Google - Manual Connection

How to connect your Google Workspace with Village Labs.

Prerequisites

• An account with admin permissions over your Google Workspace

• Google Workspace Business or Enterprise

Google Admin Console

Permissions: Connecting to Google will give Village Labs read-only access only. Village Labs will not be able to write-to or modify your Google Drive or Google Workspace.

Privacy Settings: Village Labs only connects to Google Drive files (Docs, Sheets, Slides) that are shared with your Organization (ie. set to General access > Anyone in this group with the link can view).

Reports will not summarize content that is not shared with the Organization, or is only shared with a subset of people within your Organization.

Generating the credentials

For this integration, you will be creating a service account with limited permissions, able to make read-only queries as a Google Workspace admin on limited scopes.

Village supports two integrations: one for Workspace admin (eg. meet activity), and one for Google Drive activity (docs/sheets/presentations/etc.). Depending on whether you want both or only one of these integrations, the scopes differ slightly.

1. In your Google cloud console, go to the IAM & Admin console. Make sure that you selected the right project. If you don't have any existing GCP project, you may have to create one. Go to the Service Accounts page https://console.cloud.google.com/iam-admin/serviceaccounts

2. Create a new service account.

3. For the "Grant this service account access to the project" step, continue without adding any role: no need to give this account any specific role over your GCP project.

4. For the final "Grant users access to this service account", leave blank. No need to explicitly grant users access to this service account. Click on Done to create the account

5. In the service account list, click on the account you just created to open its details (https://console.cloud.google.com/iam-admin/serviceaccounts/details/{service-acc-id}) Open the Advanced settings section. Note the "Unique ID" that was created for this service account, it will be necessary for the next step.

6. Click on "View Google Workspace Admin console", or go to https://admin.google.com/ Go to Security > Access and data control > API controls. Or, alternatively: https://admin.google.com/ac/owl/domainwidedelegation

7. Click on "Add new API client"

8. Fill in the necessary info:

   1. The Client ID should be the "Unique ID" from the service account that you got from step 5

   2. The following OAuth scopes are required. You may copy paste this directly in the form: [RECOMMENDED] If you want both Drive logs and Meet reports: https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/drive.activity.readonly, https://www.googleapis.com/auth/documents.readonly, https://www.googleapis.com/auth/spreadsheets.readonly

Rare use cases:

Drive logs only: https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/drive.activity.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/documents.readonly, https://www.googleapis.com/auth/spreadsheets.readonly Meet reports only: https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly

1. Click Authorize once you're done

   The domain-wide delegation should appear in the list
2. Go back to the previous IAM page for your service account (see step 5), go to the keys tab: https://console.cloud.google.com/iam-admin/serviceaccounts/details/{service-acc-id}/keys

3. Create a new key Select Key Type: JSON and create.
4. This will trigger a download of a JSON credentials file, which contains everything necessary for the Village integration.

5. Enable the following APIs by clicking on the links below and then clicking "Enable" (see screenshot

   1. https://console.cloud.google.com/apis/api/admin.googleapis.com/metrics

   2. https://console.cloud.google.com/apis/api/driveactivity.googleapis.com/metrics

   3. https://console.cloud.google.com/apis/api/drive.googleapis.com/metrics

   4. https://console.cloud.google.com/apis/api/sheets.googleapis.com/metrics

   5. https://console.cloud.google.com/apis/library/sheets.googleapis.com

   6. 

List of final information to be shared with Village for final connection:

• credentials_json: The credentials file for the service account created above

• email: The email of the user, who has permissions to access the Google Workspace Admin APIs (likely the email of the user who created the key above). Note that this is not the email of the service account behind the credentials json.

• domain_name: Domain name for your workspace, eg. mycompany.com. This will be used for Directory API streams