
Rotating Google Workspace Credentials

The Google Workspace connection in CloudM Continuity authenticates with a GCP service account using token-based authentication: the CloudM token provider generates short-lived access tokens on your behalf, so no JSON key files are involved. Because there is no key to rotate, rotating the credentials means switching the connection to a new service account and retiring the old one. This article explains how to do that.

Why rotate credentials?

  • Security best practice. Regular rotation limits the window of exposure if a service account is compromised
  • Compliance requirements. Your organisation's security policy may mandate periodic credential rotation
  • Service account compromise. If you suspect a service account has been exposed, rotate immediately

Before you start

  • You need access to the Google Cloud Console with permissions to manage service accounts in the relevant GCP project
  • You need access to the Google Admin console to configure domain-wide delegation
  • You need Super Admin or Admin access in CloudM Continuity

Step-by-step rotation

Step 1: Create a new service account in GCP (or update the existing one)

  1. Go to the Google Cloud Console at console.cloud.google.com
  2. Navigate to IAM & Admin > Service Accounts
  3. Click Create Service Account
  4. Give it a descriptive name (e.g. "CloudM Continuity - Production")
  5. Complete the creation process

Alternatively, if you are updating an existing service account rather than creating a new one, skip to Step 2.

Step 2: Configure domain-wide delegation

  1. In the Google Admin console, go to Security > API controls > Domain wide delegation
  2. Click Add new
  3. Enter the new service account's Client ID (found on the service account details page in GCP)
  4. Add the required OAuth scopes for CloudM Continuity
  5. Click Authorise

Step 3: Grant the Token Creator role to the CloudM token provider

  1. In the Google Cloud Console, go to IAM & Admin > Service Accounts
  2. Click on the new service account
  3. Go to the Permissions tab
  4. Click Grant Access
  5. In the New principals field, enter: coop-tp-sa@coop-production-488013.iam.gserviceaccount.com
  6. For the role, select Service Account Token Creator
  7. Click Save

Why is this role needed?

CloudM Continuity uses token-based authentication: the CloudM token provider service account generates short-lived access tokens on behalf of your service account, and the Service Account Token Creator role is what permits that. No JSON key files are downloaded or uploaded at any point. Grant the role on the service account itself, as in Step 3, rather than at project level; a project-level grant would let the token provider mint tokens for every service account in the project. Conversely, any principal holding this role on your service account can act as it, so the account's Permissions tab should list only the CloudM token provider.

Step 4: Update the service account email in CloudM Continuity

  1. In CloudM Continuity, go to Connections in the sidebar
  2. Click the three-dot menu on the Destination Connection (Google Workspace)
  3. Select Edit
  4. Update the Service account email to the new service account's email address
  5. Click Save

Step 5: Test the connection

  1. Click the three-dot menu on the Destination Connection
  2. Select Test connection
  3. Confirm that a green toast notification — "Connection test successful" — appears

If the test fails, check that domain-wide delegation is configured correctly and the Token Creator role has been granted to the CloudM token provider on the new service account.

Step 6: Clean up the old service account

  1. Return to the Google Cloud Console and navigate to IAM & Admin > Service Accounts
  2. Click on the old service account
  3. Go to the Permissions tab and remove the Service Account Token Creator role from coop-tp-sa@coop-production-488013.iam.gserviceaccount.com
  4. Optionally, delete the old service account entirely if it is no longer needed
  5. In the Google Admin console, remove the old service account's Client ID from domain-wide delegation

Do not remove the old service account too early

Keep the old service account active until you have updated CloudM Continuity and confirmed the connection test passes with the new service account, so there is no gap in service. Once the test passes, complete Step 6 promptly: until the Token Creator binding and the domain-wide delegation entry are removed, the old account can still be used to obtain tokens for your domain.
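The GCP console steps above (Steps 1, 3 and 6) and the role explanation under Step 3, as an added example using gcloud. This script is not CloudM's tooling and is not from the original article. It assumes gcloud is installed and authenticated with permission to manage service accounts in the project you pass in; the project ID and account names in the usage are placeholders, while the token-provider principal and the role are the ones the article names. Step 2 (domain-wide delegation) and Steps 4 and 5 (CloudM Continuity) stay manual; the script only prints the Client ID you paste into the Admin console.

```shell
#!/bin/sh
# Added example, not CloudM tooling: the article's console steps as gcloud.
# Assumed: gcloud is installed and authenticated with rights to manage
# service accounts in the project you pass in. Names/project are placeholders.
set -eu

GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo to print commands instead of running them
# Principal and role named in the article (Step 3)
TOKEN_PROVIDER="coop-tp-sa@coop-production-488013.iam.gserviceaccount.com"
ROLE="roles/iam.serviceAccountTokenCreator"

# Full e-mail of a service account from its short name and project ID
sa_email() {            # $1=name  $2=project
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Step 1: create the replacement service account
create_sa() {           # $1=name  $2=project  $3=display name
  "$GCLOUD" iam service-accounts create "$1" --project="$2" --display-name="$3"
}

# Step 2 input: the Client ID pasted into Domain-wide delegation is the
# account's numeric uniqueId (the Admin console step itself stays manual)
client_id() {           # $1=sa email  $2=project
  "$GCLOUD" iam service-accounts describe "$1" --project="$2" --format='value(uniqueId)'
}

# Step 3: bind the token provider on this one account only. A project-level
# grant of the same role would let it mint tokens for every service account
# in the project, so keep the binding on the service-account resource.
grant_token_creator() { # $1=sa email  $2=project
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$1" --project="$2" \
    --member="serviceAccount:$TOKEN_PROVIDER" --role="$ROLE"
}

# Step 6: revoke the binding on the old account
revoke_token_creator() { # $1=sa email  $2=project
  "$GCLOUD" iam service-accounts remove-iam-policy-binding "$1" --project="$2" \
    --member="serviceAccount:$TOKEN_PROVIDER" --role="$ROLE"
}

# Check: every principal that can mint tokens for this account. Anything
# beyond the token provider can act as your delegated Workspace identity.
token_creators() {      # $1=sa email  $2=project
  "$GCLOUD" iam service-accounts get-iam-policy "$1" --project="$2" \
    --flatten="bindings[].members" --filter="bindings.role=$ROLE" \
    --format="value(bindings.members)"
}

# Steps 1 and 3 for a new account; prints what Step 2 needs
rotate_to_new_sa() {    # $1=new short name  $2=project
  new_sa="$(sa_email "$1" "$2")"
  create_sa "$1" "$2" "CloudM Continuity - $1"
  grant_token_creator "$new_sa" "$2"
  echo "Client ID for Domain-wide delegation: $(client_id "$new_sa" "$2")"
  echo "Token Creator principals on $new_sa (expect only the token provider):"
  token_creators "$new_sa" "$2"
}

# Step 6 for the old account; run only after the connection test passes
retire_old_sa() {       # $1=old sa email  $2=project
  revoke_token_creator "$1" "$2"
  echo "Token Creator principals left on $1 (expect none):"
  token_creators "$1" "$2"
}

case "${1:-}" in
  rotate) rotate_to_new_sa "$2" "$3" ;;
  retire) retire_old_sa "$2" "$3" ;;
esac
```

Run `sh rotate-sa.sh rotate cloudm-continuity-prod my-project` (placeholder names) to create and bind the new account, complete Steps 2, 4 and 5 in the consoles, and only after the connection test passes run `sh rotate-sa.sh retire old-sa@my-project.iam.gserviceaccount.com my-project`. The `token_creators` listing is the check worth keeping: on the new account it should print exactly the token-provider principal, and on the retired account nothing.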

Troubleshooting rotation issues

Issue: Connection test fails after updating the service account email
Solution: Verify that the Service Account Token Creator role has been granted to coop-tp-sa@coop-production-488013.iam.gserviceaccount.com on the new service account. IAM changes can take a few minutes to propagate.

Issue: Domain-wide delegation error
Solution: Confirm that the new service account's Client ID has been added to domain-wide delegation in the Google Admin console with the correct OAuth scopes.

Issue: API not enabled error
Solution: If the new service account is in a different GCP project, ensure the Gmail API and Admin SDK API are enabled in that project.

Issue: Wrong service account email entered
Solution: Use the three-dot menu on the Destination Connection, select Edit, and correct the service account email. Test the connection again.