Domain-Wide Delegation

This guide details how to authorize your Service Account to access Google Workspace data by setting up Domain-Wide Delegation (DwD). This process allows the service account to "impersonate" your Admin Email to read users, groups, and devices.


🔐 Prerequisites

Before starting, ensure you have:

  1. The Client ID: This is the numeric ID of your Service Account (the client_id field in the JSON key file, or the GCP Console under IAM > Service Accounts).

  2. Super Admin Access: You must be a Super Admin in the Google Admin Console.

Manage Domain Wide Delegation

Step 1: Navigate to API Controls

  1. Log in to the Google Admin Console.

  2. In the left-hand menu, navigate to Security > Access and data control > API controls.

  3. Scroll down to the Domain-wide delegation section at the bottom.

  4. Click MANAGE DOMAIN WIDE DELEGATION.


Step 2: Register the API Client

  1. On the Domain-wide Delegation page, click the Add new button next to the "API clients" list.

  2. A dialog box will appear. Enter the following information:

    • Client ID: Paste the numeric Client ID for your Service Account.

    • OAuth Scopes: Copy and paste the following comma-separated list into the field:

https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/cloud-identity.devices.readonly, https://www.googleapis.com/auth/admin.directory.customer.readonly

  3. Click Authorize.


📋 Authorized Scopes Reference

Once authorized, your Service Account will be able to perform the following functions:

Scope | Application Service | Purpose
admin.directory.user.readonly | GCPUserClientService | Read-only access to user profiles and metadata.
admin.directory.group.readonly | GCPGroupClientService | List organization groups and view their memberships.
cloud-identity.devices.readonly | GCPDeviceClientService | View and inventory managed devices in the organization.
admin.directory.customer.readonly | Core Service | Read organization-level configuration and customer data.


✅ Verification

  1. Check the list of API Clients to ensure your Client ID appears with the correct scopes.

  2. Return to your application's GCP Configuration page.

  3. Enter the Admin Email (the person being impersonated) and click Test.

  4. If the test passes, the Service Account is successfully authorized to "act as" the admin for these specific read-only tasks.
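The following is an added example, not code from this guide or its product. It models what the Test step checks: the Admin Console must list the exact Client ID with every scope the application requests (a mismatch in either produces an unauthorized_client error), and it builds the JWT claim set a service account signs to act as the Admin Email, where the sub claim is what makes the request a delegated one. The key file and console entries are constructed samples; the check_delegation and delegated_jwt_claims names are assumptions.

```python
import time

# Scopes from the reference table above, in the full URL form the Admin Console expects.
DWD_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/cloud-identity.devices.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
]

# Constructed sample key (same field names as a real service-account JSON key; values are fake).
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "reader@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}

# Constructed sample of the Admin Console "API clients" list: client ID -> authorized scopes.
# The customer.readonly scope is deliberately left out to show a partial authorization.
SAMPLE_ADMIN_CONSOLE = {
    "123456789012345678901": set(DWD_SCOPES[:3]),
}


def check_delegation(key, authorized, wanted_scopes):
    """Return the problems that would make the delegated Test fail (empty list = OK)."""
    problems = []
    granted = authorized.get(key["client_id"])
    if granted is None:
        problems.append(f"client ID {key['client_id']} not registered for domain-wide delegation")
        return problems
    for scope in sorted(set(wanted_scopes) - granted):
        problems.append(f"scope not authorized for this client ID: {scope}")
    return problems


def delegated_jwt_claims(key, admin_email, scopes, now=None, lifetime=3600):
    """Claim set the service account signs to obtain an access token as admin_email.

    'sub' is the impersonated user; without it the token would only act as the
    service account itself and Workspace Admin APIs would refuse it.
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": admin_email,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + lifetime,  # Google accepts at most one hour
    }
```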

Domain-Wide Delegation is extremely powerful: a delegated Service Account can act as any user in the domain for the scopes it has been granted, so its key must be protected like an admin credential. Ensure that only the minimum required scopes (listed above) are granted to keep your environment secure.
