Articles in this section

Setting up the Service Account and enable the APIs within Google Workspace for CloudM Migrate

  • Updated
Follow

This setup is for both a source Google Workspace account and a Destination Google Workspace account. 

 

Migrating from Google Vault

If you are migrating from Google Vault, billing must be enabled for the Google project being used for the migration. This is necessary to avoid very low Google Vault export quota limits. 

 

 

Powershell Method

This method uses a Powershell script to automate the majority of the process, making sure that the correct Scopes and APIs are applied, with only a few simple manual steps required.

It is easier and quicker than the full manual process, and less prone to error.

 

To create a service account and obtain the private key for the account:

  1. Install Google Cloud SDK using the instructions provided by Google here,
  2. Once Google Cloud SDK has finished installing, download the GCP_Configuration.ps1 file (attached) to your desktop,
  3. Click on your Desktop Search icon (next to the Start Icon) and search for Windows Powershell
  4. Select Run as Administrator
  5. On the GCP_Configuration.ps1 file, select Shift and right click. Select Copy as Path.
  6. In the Windows Powershell window, enter CD and a space, then click the up button on your keyboard until you see the first half of the file path and select enter. It will look similar to: 
    • CD C:\Users\(your name)\Desktop
  1. On the next line, click the up button on your keyboard until you see & ‘.\GCP_Configuration.ps1 and press enter.
  2. On the Project ID line, enter a unique Project ID name.
  3. On the Service Account ID, enter a Service Account name. It can be the same as the Project ID name.
  4. On the Scope line, enter one of the following to specify the scopes to be assigned:
    • All (for Full scopes)
    • Standard
    • SourceLimited
    • DestinationLimited
    • Vault
    • Storage

Service_Powershell_1.png

  1. The Powershell script will run, setting up the service account and enabling the scopes. This may take a few minutes to complete.
  2. Once the Powershell has finished, you will need to manually complete a few easy steps to complete the OAuth and Domain Wide Delegation configuration, with instructions and URLs displayed.
  3. For step 1 - Configure OAuth Consent, copy the displayed URL and paste into a browser. Sign in to GCP with a full admin account. 
  4. On the OAuth consent screen, set the User Type to Internal and select Create.
  5. On the next screen, set the App name to CloudM Migrate, and add a User Support email and a Developer Contact email address.
  6. Select Save and Continue.
  7. For Step 2 - Service Account Domain Wide Delegation, copy the displayed URL in the Powershell window and paste into a browser.
  8. On the Service Accounts screen, click on the down arrow before SHOW DOMAIN-WIDE DELEGATION, check the Enable G Suite domain-wide delegation checkbox and select Save.
  9. For Step 3 - Configure Google Workspace Domain Wide Delegation using the following ClientId and Scopes, copy the displayed URL in the Powershell window and paste into a browser.
  10. On the Security > API Controls > Domain-wide Delegation screen, select Add new to display the Add a new client ID pop-up box.
  11. Copy and paste the Client ID and OAuth Scopes from the Powershell window into the specified fields and select AUTHORIZE.
  12. Now, in Step 4 - Service Account details for use in CloudM Migrate, copy the Service account email address that you need later when configuring the platform in CloudM Migrate.
  13. The P12 file that you will also need when configuring the platform in CloudM Migrate can be found in C:\CloudM\GCPConfig, along with a gcp_config log for the process.

 

Manual Method

To create a service account and obtain the private key for the account

  1. Go to cloud.google.com/console
  2. Click the project selection menu in the blue navigation bar (1).
  3. Next to ‘Select from’ ensure the correct domain you are creating the service account for is selected (2).
  4. Click ‘NEW PROJECT’ (3).

1_-_Selecting_from_domain.PNG

  1. Enter a project name (1).
  2. Ensure the correct organization is selected (2).
  3. The location can be left as the default or changed at your discretion (3).
  4. Click CREATE (4).

