Creating a Google OAuth2 Service Account for ID Hub
  • 13 Jun 2025

Create a Service Account and Key

  1. Go to the Google Cloud Console at console.cloud.google.com.

  2. Select or Create a Project

    • In the top navigation bar, click the project dropdown.
    • Select an existing project or click "New Project" to create a new one.
      • If creating a new project, enter the project name and organization, then click "Create".
  3. Open the IAM & Admin page and go to Service Accounts.

  4. Click "Create Service Account"

    • At the top of the Service Account page, click "+CREATE SERVICE ACCOUNT".
  5. Enter Service Account Details

    • Service account name: (e.g. rapididentity-account)
    • Service Account ID: auto-fills based on the name (you can modify it)
    • Description: (optional) add a description for clarity.
    • Click "Create and Continue"
  6. Assign Roles (Permissions)

    • Select one or more roles that define what this account can access; grant only the roles the integration actually needs.
    • Click "Continue"
  7. Skip the Grant this service account access to project section.

  8. Skip the Grant users access to this service account section. By default, the user that creates the service account will be the only one who has access to this service account.

  9. Click Done.

  10. If not redirected, select the menu button in the top left of the page, select APIs & Services, and then select Credentials.

  11. Under Service Accounts, click the pencil icon next to the service account that was created above.

  12. Scroll to the Keys section and click Add Key, then select Create New Key.

  13. Select JSON in the popup window, and click Create.

  14. Save the JSON file and store it in a secure location. It contains the account's private key, and Google does not let you download the same key again.

  15. Reach out to your implementation manager about how to provide the contents of this file securely.

Authorizing the Service Account Key

  1. Log in to Google Admin Console as a User with the Super Admin role.
  2. In the Admin console, go to Menu > Security > Access and data control > API controls.
  3. Click Manage Domain Wide Delegation.
  4. Click Add New.
  5. Open the JSON file that was downloaded when you created the Service Account Key. Copy the value of the client_id field (without the quotes) and paste into the Client ID field in the browser.
  6. Enter the scopes you want to grant access to, separated by commas, in the OAuth scopes field and click Authorize. The scopes you will typically need are:
    a. https://www.googleapis.com/auth/admin.directory.user
    b. https://www.googleapis.com/auth/admin.directory.group
    c. https://www.googleapis.com/auth/admin.directory.orgunit.readonly
    d. The full list of available scopes is at https://developers.google.com/identity/protocols/googlescopes.
  7. Additional scopes may be added later by repeating the previous two steps.
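The following is an added example, not part of this article or the ID Hub product, showing how the pieces above fit together: it reads a downloaded key file, produces the Client ID and comma-separated scope string for the Domain Wide Delegation form, rejects scopes outside an approved list, and builds the JWT claim set the key signs when the account acts as a Workspace admin. The key contents, the admin address and the allowed-scope list are constructed placeholders.

```python
import base64, json, time

# Constructed sample of a downloaded key file (placeholder values, not a real key).
SAMPLE_KEY_JSON = """{
  "type": "service_account",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "rapididentity-account@example-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""
# Scopes the article lists as typical; anything outside this set is rejected (assumed allowlist).
ALLOWED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
}
REQUIRED_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")

def load_key(text):
    """Parse the key file and check it is a service account key with the fields the flow needs."""
    key = json.loads(text)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"not a usable service account key; missing fields: {missing}")
    return key

def delegation_form_values(key, scopes):
    """Return (Client ID, comma-separated scopes) as the Domain Wide Delegation form expects them."""
    bad = sorted(set(scopes) - ALLOWED_SCOPES)
    if bad:
        raise ValueError(f"scopes outside the approved list: {bad}")
    return key["client_id"], ",".join(scopes)

def delegation_claims(key, subject, scopes, now=None):
    """Claim set the service account signs (RS256, with private_key) to act as `subject`."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],  # the account whose client_id was authorised in the console
        "sub": subject,              # the Workspace admin being impersonated
        "scope": " ".join(scopes),   # the assertion separates scopes with spaces, not commas
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,           # at most one hour after iat, or Google rejects it
    }

def unsigned_assertion(claims):
    """base64url(header).base64url(claims): the signing input for the RS256 signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=")
    return enc({"alg": "RS256", "typ": "JWT"}) + b"." + enc(claims)
```

In production the assertion is signed with the key's private_key and exchanged at token_uri for an access token; the google-auth library does this for you via Credentials.from_service_account_info(...).with_subject(...).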
