In order to migrate data to or from Google Workspace, it is necessary to configure the tenant to provide the necessary permissions. This document describes the creation of a key that will be used by Migrate to access your Google Workspace data.
Authentication and Permissions to Access Google Workspace
A Service Account needs to be created with the correct scopes for the data access and an associated P12 or JSON key. This account is entered in the endpoint configuration, and the P12 or JSON key file is uploaded into CloudM Migrate.
The whole process can be performed via a PowerShell script or by following the Manual Process.
Install the Google Cloud SDK
- Download and install the Google Cloud CLI.
- Run PowerShell as Administrator and initialize the Google Cloud SDK with
- Enter 1 to choose
Re-initialize this configuration [default] with new settings
- Enter 2 to choose
Log in with a new accountand log in with a Super Admin account.
- Select Allow to give the SDK permissions to access the Super Admin account. The website will close and return to the PowerShell instance.
- Enter Y to create a new project.
- Enter a Project Name between 6-30 in all lowercase letters.
Create the Key
- Right-click and save the GCP Configuration script to a working directory.
- Execute the script in PowerShell as Administrator.
- You’ll be prompted to enter a Project ID which is the Project Name created previously.
- You’ll be prompted to enter a Service Account ID, which is a new account that will be created and used in GCP. The Service Account ID must between 6-30 in all lowercase letters.
- You’ll be prompted to enter the Scope; choose one of the following:
- All - Recommended for Google to Google
- Standard (default)
- You’ll be prompted for the key type; enter P12 or JSON.
- You’ll be prompted to continue the process by navigating to a URL to Configure OAuth Consent. Do not close PowerShell.
- On the OAuth consent page, set the User Type to Internal and select Create.
- Set the App name to CloudM Migrate, and add a User Support email and a Developer Contact email address.
- Navigate to Security > API Controls > Domain-wide Delegation page, and select Add New.
- The PowerShell script will output the ClientID and OAuth Scopes to copy and paste in the Add New dialog.
- Select Authorize.
- You can now add the Service Account email to CloudM Migrate.
- The P12 or JSON Access key will be located under C:\CloudM\GCPConfig and can be uploaded into CloudM Migrate.