2_-_Create_new_Project.png

  1. Click on the 'hamburger' menu icon next to "Google Cloud Platform" in the top left of the page (1).
  2. Click 'APIs & Services' (2), then 'Credentials' (3).

3_-_API_and_Credentials.png

  1.  Click CREATE CREDENTIALS (1), then select 'Service account' (2).

4_-_Create_Credentials.png

  1.  Enter a service account name (1).
  2. Click ‘CREATE’ (2).

5_-_Create_Credentials_2.png

  1. In the ‘Select a role’ menu (1), click ‘Project’ (2), then select ‘Owner’ (3).

6_-_Select_a_Role.png

  1. Click CONTINUE (1).

7_-_Select_a_Role_2.png

  1. Click DONE.

8_-_Select_a_Role_3.png

  1. Click CONFIGURE CONSENT SCREEN (1).

9_-_Configure_Consent_Screen.png

  1. Select ‘Internal’, then click ‘CREATE’.

10_-_Internal_Create.png

  1. Enter an application name (1) and enter a Support email and a Developer Contact Email.

11_-_Enter_app_name.png

  1. Click SAVE

12_-_Enter_app_name_save.png

  1. Navigate back to the ‘Credentials’ page (1).

13_-_Credentials_page.png

  1. Click the edit button (pencil icon) on the service account that was created (1).

14_-_Cred_page_edit.png

  1. Expand the ‘SHOW/HIDE DOMAIN WIDE DELEGATION’ dropdown (1) and check the ‘Enable G Suite Domain-wide Delegation’ checkbox to enable it (2).
  2. Click the ‘ADD KEY’ dropdown (3), then click ‘Create new key’ (4).

15_-_Domain_wide_delegation.png

  1. Select ‘P12’ (1), then click ‘CREATE’ (2) - this will download the private P12 key file to be imported into CloudM Migrate.

16_-_P12_Create.png

  1. Close the ‘Private key password’ screen (1) as this is not needed.

17_-_Private_Key_Password.png

  1. Click ‘SAVE’ (1).

18_-_Save.png

  1. Notice the Oauth 2.0 Client ID has now appeared. Click the copy icon (1) to take a note of the client ID. This will need to be added to Google Workspace later.
  2. Take a note of the Service Account Email (2). This will need to be added to CloudM Migrate later.
  3. Navigate to the DASHBOARD page (3).

19_-_Oauth_2.0_Client_ID.png

  1. Click ‘ENABLE APIS AND SERVICES’ (1).

20_-_Enable_APIs.png

  1. In the ‘Search for APIs & Services’ search box, enter ‘Admin SDK’.

31_-_Admin_SDK.png

  1. Click Admin SDK (1)

31a_-_Admin_SDK.png

  1. Click ENABLE (1).

32_-_Admin_SDK_API_Enable.png

  1. The Admin SDK overview page is now shown. Click ‘APIs & Services’ (1) to navigate back to the main APIs & Services page.

22_-_Click_API_and_service.png

  1.  Repeat steps 30-34 to enable each of the required APIs:
    • Admin SDK
    • Google Drive API
    • Gmail API
    • Google Calendar API
    • People API
    • Tasks API
    • Groups Migration API
    • G Suite Vault API (if you are migrating from Google Vault).
    • Cloud Storage (if you are Migrating from Google Storage).
  2. If migrating Google Drive, open the Google Workspace Admin console and navigate to Apps > Google Workspace > Drive and Docs > Features and Applications and enable 'Allow users to access Google Drive with the Drive SDK API':

Drive_SDK.png

  1. Open the Google Workspace admin console and navigate to ‘Security > API Controls > Domain-wide Delegation’ (1). Here is a direct link: https://admin.google.com/ac/owl/domainwidedelegation?hl=en
  2. Click ‘Add new’ (2) then enter the Client ID from step 28 (3), the relevant OAuth scopes listed at the bottom of this page (4) then click ‘AUTHORIZE’ (5). 

