Developer Contact email.
  4. Select Save and Continue through the remaining screens.

Step 3: Configure Domain-Wide Delegation

  1. Copy the URL provided by the script output (labeled Step 2) and paste it into your browser. This opens the Domain-wide Delegation page in the Google Workspace Admin Console.
  2. Select Add new.
  3. Copy the Client ID and OAuth Scopes from the PowerShell window output.
  4. Paste them into the corresponding fields in the browser.
  5. Select Authorize.

Step 4: Save Credentials

From the PowerShell output (labeled Step 3), note the following for use in CloudM Migrate:

  • Service Account Email Address
  • Private Key File Location: Typically located at C:\CloudM\GCPConfig (this file must be uploaded to the CloudM Migrate configuration).

Method 2: Manual Setup

Follow these steps if you cannot use the automated script, or prefer to configure your GCP environment manually.

Part 1: Create a Google Cloud Project

  1. Log in to the Google Cloud Console.
  2. Select the project dropdown at the top of the page and select New Project.
  3. Enter a Project Name, confirm the Organization/Location, and select Create.

Part 2: Create Service Account and Key

  1. Navigate to APIs & Services > Credentials.
  2. Select Create Credentials and choose Service account.
  3. Enter a name (e.g., cloudm-migrate-sa) and select Create and Continue.
  4. Important: In the Role field, select Project > Owner. Select Continue, then Done.
  5. On the Credentials list, click on the newly created Service Account email.
  6. Navigate to the Keys tab.
  7. Select Add Key > Create new key.
  8. Choose JSON (Recommended) or P12, and select Create. The key file will download to your computer. Store this safely; you will need to upload it to CloudM Migrate.
  9. Critical: Return to the Service Account Details tab. Copy the Unique ID (Client ID) and the Email address. You will need these for Domain-Wide Delegation.

Part 3: Configure OAuth Consent Screen

  1. In the GCP Console, navigate to APIs & Services > OAuth consent screen.
  2. Select Internal for User Type and select Create.
  3. Enter an App name (e.g., "CloudM Migrate"), select a User Support email, and enter a Developer Contact email.
  4. Select Save and Continue through the remaining screens. You do not need to manually add scopes here.

Part 4: Enable Required APIs

  1. In the GCP Console, go to APIs & Services > Enabled APIs & services.
  2. Select + Enable APIs and Services.
  3. Search for and enable the following APIs individually:
    • Admin SDK API
    • Gmail API
    • Google Calendar API
    • Google Drive API
    • Google People API
    • Tasks API
    • Google Forms API
    • Groups Migration API
    • Conditional: Google Chat API (If migrating Chat or Spaces)
    • Conditional: Google Vault API (If migrating from Vault)

Part 5: Configure Domain-Wide Delegation

  1. Log in to the Google Workspace Admin Console.
  2. Navigate to Security > Access and data control > API controls.
  3. Scroll down to Domain-wide Delegation and select Manage Domain Wide Delegation.
  4. Select Add new.
  5. Client ID: Paste the Unique ID you copied from the Service Account in Part 2.
  6. OAuth Scopes: Paste the required scopes from the reference section below.
  7. Select Authorize.

API Scopes Reference

Copy the comma-separated scopes below based on your specific migration configuration.

Standard / Full Scopes (Default)

Use these scopes for most migrations (when Use Limited Scopes is set to False).

https://www.googleapis.com/auth/admin.directory.resource.calendar,
https://www.googleapis.com/auth/gmail.settings.sharing,
https://mail.google.com/,
https://sites.google.com/feeds/,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/apps.groups.migration,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/email.migration,
https://www.googleapis.com/auth/tasks,
https://www.googleapis.com/auth/forms,
https://www.googleapis.com/auth/gmail.settings.basic,
https://www.googleapis.com/auth/contacts,
https://www.googleapis.com/auth/contacts.other.readonly,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/directory.readonly,
https://www.googleapis.com/auth/user.addresses.read,
https://www.googleapis.com/auth/user.birthday.read,
https://www.googleapis.com/auth/user.emails.read,
https://www.googleapis.com/auth/user.gender.read,
https://www.googleapis.com/auth/user.organization.read,
https://www.googleapis.com/auth/user.phonenumbers.read,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/userinfo.profile

Limited Scopes (Source Only)

Use only if Use Limited Scopes is set to True for the Source platform.

https://www.googleapis.com/auth/gmail.labels,
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/admin.directory.resource.calendar,
https://www.googleapis.com/auth/gmail.settings.sharing,
https://sites.google.com/feeds/,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/apps.groups.migration,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/email.migration,
https://www.googleapis.com/auth/tasks,
https://www.googleapis.com/auth/forms,
https://www.googleapis.com/auth/gmail.settings.basic,
https://www.googleapis.com/auth/contacts,
https://www.googleapis.com/auth/contacts.other.readonly,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/directory.readonly,
https://www.googleapis.com/auth/user.addresses.read,
https://www.googleapis.com/auth/user.birthday.read,
https://www.googleapis.com/auth/user.emails.read,
https://www.googleapis.com/auth/user.gender.read,
https://www.googleapis.com/auth/user.organization.read,
https://www.googleapis.com/auth/user.phonenumbers.read,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/userinfo.profile

Google Vault Scopes

If migrating from Vault, append these to the Standard Scopes above:

https://www.googleapis.com/auth/ediscovery,
https://www.googleapis.com/auth/ediscovery.readonly,
https://www.googleapis.com/auth/devstorage.read_write

Google Chat & Spaces Scopes

Use these scopes if migrating Google Chat or Spaces.

https://www.googleapis.com/auth/chat.admin.spaces.readonly,
https://www.googleapis.com/auth/chat.admin.spaces,
https://www.googleapis.com/auth/chat.admin.memberships,
https://www.googleapis.com/auth/chat.bot,
https://www.googleapis.com/auth/chat.spaces,
https://www.googleapis.com/auth/chat.memberships,
https://www.googleapis.com/auth/chat.memberships.app,
https://www.googleapis.com/auth/chat.messages,
https://www.googleapis.com/auth/chat.import,
https://www.googleapis.com/auth/chat.customemojis

Setting up Google Chat Migration (Optional)

For detailed instructions on configuring the Chat API alongside these permissions, please see our dedicated guide: Enable and Configure the Google Chat API.

Important Considerations

  • Propagation Delay: After authorizing scopes, Google may take up to 24 hours to propagate changes globally. If connection tests fail immediately after setup, please wait and retry.
  • Drive SDK Requirement: Ensure the Drive SDK is enabled for your users to allow proper file extraction/insertion.
    • Path: Apps > Google Workspace > Drive and Docs > Features and Applications.
    • Action: Enable Allow users to access Google Drive with the Drive SDK API.
  • Organization Policies: If you are unable to create a Key in GCP during setup, your organization may have a policy actively blocking Service Account Key creation. Please refer to our troubleshooting guide: Service Account Key Creation Disabled.

Related to:

Was this article helpful?
2 out of 3 found this helpful