How to Configure and Use a Gmail / Google Workspace (G Suite) Service Account for Sync Activation

 

Gmail / Google Workspace (G Suite) service accounts are used for various mail access management tasks, for example to mass-authorize the LinkPoint Connect(ME) Sync engine to work with end users’ Gmail data via the LPC Chrome Extension for Gmail.

In this scenario, a service account configured by the local mail admin provides a simple way to authorize multiple Gmail mailboxes for LPC use, so end users do not need to authorize their mailboxes manually or reconnect them every time they change their password. This makes adding new product users easier and allows admins and managers to ensure that all LinkPoint Connect(ME) features are rolled out to all users.

Tip

After mass LPC Sync activation via a Gmail service account, you can proceed to mass-deploying the LPC Chrome extensions for the end users; the mass deployment procedure is only available on Windows systems, via MS Active Directory.

 

 

Step 1. Create a Project

1.1. Log in to your Org’s Gmail / Google Workspace (G Suite) Console with Super administrator credentials at https://console.developers.google.com/

If you haven’t used the Console before, you will first need to agree to the Console’s Terms of Service.

1.2. Click the button Select a project ▾ in the upper left corner of the Console

 

1.3. In the dialog that appears, click New Project

 

1.4. Enter a Project name and click Create. In this example we set the name Gmail Service Account

 

 

Step 2. Enable Gmail API Sets

2.1. Select your Project from the list and click the ENABLE APIS AND SERVICES button

 

2.2. On the API Library page that opens, use the search box to find GMAIL API, click on it and then Enable it on the next page.
Note that enabling the APIs here does not grant access by itself; it is a prerequisite for adding the corresponding permission scopes later.

   

 

2.3. In the same manner find and enable two more API sets for the service account: Google Calendar API and People API

 

 

Step 3. Create a Service Account User

3.1. Click the (Navigation menu) icon in the upper left corner of the Console and select IAM & admin > Service accounts in the navigation pane

 

3.2. In the next dialog, click + CREATE SERVICE ACCOUNT

 

3.3. Enter a name to identify the service account and set Service account description to “Allow admins to control which mailboxes get added”, then click CREATE

 

3.4. In the next window, set the value Project > Owner in the field Select a role and click Continue, then click DONE in the next window

 

 

 

3.5. Next, click the (Menu) icon in the Actions column of the created service account and select Create key

 

3.6. Select JSON format for the key (the default one) and click CREATE

 

3.7. Download the JSON to your hard drive; store the Key file securely, as it unlocks access to your Gmail resources. This file will be used at a later step. Close the download notification and proceed to the next step
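
A pre-upload check for the key file from step 3.7, added here as an example (not LinkPoint's or Google's own tooling): it flags a key file that other local users can access and reports the digits-only Unique ID (`client_id`) separately from the alphanumeric Key ID (`private_key_id`) without returning the private key. It assumes the standard service-account JSON key layout; the sample key in `demo()` is constructed placeholder data.

```python
import json
import os
import re
import stat
import tempfile

# Fields of a Google service-account JSON key (standard layout, assumed here).
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id")

def audit_key_file(path):
    """Return (summary, problems). The private key itself is never returned."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:o} exposes the key to group/others; use 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, not 'service_account'")
    unique_id = str(key.get("client_id", ""))
    if not re.fullmatch(r"\d+", unique_id):
        problems.append("client_id is not digits only, so it is not the Unique ID")
    summary = {"unique_id": unique_id,                   # digits only (step 4.2)
               "key_id": key.get("private_key_id", ""),  # alphanumeric Key ID
               "service_account": key.get("client_email", "")}
    return summary, problems

def demo():
    sample = {  # constructed placeholder values, not a real key
        "type": "service_account", "project_id": "example-project",
        "private_key_id": "0a1b2c3d4e5f", "client_id": "100000000000000000001",
        "private_key": "CONSTRUCTED-PLACEHOLDER",
        "client_email": "sync@example-project.iam.gserviceaccount.com"}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o644)              # world-readable: should be flagged
    loose = audit_key_file(path)
    os.chmod(path, 0o600)              # owner-only: should pass
    tight = audit_key_file(path)
    os.remove(path)
    return loose, tight

if __name__ == "__main__":
    print(demo())
```

Run `audit_key_file` on the downloaded file before the upload in step 7.4; an empty problems list means the file passed these checks.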

 

 

 

Step 4. Enable Gmail / Google Workspace (G Suite) delegation for the domain

4.1. Find the newly created service account in the list, then click Menu next to it under Actions and select Edit

 

4.2. In the Service account’s window:

  • Copy the Unique ID of the created service account to a text file or the clipboard to be used later

  • Then click the button SHOW DOMAIN-WIDE DELEGATION to expand the block

 

  • Select the checkbox for Enable Google Workspace (G Suite) Domain-wide Delegation and enter Connect(ME) in the field “Product name for the consent screen”

  • Finally, click Save in the bottom left corner of the pane to apply the changes

 

 

Step 5. Enable the Service Account in Gmail

5.1. Log in to Gmail and open the Admin panel; you will need to scroll down under the More section to find it.

 

5.2. On the Admin panel, click the Security icon.

 

5.3. Scroll down and click Advanced Settings

   

5.4. In the “API controls” window that opens, click MANAGE THIRD-PARTY APP ACCESS

 

5.5. In the “App access control” window that opens, click Configure new app and select OAuth App Name Or Client ID in the picklist

 

5.6. Now find the OAuth app to connect. Enter the Unique ID (the digits-only value that you copied in step 4.2, not the alphanumeric Key ID) into the Search for app name or client ID field and click SEARCH

Tip

If you didn’t copy the Unique ID, it can be retrieved in the following way: click (Menu) in the upper left corner of the Console window. Then select IAM & admin and click Service accounts. Once there, find the service account and click Edit in the Actions column menu, then copy the contents of the Unique ID field from the account parameters page.

 

 

5.7. If everything was configured correctly, you will see Connect(ME) (or another app name that you entered) in the results. Click SELECT on the right hand side

 

5.8. Next, select the checkbox next to the unique ID, then click SELECT in the bottom right corner of the dialog

 

5.9. In the next dialog, set App access to Trusted: Can access all Google services and click CONFIGURE

 

5.10. Next, you will see the list of configured API apps, including Connect(ME) (or another app name you specified). Right-click on its App ID (an alphanumeric value with a dash ending with .apps.googleusercontent.com) and copy it

 

 

Step 6. Set Up Domain Delegation

6.1. Go back to the Gmail Admin Console’s Security tab (see step 5.2), then scroll down to API Permissions

 

6.2. Click MANAGE DOMAIN-WIDE DELEGATION

 

6.3. In the pane “Domain-wide delegation”, click Add new API client

 

6.4. In the dialog “Add a new client ID” that appears:

  • enter the App Client ID that you copied at step 5.10
  • populate the OAuth scopes field with the following comma-separated values:
https://www.googleapis.com/auth/gmail.readonly  
https://www.google.com/m8/feeds/  
https://www.googleapis.com/auth/calendar  
https://www.googleapis.com/auth/drive  
https://www.googleapis.com/auth/drive.appdata  
https://www.googleapis.com/auth/gmail.labels  
https://www.googleapis.com/auth/gmail.modify  
https://www.googleapis.com/auth/tasks  
https://www.googleapis.com/auth/userinfo.email  
https://www.googleapis.com/auth/gmail.compose

 

 

  • Click AUTHORISE

 

6.5. Wait 5 minutes for the configuration to be applied

Now you are all set to use the Gmail service account for end-user authorization.

 

 

Step 7. Use the configured service account to authorize users in LPC Admin panel

After you create a Gmail service account, you must authorize the users in the LinkPoint Connect(ME) Admin panel.

To do that:

7.1. Log in to the Admin panel with the admin credentials provided by the LPC Support team

7.2. Click on the ORGANIZATIONS tab and select your Org

7.3. Open the E-MAIL CONFIGURATION subtab

 

7.4. Click Choose File next to Upload JSON file, select the private key .json file you generated in step 3.7 above, then click Upload

7.5. Click Save in the upper right corner of the subtab and then click Check Users’ Google Impersonated Access to make sure that the procedure was successful

   

