Google Workspace is a suite of cloud-based productivity and collaboration tools offered by Google, formerly known as G Suite. It includes applications such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, and more.
A Google service account is a special kind of account used by an application, rather than a person. You can use a service account to access data or perform actions as the robot account itself, or to access data on behalf of Google Workspace users. For more information, see understanding service accounts.
This guide walks you through configuring a service account and the corresponding Tines credential for Google Workspace.
Create a Google credential in Tines
There are 3 ways to create your Google credential in Tines:
Google Service Account connect flow (recommended)
This connect flow guides you through creating your service account and creates a Google credential for you. It is currently not supported for self-hosted tenants. See How to configure the service account in Google for specifics on scopes and roles for your service account with Google Workspace.
Navigate to the team that will be using the API and click Credentials
Click + New Credential and select Google Service Account and follow the prompts to connect.
Actions on the storyboard
If you will be impersonating other users at a rapid rate as part of your Tines workflow, it may be preferable to generate this credential as part of the workflow via actions on the storyboard. While you can update the user input in a credential, doing so may lead to race conditions if multiple requests update the credential at the same time. Hence, many users opt to create the token needed in each story run, avoiding race conditions.
Follow the steps to configure a service account in Google
Save the service account email as a resource in Tines:
Save the private key generated as a text credential in Tines:
Navigate to the team that will be using the API and click Credentials
Click + New credential, and select Text
Name the credential google_svc_key, select Preserve newline characters and paste the private key from your generated JSON file into the value. This starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----\n
Select Save.
Import this story to your tenant. This is a Send to Story that generates a token and sends that generated token back to the story that called it. There is a sample action in the storyboard showing how to call the story and then use the generated token in any downstream actions. You can use these sample actions to then generate this token in any of your workflows.
Manual credential creation
This method is not recommended, as the Google Service Account connect flow creates this credential with much less complexity. However, if you need to create this credential set manually, follow the steps below:
Step 1: Create the JWT credential
Follow the steps to configure a service account in Google
Click + New credential, and select JWT
Name the credential google_svc_jwt_token or a unique name of your preference
Select Algorithm RS256.
Understand the payload component of the JWT credential. The fields are described below:
See a sample JWT payload for a Google service account:
{
  "iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
  "scope": "https://www.googleapis.com/auth/devstorage.read_only",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": 1328554385,
  "iat": 1328550785
}
Complete the JWT payload as follows:
iss: The email address of the service account. This is the client_email value in your private JSON key.
sub: The email address of an admin in your domain that has access to manage users and groups. The service account will impersonate this user when performing actions defined in your workflows.
scope: Space-separated list of the scopes authorized for your service account.
https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user
aud: Insert https://oauth2.googleapis.com/token
Select the Auto generate ‘iat’ (Issued At) & ‘exp’ (Expiration Time) claims checkbox. Tines will automatically add “iat” and “exp” claims to the payload according to when the credential is used.
Copy and paste the private key from your private key file into the Tines credential. This starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----\n
When complete, the credential page should look similar to the below:
Step 2: Create the HTTP Request credential
Once the JWT credential is created, you will reference this credential within another HTTP request credential to get the access token needed for your API requests to Google to work.
Confirm you've completed step 1: Create the JWT credential
Click + New credential, and select HTTP Request
Name the credential google or a unique name of your preference
Scroll down and select the button Edit as JSON and copy the below payload in:
{
  "url": "https://oauth2.googleapis.com/token",
  "content_type": "form",
  "method": "post",
  "payload": {
    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion": "=CREDENTIAL.google_svc_jwt_token"
  }
}
Select Done
In the Domains field, enter *googleapis.com to restrict this credential to only being used in requests to that domain.
You're not done yet! Select Save to save the credential, then re-open it.
Scroll down and select Run request. This will run the HTTP request and show the results in JSON. If you configured your service account, JWT credential, and HTTP request credential correctly, you will see a 200 status returned.
Copy the path to the access token in the successfully run request and paste the value in the section Location of token from response. This will be referenced each time an action is run in your workflows that calls this credential.
Select Save
You will now reference this HTTP request credential within your requests to Google on the storyboard. Try the Google Admin Console action templates to test this credential in a story. You will note that the templates reference a key CREDENTIAL.google in the authorization headers. If you named your HTTP request credential something different, update this reference for it to run successfully.
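A pre-flight check for the Step 1 JWT payload and key file, added here as an example; it is not part of Tines or Google tooling. It catches the mistakes this setup invites: comma-separated scopes copied from the admin console field, a missing sub, a wrong aud, or an over-long lifetime. The function names, the sample key file values and admin@example.com are constructed; the one-hour cap on exp is Google's documented limit for service account assertions.

```python
import json

TOKEN_URL = "https://oauth2.googleapis.com/token"  # "aud" value given in this guide
MAX_LIFETIME = 3600  # Google allows exp at most one hour after iat

# Constructed stand-in for the downloaded JSON key file (placeholder values only).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "client_email": "tines-example@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

def build_claims(key_file_text, subject, scopes, now, lifetime=MAX_LIFETIME):
    """Assemble the full claim set from the key file and the delegated admin."""
    key = json.loads(key_file_text)
    return {"iss": key["client_email"], "sub": subject, "scope": " ".join(scopes),
            "aud": TOKEN_URL, "iat": now, "exp": now + lifetime}

def check_claims(claims, key_file_text):
    """Return the problems found in a claim set; an empty list means it passed."""
    key = json.loads(key_file_text)
    problems = []
    if claims.get("iss") != key.get("client_email"):
        problems.append("iss must equal client_email from the key file")
    if claims.get("aud") != TOKEN_URL:
        problems.append("aud must be " + TOKEN_URL)
    scope = claims.get("scope", "")
    if not scope or "," in scope:
        # The admin console field is comma-delimited; the JWT claim is not.
        problems.append("scope must be a non-empty, space-separated list")
    if not claims.get("sub"):
        problems.append("no sub: token would act as the service account itself")
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None or not 0 < exp - iat <= MAX_LIFETIME:
        problems.append("exp must be after iat and at most 3600 seconds later")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----\n")
            and pem.endswith("-----END PRIVATE KEY-----\n")):
        problems.append("private_key lost its PEM markers or newlines")
    return problems

if __name__ == "__main__":
    scopes = ["https://www.googleapis.com/auth/admin.directory.group",
              "https://www.googleapis.com/auth/admin.directory.user"]
    claims = build_claims(SAMPLE_KEY_FILE, "admin@example.com", scopes, now=1700000000)
    print(json.dumps(claims, indent=2), check_claims(claims, SAMPLE_KEY_FILE))
```

When Tines auto-generates iat and exp, those two claims are absent from the payload you type, so run the check on the full claim set as it would be sent.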
Enable the relevant API library for your service account
Go to API Library and select your relevant Google Cloud project in the top left corner.
Search for and enable the Admin SDK API.
Create a service account and a key
Go to Service Accounts in the Google Cloud Console and select a project if prompted
Select Create service account
Enter a name for the new account and select Create and continue
Select the Service Directory Admin role and select Continue and then Done
Click to open the newly created service account and select Keys
Select Add key and Create new key
Select JSON and select Create
Your private key (JSON file) will begin downloading to your computer. Keep this file safe; it contains secret information and cannot be downloaded again.
Determine the scopes to assign to your service account. Scopes provide a way to limit the amount of access that is granted to an access token or application. For Google Workspace, you can consider the below scopes:
A full list of OAuth 2.0 Scopes for Google APIs is available here.
Authorize the service account
For Tines to access user data in Google Workspace, a Google Workspace administrator needs to authorize the service account created in the prior steps. This process is known as delegating domain-wide authority.
Select Add new
In the Client ID field, enter the client ID of your service account. This can be found under the client_id field in the private key file you downloaded and is typically a long number.
In the OAuth scopes (comma-delimited) field enter:
https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user
Select Authorize
Read about our connect flows here.
For more on creating credentials in Tines, click here.
You can find a selection of Google stories in the Tines story library.