Google Workspace Service Account Authentication Guide

How to authenticate Google for use with Tines using JWT

Written by Rosie Halpin
Updated this week

Google Workspace is a suite of cloud-based productivity and collaboration tools offered by Google, formerly known as G Suite. It includes applications such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, and more.

A Google service account is a special kind of account used by an application, rather than a person. You can use a service account to access data or perform actions as the robot account itself, or to access data on behalf of Google Workspace users. For more information, see understanding service accounts.

This guide walks you through configuring a service account and the corresponding Tines credential for Google Workspace.

Create a Google credential in Tines

There are 3 ways to create your Google credential in Tines:

  1. Google Service Account connect flow (recommended)

    This connect flow will guide you through the process of creating your service account and will create a Google credential for you. This is currently not supported for self-hosted tenants. See How to configure the service account in Google for specifics on scopes and roles for your service account with Google Workspace.

    1. Navigate to the team that will be using the API and click Credentials

    2. Click + New Credential and select Google Service Account and follow the prompts to connect.

  2. Actions on the storyboard

    If you will be impersonating other users at a rapid rate as part of your Tines workflow, you may prefer to generate this credential as part of the workflow via actions on the storyboard. While you can update the user input in a credential, doing so may lead to race conditions if multiple requests try to update the credential at the same time. Hence, many users opt to create the token needed in each story run, avoiding race conditions.

    1. Save the service account email as a resource in Tines:

      1. Navigate to the team that will be using the API and click Resources

      2. Click + New resource, name it google_svc_account_email, paste the service account email into the builder of the resource, and select Save resource.

    2. Save the private key generated as a text credential in Tines:

      1. Navigate to the team that will be using the API and click Credentials

      2. Click + New credential, and select Text

      3. Name the credential google_svc_key, select Preserve newline characters, and paste the private key from your generated JSON file into the value. This starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----\n. Then select Save.

    3. Import this story to your tenant. This is a Send to Story that generates a token and sends that generated token back to the story that called it. There is a sample action in the storyboard showing how to call the story and then use the generated token in any downstream actions. You can use these sample actions to generate this token in any of your workflows.

  3. Manual credential creation

    This method is not recommended, as the Google Service Account connect flow creates this credential with much less complexity. However, if you need to create this credential set manually, follow the steps below:

    Step 1: Create the JWT credential

    1. Click + New credential, and select JWT

    2. Name the credential google_svc_jwt_token or a unique name of your preference

    3. Select Algorithm RS256.

    4. Understand the payload component of the JWT credential. The fields are described below:

      See a sample JWT payload for a Google service account:

      {
        "iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
        "scope": "https://www.googleapis.com/auth/devstorage.read_only",
        "aud": "https://oauth2.googleapis.com/token",
        "exp": 1328554385,
        "iat": 1328550785
      }

    5. Complete the JWT payload as follows:

      1. iss: The email address of the service account. This is the client_email value in your private JSON key.

      2. sub: The email address of an admin in your domain that has access to manage users and groups. The service account will impersonate this user when performing actions defined in your workflows.

      3. scope: Space-separated list of the scopes authorized for your service account.

        https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user

      4. aud: Insert https://oauth2.googleapis.com/token

    6. Select the Auto generate ‘iat’ (Issued At) & ‘exp’ (Expiration Time) claims checkbox. Tines will automatically add “iat” and “exp” claims to the payload according to when the credential is used.

    7. Copy and paste the private key from your private key file into the Tines credential. This starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----\n

    8. When complete, the credential page should look similar to the below:

    Step 2: Create the HTTP Request credential

    Once the JWT credential is created, you will reference this credential within another HTTP request credential to get the access token needed for your API requests to Google to work.

    1. Confirm you've completed step 1: Create the JWT credential

    2. Click + New credential, and select HTTP Request

    3. Name the credential google or a unique name of your preference

    4. Scroll down and select the button Edit as JSON and copy the below payload in:

      {
        "url": "https://oauth2.googleapis.com/token",
        "content_type": "form",
        "method": "post",
        "payload": {
          "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
          "assertion": "=CREDENTIAL.google_svc_jwt_token"
        }
      }

    5. Select Done

    6. In the Domains field, enter *googleapis.com to restrict this credential to only being used in requests to that domain.

    7. You're not done yet! Select Save for the Credential to save and re-open.

    8. Scroll down and select Run request. This will run the HTTP request and show the results in JSON. If you configured your service account, JWT credential, and HTTP request credential correctly, you will see a 200 status returned.

    9. Copy the path to the access token in the successfully run request and paste the value in the section Location of token from response. This will be referenced each time an action is run in your workflows that calls this credential.

    10. Select Save

    11. You will now reference this HTTP request credential within your requests to Google on the storyboard. Try the Google Admin Console action templates to test this credential in a story. You will note that the templates reference a key CREDENTIAL.google in the authorization headers. If you named your HTTP request credential something different, update this reference for it to run successfully.
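
What the JWT credential (Step 1) and the HTTP Request credential (Step 2) do, reproduced with openssl as an added example. This is not Tines code; the function names and the key.pem path are assumptions made for illustration.

```shell
# Added example, not Tines code. Assumes key.pem holds the "private_key" value
# from the service account JSON and that claim values need no JSON escaping.
TOKEN_URL="https://oauth2.googleapis.com/token"

# base64url without padding, as JWT segments require
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# base64url -> raw bytes (restores the padding openssl expects)
b64url_decode() {
  local s; s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# build_assertion KEY_PEM ISS SUB SCOPE [NOW] -> header.payload.signature
build_assertion() {
  local now header payload sig
  now=${5:-$(date +%s)}
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","scope":"%s","aud":"%s","iat":%d,"exp":%d}' \
    "$2" "$3" "$4" "$TOKEN_URL" "$now" "$((now + 3600))" | b64url)
  sig=$(printf '%s' "$header.$payload" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# jwt_claims JWT -> decoded payload JSON, to review iss/sub/scope/aud before use
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# verify_assertion PUB_PEM JWT -> returns 0 only if the RS256 signature is valid
verify_assertion() {
  local sigfile rc
  sigfile=$(mktemp)
  b64url_decode "$(printf '%s' "$2" | cut -d. -f3)" > "$sigfile"
  if printf '%s' "$2" | cut -d. -f1,2 | tr -d '\n' |
     openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$sigfile"; return "$rc"
}

# The form POST the HTTP Request credential sends (needs network and a real key)
exchange_assertion() {
  curl -s "$TOKEN_URL" \
    -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
    --data-urlencode "assertion=$1"
}
```

Running jwt_claims on an assertion before exchanging it is a quick way to confirm that sub and scope match what was delegated to the service account.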

How to configure the service account in Google

  1. Enable the relevant API library for your service account

    • Go to API Library and select your relevant Google Cloud project in the top left corner.

    • Search for and enable the Admin SDK API.

  2. Create a service account and a key

    • Go to Service Accounts in the Google Cloud Console and select a project if prompted

    • Select Create service account

    • Enter a name for the new account and select Create and continue

    • Select the Service Directory Admin role and select Continue and then Done

    • Click to open the newly created service account and select Keys

    • Select Add key and Create new key

    • Select JSON and select Create

    • Your private key (JSON file) will begin downloading to your computer. Keep this file safe; it contains secret information and cannot be downloaded again

  3. Determine the scopes to assign to your service account. Scopes provide a way to limit the amount of access that is granted to an access token or application. For Google Workspace, you can consider the below scopes:

  4. Authorize the service account

    For Tines to access user data in Google Workspace, a Google Workspace administrator needs to authorize the service account created in the prior steps. This process is known as delegating domain-wide authority.

    • Select Add new

    • In the Client ID field, enter the client ID of your service account. This can be found under the client_id field in the private key file you downloaded and is typically a long number.

    • In the OAuth scopes (comma-delimited) field enter:

      https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user

    • Select Authorize

Read about our connect flows here.

For more on creating credentials in Tines, click here.
You can find a selection of Google stories in the Tines story library.
