Creating Google service account credentials - HubSpot/python-app-google-groups GitHub Wiki

Google Groups uses a domain service account to manage groups through API calls.

Steps

Getting the Oauth 2 credentials

Note that the account you use to create the project will own the project. You might want to create a separate account in your domain for the app itself. Alternatively, if you already have a Google project then you can create a service account within it.

1. Log in as the service user to gmail
2. Navigate to the service console and create a project. Name it similar to the app.
3. Make sure the project is now selected up beside the google API logo, then go to credentials -> manage service accounts -> Create service account
4. Set the name the same as the AD name. Skip adding permissions
5. On the final page click “Create Key”, select JSON format. Click Create, then Done
   1. The downloaded file contains all your credentials. Keep it safe!
   2. Record the Client ID
6. In Library, enable Admin SDK and Groups Settings API

Add the necessary access to the Google Domain

You will need to be a Google domain administrator to do this.

1. Go to admin.google.com -> Admin Roles
2. In Group Admins, add the service’s account
3. Go to Security -> API Controls -> Domain Wide Delegation
4. Create a new entry. Paste the client ID, and add the following values in scopes:

https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/apps.groups.settings

Filling in the app config

The ZIP you downloaded from the Google Project service account page will contain a JSON file with a number of fields you need to copy into your Google Groups App config.json. Take each field from the example config and replace it with the corresponding value from the ZIP.

Note that the scopes field will be unchanged - this is the same across all deployments of the app and is not credentials specific.