23_-_Oath_scope.png

  1.  Launch CloudM Migrate and navigate to either the ‘Source Platform’ or ‘Destination Platform’ page depending on what is being configured (1).
  2.  Enter the Google Workspace tenant's primary domain name (2).
  3.  Enter a super admin account email address (3).
  4.  Enter the service account email address noted in step 29 (4).
  5.  Upload the P12 certificate downloaded in step 25 (5).

24_-_Uplaod_P12.png

  1. Click ‘Next’ to test API access (note: G Suite API access may take up to 60 minutes to propagate from the time it was granted).

 

If 'Use Limited Scopes' is going to be set as 'False' (default) in the Migration Settings section for the platform in CloudM Migrate, use the full scopes listed here:

  • https://www.googleapis.com/auth/admin.directory.resource.calendar,
  • https://www.googleapis.com/auth/gmail.settings.sharing,
  • https://mail.google.com/,
  • https://sites.google.com/feeds/,
  • https://www.googleapis.com/auth/admin.directory.group,
  • https://www.googleapis.com/auth/admin.directory.user,
  • https://www.googleapis.com/auth/apps.groups.migration,
  • https://www.googleapis.com/auth/calendar,
  • https://www.googleapis.com/auth/drive,
  • https://www.googleapis.com/auth/drive.appdata,
  • https://www.googleapis.com/auth/email.migration,
  • https://www.googleapis.com/auth/tasks,
  • https://www.googleapis.com/auth/gmail.settings.basic,
  • https://www.googleapis.com/auth/contacts,
  • https://www.googleapis.com/auth/contacts.other.readonly,
  • https://www.googleapis.com/auth/contacts.readonly,
  • https://www.googleapis.com/auth/directory.readonly,
  • https://www.googleapis.com/auth/user.addresses.read,
  • https://www.googleapis.com/auth/user.birthday.read,
  • https://www.googleapis.com/auth/user.emails.read,
  • https://www.googleapis.com/auth/user.gender.read,
  • https://www.googleapis.com/auth/user.organization.read,
  • https://www.googleapis.com/auth/user.phonenumbers.read,
  • https://www.googleapis.com/auth/userinfo.email,
  • https://www.googleapis.com/auth/userinfo.profile

 

If 'Source Platform Migration Settings > Google Workspace > Email Options > Use Limited Scopes' is set to 'True', use the following scopes:

  • https://www.googleapis.com/auth/gmail.labels,
  • https://www.googleapis.com/auth/gmail.readonly,
  • https://www.googleapis.com/auth/admin.directory.resource.calendar,
  • https://www.googleapis.com/auth/gmail.settings.sharing,
  • https://sites.google.com/feeds/,
  • https://www.googleapis.com/auth/admin.directory.group,
  • https://www.googleapis.com/auth/admin.directory.user,
  • https://www.googleapis.com/auth/apps.groups.migration,
  • https://www.googleapis.com/auth/calendar,
  • https://www.googleapis.com/auth/drive,
  • https://www.googleapis.com/auth/drive.appdata,
  • https://www.googleapis.com/auth/email.migration,
  • https://www.googleapis.com/auth/tasks,
  • https://www.googleapis.com/auth/gmail.settings.basic,
  • https://www.googleapis.com/auth/contacts,
  • https://www.googleapis.com/auth/contacts.other.readonly,
  • https://www.googleapis.com/auth/contacts.readonly,
  • https://www.googleapis.com/auth/directory.readonly,
  • https://www.googleapis.com/auth/user.addresses.read,
  • https://www.googleapis.com/auth/user.birthday.read,
  • https://www.googleapis.com/auth/user.emails.read,
  • https://www.googleapis.com/auth/user.gender.read,
  • https://www.googleapis.com/auth/user.organization.read,
  • https://www.googleapis.com/auth/user.phonenumbers.read,
  • https://www.googleapis.com/auth/userinfo.email,
  • https://www.googleapis.com/auth/userinfo.profile
  •  

