
Google Workspace Integration Setup

This guide walks you through setting up a Google Workspace identity integration with RAD Security, allowing you to sync users, groups, and organizational data from Google Workspace. The setup process involves:
  1. Creating a service account in Google Cloud Console
  2. Configuring domain-wide delegation
  3. Downloading and extracting service account credentials
  4. Configuring the integration in RAD Security

Prerequisites

Before you begin, ensure you have:

Required Permissions

The Google Workspace account used for domain-wide delegation must have the following permissions:
  • Manage customer > Read customer
  • Manage customer > Read customer > Read customer branding settings
  • Manage customer > Read customer > Read customer contact info
  • Manage customer > Read customer > Read customer onboard settings
  • Manage customer > Read customer > Read customer profile settings
  • Manage customer > Read customer > Read customer support settings
  • Manage customer > Read customer > Read customer timezone settings
  • Groups
  • Groups > Create
  • Groups > Delete
  • Groups > Read
  • Groups > Update
  • Users > Create
  • Users > Delete
  • Users > Read
  • Users > Update
  • Users > Update > Add/Remove Aliases
  • Users > Update > Force Password Change
  • Users > Update > Move Users
  • Users > Update > Rename Users
  • Users > Update > Reset Password
  • Users > Update > Suspend Users
  • Organization Units > Read

Step 1: Create Service Account and Configure Domain-Wide Delegation

1. Access Google Cloud Console

Navigate to the Google Cloud Console and select or create a project.

2. Enable Admin SDK API

The Cloud Console project will need to have access to the Admin SDK API. If you are using an existing project and need to enable access to the Admin SDK API, you can use this page to do so.
  1. Go to APIs & Services > Library
  2. Search for “Admin SDK API”
  3. Click Enable

3. Create Service Account and Set Up Domain-Wide Delegation

Follow this Google guide to set up the service account and configure domain-wide delegation in Google Workspace.
This guide covers both creating the service account in Google Cloud Console and setting up domain-wide delegation in Google Workspace Admin Console.

4. Add OAuth Scopes

When configuring domain-wide delegation, you’ll need to add OAuth scopes. Use the following comma-separated list:
https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly
  • cloud-platform - Access to Google Cloud Platform resources
  • admin.directory.group - Manage groups in your domain
  • admin.directory.user - Manage users in your domain
  • admin.directory.rolemanagement - View and manage role assignments
  • admin.directory.user.security - Manage user security settings
  • admin.reports.audit.readonly - View audit reports
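
An added example (not RAD Security's or Google's code) that checks a pasted scope string against the six scopes listed above and reports omissions, typos, and entries that are not read-only by name, so they can be reviewed against the least-privilege practice at the end of this guide. The function name `check_scopes` and the sample string are constructed for illustration.

```python
PREFIX = "https://www.googleapis.com/auth/"
# The six scopes this guide lists for domain-wide delegation.
REQUIRED = {
    "cloud-platform",
    "admin.directory.group",
    "admin.directory.user",
    "admin.directory.rolemanagement",
    "admin.directory.user.security",
    "admin.reports.audit.readonly",
}


def check_scopes(pasted):
    """Compare a comma-separated scope string with the guide's list."""
    granted, malformed = set(), []
    for raw in pasted.split(","):
        item = raw.strip()
        if not item:
            continue
        name = item[len(PREFIX):] if item.startswith(PREFIX) else ""
        if not name or "/" in name or " " in name:
            malformed.append(item)  # wrong scheme/host, trailing slash, stray text
        else:
            granted.add(name)
    return {
        "missing": sorted(REQUIRED - granted),
        "extra": sorted(granted - REQUIRED),
        "malformed": malformed,
        # Name-based heuristic: no ".readonly" suffix, so flag for review.
        "not_readonly": sorted(n for n in granted if not n.endswith(".readonly")),
    }


# Constructed sample: one typo ("users"), one http:// entry, one stray space.
SAMPLE = (
    "https://www.googleapis.com/auth/cloud-platform, "
    "https://www.googleapis.com/auth/admin.directory.group,"
    "https://www.googleapis.com/auth/admin.directory.users,"
    "https://www.googleapis.com/auth/admin.directory.rolemanagement,"
    "http://www.googleapis.com/auth/admin.directory.user.security,"
    "https://www.googleapis.com/auth/admin.reports.audit.readonly"
)

if __name__ == "__main__":
    for key, value in check_scopes(SAMPLE).items():
        print(f"{key}: {value}")
```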

Step 2: Download Service Account Credentials

In the Google Cloud Console, navigate to IAM & Admin > Service Accounts, then select the service account you created in Step 1.

1. Open Keys Tab

Click on the Keys tab for your service account

2. Create New Key

  1. Click Add Key
  2. Select Create new key
  3. Choose JSON format
  4. Click Create
This will create the key and download it automatically.
Protect this key file, as it allows access to your Google Workspace account via delegation. Store it securely and never commit it to version control.

Step 3: Extract Service Account Credentials

Make a note of the following fields from the downloaded key file: client_id, private_key, token_uri, and client_email. Consider the following example key file:
{
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "client_email": "EXAMPLE@EXAMPLE.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/EXAMPLE%40EXAMPLE.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nKEY MATERIAL HERE-----END PRIVATE KEY-----\\n",
  "private_key_id": "1234567890",
  "project_id": "example-project-id",
  "token_uri": "https://oauth2.googleapis.com/token",
  "type": "service_account",
  "universe_domain": "googleapis.com"
}
In this example:
  • client_id is 1234567890
  • private_key is -----BEGIN PRIVATE KEY-----\\nKEY MATERIAL HERE-----END PRIVATE KEY-----\\n
  • token_uri is https://oauth2.googleapis.com/token
  • client_email is EXAMPLE@EXAMPLE.iam.gserviceaccount.com
Copy the private key exactly as it appears in the JSON file. This includes the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- markers, as well as the \n characters (shown as \\n in the JSON). