6. Get service account JSON keys - NoSubstitute/userDelegationWebApp GitHub Wiki

Here we will create a service account and insert its credentials into secrets.gs.

Go back to the GCP project page and click Service Accounts.


You may already have service accounts there, depending on whether you created a new project, or chose to re-use a project. My instructions are for creating everything fresh, but skilled Workspace Cloud admins may choose to do all this in an existing project.

Click CREATE SERVICE ACCOUNT.


Again, it's time to fill in the name of your chosen reference. Easiest is probably to stick with the same reference you used earlier, userDelegation. However, if you plan on giving several people access to their own userDelegation web app (highly recommended, as that means each service account's actions will be individually logged; see OAuth log events), you can create individual service accounts here. In that situation, I recommend naming each service account after the individual, like userDelegation-jsmith. You have 30 characters max.


Click CREATE AND CONTINUE. Click CONTINUE. Click DONE.

You will now be back on the Service Accounts page, with one service account listed. Click it. It will open and let you see some details of it.

Copy the Unique ID to a note, as we will use this in step 7 later.


Among the headers you will see the word KEYS. Click it. Then click ADD KEY, and Create new key.


Choose to create a JSON key. (P12 keys are more secure, but they are encrypted and harder to use.)


The JSON key will automatically be downloaded to your computer. Make sure to keep it in a safe place. Click CLOSE.


Open your downloaded JSON file in a text editor. Copy the following values and paste them into the secrets.gs file in the script editor, replacing the ... in each spot.

  1. private_key_id - paste it into the comment on line 12. This value is only for documentation of which service account is used in this script.
  2. private_key - Make sure you copy the right piece of the key.
  3. client_email - This is sort of the username of the service account, with the private_key being the "password".

Save the secrets.gs file.
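
A pre-flight check for the copy step above, as an added example that is not part of the original wiki or the project's code: it parses the downloaded JSON key, confirms the three fields are present and that private_key is a complete PEM block, and returns a summary that leaves out the key material. The function name and the sample key are constructed for illustration; the field names are those of Google's JSON key format.

```javascript
// Added example: validate a downloaded service account key before copying
// values into secrets.gs. checkServiceAccountKey is a hypothetical helper.
const PEM_HEAD = "-----BEGIN PRIVATE KEY-----";
const PEM_TAIL = "-----END PRIVATE KEY-----";

function checkServiceAccountKey(jsonText) {
  const key = JSON.parse(jsonText); // turns the file's "\n" escapes into real newlines
  const problems = [];
  if (key.type !== "service_account") {
    problems.push("type is not 'service_account'");
  }
  for (const field of ["private_key_id", "private_key", "client_email"]) {
    if (typeof key[field] !== "string" || key[field].length === 0) {
      problems.push("missing field: " + field);
    }
  }
  const pem = typeof key.private_key === "string" ? key.private_key.trim() : "";
  if (pem && !(pem.startsWith(PEM_HEAD) && pem.endsWith(PEM_TAIL))) {
    problems.push("private_key lacks its BEGIN/END lines");
  }
  if (pem && pem.includes("\\n")) {
    problems.push("private_key contains literal backslash-n text (double-escaped)");
  }
  const email = typeof key.client_email === "string" ? key.client_email : "";
  if (email && !email.endsWith(".gserviceaccount.com")) {
    problems.push("client_email is not a service account address");
  }
  return {
    ok: problems.length === 0,
    problems,
    // Safe to show in logs or notes: never the private key itself.
    summary: {
      private_key_id: key.private_key_id,
      client_email: key.client_email,
      private_key_lines: pem ? pem.split("\n").length : 0,
    },
  };
}

// Constructed sample, not a real key.
const SAMPLE_KEY_JSON = JSON.stringify({
  type: "service_account",
  private_key_id: "0000000000000000000000000000000000000000",
  private_key: PEM_HEAD + "\nCONSTRUCTED+PLACEHOLDER+NOT+A+KEY\n" + PEM_TAIL + "\n",
  client_email: "userdelegation-jsmith@example-project.iam.gserviceaccount.com",
});

console.log(checkServiceAccountKey(SAMPLE_KEY_JSON));
```

Pass the contents of your downloaded file as a string in place of SAMPLE_KEY_JSON, and only copy values into secrets.gs once `ok` is true.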

Remember that this entire step can be re-done for each delegated admin.

Then you deploy uniquely named versions of the web app, with each admin's secrets.gs saved to their named version.