 

If 'Destination Platform Migration Settings > Google Workspace > Email Options > Use Limited Scopes' is set to 'True', use the following scopes:

  • https://www.googleapis.com/auth/gmail.labels,
  • https://www.googleapis.com/auth/gmail.insert,
  • https://www.googleapis.com/auth/admin.directory.resource.calendar,
  • https://www.googleapis.com/auth/gmail.settings.sharing,
  • https://sites.google.com/feeds/,
  • https://www.googleapis.com/auth/admin.directory.group,
  • https://www.googleapis.com/auth/admin.directory.user,
  • https://www.googleapis.com/auth/apps.groups.migration,
  • https://www.googleapis.com/auth/calendar,
  • https://www.googleapis.com/auth/drive,
  • https://www.googleapis.com/auth/drive.appdata,
  • https://www.googleapis.com/auth/email.migration,
  • https://www.googleapis.com/auth/tasks,
  • https://www.googleapis.com/auth/gmail.settings.basic,
  • https://www.googleapis.com/auth/contacts,
  • https://www.googleapis.com/auth/contacts.other.readonly,
  • https://www.googleapis.com/auth/contacts.readonly,
  • https://www.googleapis.com/auth/directory.readonly,
  • https://www.googleapis.com/auth/user.addresses.read,
  • https://www.googleapis.com/auth/user.birthday.read,
  • https://www.googleapis.com/auth/user.emails.read,
  • https://www.googleapis.com/auth/user.gender.read,
  • https://www.googleapis.com/auth/user.organization.read,
  • https://www.googleapis.com/auth/user.phonenumbers.read,
  • https://www.googleapis.com/auth/userinfo.email,
  • https://www.googleapis.com/auth/userinfo.profile

 

Migrating from Google Vault?

If you are migrating from Google Vault, use these API Scopes:

  • https://www.googleapis.com/auth/admin.directory.resource.calendar,
  • https://www.googleapis.com/auth/gmail.settings.sharing,
  • https://mail.google.com/,
  • https://sites.google.com/feeds/,
  • https://www.googleapis.com/auth/admin.directory.group,
  • https://www.googleapis.com/auth/admin.directory.user,
  • https://www.googleapis.com/auth/apps.groups.migration,
  • https://www.googleapis.com/auth/calendar,
  • https://www.googleapis.com/auth/drive,
  • https://www.googleapis.com/auth/drive.appdata,
  • https://www.googleapis.com/auth/email.migration,
  • https://www.googleapis.com/auth/tasks,
  • https://www.googleapis.com/auth/gmail.settings.basic,
  • https://www.googleapis.com/auth/ediscovery,
  • https://www.googleapis.com/auth/ediscovery.readonly,
  • https://www.googleapis.com/auth/devstorage.read_write,
  • https://www.googleapis.com/auth/contacts,
  • https://www.googleapis.com/auth/contacts.other.readonly,
  • https://www.googleapis.com/auth/contacts.readonly,
  • https://www.googleapis.com/auth/directory.readonly,
  • https://www.googleapis.com/auth/user.addresses.read,
  • https://www.googleapis.com/auth/user.birthday.read,
  • https://www.googleapis.com/auth/user.emails.read,
  • https://www.googleapis.com/auth/user.gender.read,
  • https://www.googleapis.com/auth/user.organization.read,
  • https://www.googleapis.com/auth/user.phonenumbers.read,
  • https://www.googleapis.com/auth/userinfo.email,
  • https://www.googleapis.com/auth/userinfo.profile

 

Service Account and Scopes Propagation Time

Similarly with the Service account and APIs, adding the Client and Scopes in the Google Workspace console may be subject to a propagation time of up-to two hours.

Check Connections for your Google Workspace platform in CloudM Migrate may not be successful immediately.

 

Comments

0 comments

Please sign in to leave a comment.