
Connecting Google Workspace

To sync data into Google Workspace, CloudM Continuity needs the ability to create users and write mail data to your Google Workspace domain. This is done by creating a GCP service account with domain-wide delegation.

Who should do this?

You will need:

  • Owner or Editor role on the GCP project (to create service accounts, enable APIs, and grant IAM roles)
  • Super Admin access to your Google Workspace Admin console (to configure domain-wide delegation)

The service account itself does not need any project-level IAM roles. It only requires domain-wide delegation (configured in the Google Admin console) and the Token Creator grant from CloudM's service account.

If you don't have this access, ask your IT admin to complete these steps.

Overview

The process involves six steps:

  1. Create or select a GCP project
  2. Create a service account
  3. Enable the required APIs
  4. Configure domain-wide delegation in the Google Admin console
  5. Grant CloudM token access to your service account
  6. Enter your service account email in CloudM Continuity

Step 1: Create or select a GCP project

  1. Go to the Google Cloud Console at console.cloud.google.com
  2. Select an existing project or create a new one:
    • Click the project dropdown at the top of the page
    • Click New Project
    • Enter a project name (e.g. CloudM Continuity)
    • Click Create
  3. Make sure the new project is selected in the project dropdown

Step 2: Create a service account

  1. In the GCP Console, navigate to IAM & Admin > Service Accounts
  2. Click Create Service Account
  3. Fill in the details:
    • Service account name: e.g. cloudm-continuity
    • Service account description: e.g. Service account for CloudM Continuity sync
  4. Click Create and Continue
  5. Skip the optional "Grant this service account access" and "Grant users access" steps — click Done

Note the following from the service account details page — you will need both later:

  Field                    Where to find it
  Service account email    Shown on the Service Accounts list and detail page (e.g. cloudm-continuity@your-project.iam.gserviceaccount.com)
  Unique ID (Client ID)    Shown on the service account detail page (numeric ID)

No key download required

You do not need to generate or download a JSON key file. CloudM Continuity uses a token-based approach where our service account requests short-lived tokens on behalf of your service account. This is more secure than managing key files.

Step 3: Enable required APIs

In the GCP Console, enable the following APIs for your project:

  1. Navigate to APIs & Services > Library
  2. Search for and enable each of the following:

  API              Purpose
  Gmail API        Read and write mail data in Google Workspace
  Admin SDK API    Create and manage user accounts in Google Workspace

For each API, click Enable on its detail page. If it's already enabled, you'll see a Manage button instead.

Step 4: Configure domain-wide delegation

Domain-wide delegation allows the service account to act on behalf of users in your Google Workspace domain. This is configured in the Google Admin console.

  1. Sign in to the Google Admin console at admin.google.com
  2. Navigate to Security > Access and data control > API controls
  3. Scroll down to Domain wide delegation and click Manage Domain Wide Delegation
  4. Click Add new
  5. Enter the following:
    • Client ID: The service account's Unique ID (numeric ID from the GCP service account details)
    • OAuth Scopes: Enter the following scopes, comma-separated:

      OAuth Scope                                                        Purpose
      https://mail.google.com/                                           Full access to Gmail (read, write, send)
      https://www.googleapis.com/auth/gmail.modify                       Modify Gmail mailbox data (labels, message state)
      https://www.googleapis.com/auth/admin.directory.user               Manage users in Google Workspace
      https://www.googleapis.com/auth/admin.directory.domain.readonly    Read domain information from the Admin Directory

  6. Click Authorise

Delegation can take time

Domain-wide delegation changes can take up to 24 hours to propagate across Google's infrastructure, though they typically take effect within minutes. If validation fails immediately after setup, wait and try again.

Step 5: Grant CloudM token access to your service account

CloudM Continuity uses a token provider service to request short-lived access tokens on behalf of your service account. For this to work, you need to grant the CloudM token provider service account the Service Account Token Creator role on your service account.

  1. In the GCP Console, navigate to IAM & Admin > Service Accounts
  2. Click on the service account you created in Step 2
  3. Go to the Principals with access tab
  4. Click Grant Access
  5. In the New principals field, enter the CloudM token provider service account:

    coop-tp-sa@coop-production-488013.iam.gserviceaccount.com
  6. In the Role dropdown, search for and select Service Account Token Creator
  7. Click Save

Why is this needed?

This role allows CloudM's token provider to generate short-lived access tokens for your service account without needing a downloaded key file. Tokens expire automatically, reducing the security risk compared to long-lived key files.

Only grant Token Creator, nothing else

The Service Account Token Creator role is the only role required. Do not grant broader roles such as Owner or Editor to the CloudM service account.
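To make the chain in Steps 4 and 5 concrete, here is an added Python pre-flight check (example code, not CloudM's or Google's): it validates an exported IAM policy and the authorised scope list offline, and builds the claim set of the delegation JWT that the token provider would get signed through the IAM Credentials signJwt method. The policy shape, the sample values and the function names are assumptions; no call to Google is made.

```python
import time

TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"
CLOUDM_TOKEN_PROVIDER = "serviceAccount:coop-tp-sa@coop-production-488013.iam.gserviceaccount.com"
REQUIRED_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
})

def cloudm_roles(policy):
    # Roles your SA's IAM policy grants to CloudM's token provider; the policy
    # shape assumed here mirrors `gcloud iam service-accounts get-iam-policy --format=json`.
    return {b["role"] for b in policy.get("bindings", [])
            if CLOUDM_TOKEN_PROVIDER in b.get("members", [])}

def missing_scopes(authorised):
    # Google compares delegated scopes as exact strings, so a dropped trailing
    # slash on https://mail.google.com/ is reported as a missing scope.
    return sorted(REQUIRED_SCOPES - set(authorised))

def preflight(policy, authorised_scopes, client_id):
    # Returns a list of findings; an empty list means Steps 4 and 5 look right.
    findings = []
    if not str(client_id).isdigit():
        findings.append("Client ID must be the numeric Unique ID, not the email")
    findings += ["scope not authorised for delegation: " + s
                 for s in missing_scopes(authorised_scopes)]
    roles = cloudm_roles(policy)
    if TOKEN_CREATOR_ROLE not in roles:
        findings.append("CloudM token provider lacks " + TOKEN_CREATOR_ROLE)
    findings += ["CloudM token provider has an unneeded role: " + r
                 for r in sorted(roles - {TOKEN_CREATOR_ROLE})]
    return findings

def dwd_claims(sa_email, admin_email, now=None):
    # Claim set of the delegation assertion: issued by your SA, impersonating the
    # Super Admin (sub); Token Creator lets the provider have it signed via signJwt.
    now = int(time.time() if now is None else now)
    return {"iss": sa_email, "sub": admin_email, "aud": "https://oauth2.googleapis.com/token",
            "scope": " ".join(sorted(REQUIRED_SCOPES)), "iat": now, "exp": now + 3600}

# Constructed sample: Token Creator granted, plus a stray Editor grant and a scope typo.
SAMPLE_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR_ROLE, "members": [CLOUDM_TOKEN_PROVIDER]},
    {"role": "roles/editor", "members": [CLOUDM_TOKEN_PROVIDER]}]}
SAMPLE_AUTHORISED = ["https://mail.google.com"] + sorted(REQUIRED_SCOPES - {"https://mail.google.com/"})
```

Running preflight(SAMPLE_POLICY, SAMPLE_AUTHORISED, "123456789012345678901") reports the unauthorised scope and the surplus Editor role, which are exactly the two misconfigurations the Step 4 and Step 5 notes warn about.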

Step 6: Enter credentials in CloudM Continuity

  1. In CloudM Continuity, go to Connections in the sidebar
  2. On the Destination Connection card, click Create destination
  3. Fill in the connection details:
    • Domain — Your Google Workspace domain (e.g. company.com)
    • Admin email — A Super Admin email address in your Google Workspace domain
    • Service account — The service account email from Step 2 (e.g. cloudm-continuity@your-project.iam.gserviceaccount.com)
  4. Click Create destination
  5. Once the connection is created, click the three-dot menu on the Destination Connection card and select Test connection
  6. A green toast notification confirms "Connection test successful" if everything is configured correctly

Test connection fails?

If the test fails, check that: the service account has domain-wide delegation configured (Step 4), the CloudM token provider has Token Creator access (Step 5), all required APIs are enabled (Step 3), and the admin email is a valid Super Admin in your domain. You can update credentials at any time by clicking the three-dot menu and selecting Edit.

Security considerations

  • You own the service account. The GCP project and service account are created in your own environment. CloudM does not have access to your GCP console or Admin console.
  • Principle of least privilege. Only the scopes listed above are required. Do not add broader scopes. The CloudM token provider service account should only have the Service Account Token Creator role.
  • No key files to manage. CloudM Continuity uses short-lived tokens instead of downloaded key files. Tokens are generated on demand and expire automatically, reducing the risk of credential leakage.
  • Audit access. All service account activity is logged in your GCP audit logs and the Google Admin console audit log. You can review token creation events in the GCP IAM audit log.