Skip to main content
Connect to Google Workspace using a service account with domain-wide delegation
This guide walks you through creating a Google Cloud service account and configuring domain-wide delegation to connect to your Google Workspace organization.

Prerequisites

Before you begin, ensure you have:
  • Google Workspace Super Admin access
  • Google Cloud Platform project access (or ability to create one)
  • Your Google Workspace primary domain

Setup guide

Create service account in Google Cloud

1

Access Google Cloud Console

Navigate to the Google Cloud Console and select or create a project for the integration
2

Enable required APIs

Enable the following APIs in your project:
  • Admin SDK API
  • Cloud Identity API
Navigate to APIs & Services > Library and search for each API to enable them
3

Create service account

  1. Go to IAM & Admin > Service Accounts
  2. Click Create Service Account
  3. Enter a name (e.g., “Google Workspace Integration”)
  4. Click Create and Continue
  5. Skip the optional steps and click Done
4

Create service account key

  1. Click on the newly created service account
  2. Go to the Keys tab
  3. Click Add Key > Create new key
  4. Select JSON format
  5. Click Create - the key file will download automatically
Store this JSON key file securely. You’ll need it to configure the integration.
5

Note the client ID

On the service account details page, copy the Client ID (also called “Unique ID”). You’ll need this for domain-wide delegation.

Configure domain-wide delegation

1

Access Google Workspace Admin Console

Navigate to admin.google.com and sign in with your Super Admin account
2

Navigate to API controls

  1. Go to Security > Access and data control > API controls
  2. Scroll to Domain-wide delegation
  3. Click Manage Domain Wide Delegation
3

Add new API client

  1. Click Add new
  2. Enter the Client ID from your service account
  3. Add the following OAuth scopes (comma-separated):
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.group.member,
https://www.googleapis.com/auth/cloud-platform
  1. Click Authorize
4

Verify delegation

Confirm the service account appears in the list of authorized API clients with all required scopes

Add integration

1

Navigate to integrations

  1. Go to Settings > Integrations
  2. Find Google Workspace in the Software Access section
2

Select Google Workspace

Click Connect on the Google Workspace integration card
3

Configure service account credentials

Provide the following information from your service account JSON key file:
serviceAccountClientId
string
required
The unique 21-digit client ID for your service account (found in Google Cloud Console)
privateKey
string
required
The private key from your service account JSON key file (PEM format). Download from Google Cloud Console > IAM & Admin > Service Accounts
serviceAccountKeyId
string
required
The key ID for your service account key (found in Google Cloud Console > IAM & Admin > Service Accounts > Keys)
serviceAccountEmail
string
required
The email address from your service account JSON key file (client_email field)
4

Enter workspace details

Provide the following information:
primaryDomain
string
required
Your Google Workspace primary domain (e.g., company.com)
adminEmail
string
required
Email address of a Google Workspace admin user. Required for domain-wide delegation to access user and group data.
This admin must have User Management Admin role or equivalent permissions
5

Complete setup

Click Connect to complete the integration. This will:
  1. Validate the service account credentials
  2. Test API connectivity
  3. Begin initial sync of users, groups, and applications

Troubleshooting

Cause: Service account key is invalid or expired.Solution:
  • Verify the JSON key file is correct and not corrupted
  • Ensure the service account still exists in Google Cloud
  • Create a new key if the current one is expired
Cause: Domain-wide delegation not configured or missing scopesSolution:
  • Verify all required OAuth scopes are authorized in Google Workspace Admin Console
  • Ensure the admin email has User Management Admin role
  • Check that domain-wide delegation is enabled for the service account
Cause: Incorrect domain or domain not accessibleSolution:
  • Verify the domain matches your Google Workspace primary domain
  • Ensure the domain is active and not suspended
  • Check for typos in the domain name
Cause: Required APIs not enabled in Google Cloud projectSolution:
  • Enable Admin SDK API in Google Cloud Console
  • Enable Cloud Identity API in Google Cloud Console
  • Wait a few minutes for API enablement to propagate

Features

Once connected, you can use Google Workspace actions in workflows:

Google Workspace Actions

Manage user group memberships, create groups, check group membership, and reset MFA/passwords
I