Creating a Google OAuth2 Service Account for ID Hub
  • 08 Aug 2023

Create a Service Account and Key

  1. Select an existing project in your instance of console.cloud.google.com.

  2. Click on the menu button at the top left of the page and select APIs and Services.

  3. Using the search bar at the top, search for Admin SDK.

  4. Select and enable the Admin SDK by clicking the Enable button.

  5. Go back to console.cloud.google.com and ensure your project is still selected.

  6. Click on the menu button at the top left of the page, select APIs and Services, and select Credentials.

  7. Click Create Credentials and select Service account.

  8. Give the service account a name and an account ID. Descriptions are optional.

  9. Click Create and Continue.

  10. Skip the Grant this service account access to project section.

  11. Skip the Grant users access to this service account section. By default, the user that creates the service account will be the only one who has access to this service account.

  12. Click Done.

  13. If not redirected, select the menu button in the top left of the page, select APIs & Services, and then select Credentials.

  14. Under Service Accounts, click the pencil icon next to the service account that was created above.

  15. Scroll to the Keys section and click Add Key, then select Create New Key.

  16. Select JSON in the popup window, and click Create.

  17. Save the JSON file and store it in a secure area.

  18. Reach out to your implementation manager about how to provide the contents of this file securely.

Authorizing the Service Account Key

  1. Log in to Google Admin Console as a User with the Super Admin role.
  2. In the Admin console, go to Menu > Security > Access and data control > API controls.
  3. Click Manage Domain Wide Delegation.
  4. Click Add New.
  5. Open the JSON file that was downloaded when you created the Service Account Key. Copy the value of the client_id field (without the quotes) and paste it into the Client ID field in the browser.
  6. Enter the scopes you want to grant access to, separated by commas, in the OAuth scopes field and click Authorize. The scopes typically needed are:
    a. https://www.googleapis.com/auth/admin.directory.user
    b. https://www.googleapis.com/auth/admin.directory.group
    c. https://www.googleapis.com/auth/admin.directory.orgunit.readonly
    d. A list of available scopes is at https://developers.google.com/identity/protocols/googlescopes.
  7. Additional scopes may be added later by repeating the previous two steps.
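
As an added example (not ID Hub or Google code), the Python sketch below checks a downloaded key file before hand-off and returns the two values entered in the Domain Wide Delegation form in steps 5 and 6: the client_id and the comma-separated scope string. The sample key is constructed with placeholder values, and the function names are assumptions.

```python
import json
import os
import stat
import sys
import tempfile

# Scopes listed in step 6 of this article.
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
]
REQUIRED = ("type", "client_id", "client_email", "private_key_id", "private_key")

def delegation_inputs(key_path, scopes=SCOPES):
    """Validate a downloaded key file; return the values for the delegation form."""
    problems = []
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"file mode {mode:o} lets other users read the key; use 600")
    with open(key_path, encoding="utf-8") as fh:
        key = json.load(fh)
    if not isinstance(key, dict):
        raise ValueError("key file is not a JSON object")
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    # Only non-secret fields leave this function; private_key is never returned.
    return {"client_id": key.get("client_id"), "client_email": key.get("client_email"),
            "oauth_scopes": ",".join(scopes), "problems": problems}

def write_sample_key(mode=0o600):
    """Write a constructed key file (placeholder values, not a real credential)."""
    sample = {
        "type": "service_account",
        "private_key_id": "0000placeholder",
        "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
        "client_email": "idhub-sync@example-project.iam.gserviceaccount.com",
        "client_id": "100000000000000000001",
    }
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(delegation_inputs(sys.argv[1] if len(sys.argv) > 1 else write_sample_key()))
```

Run it with the path to the downloaded JSON file as the only argument; an empty problems list means the file is a service account key readable only by its owner.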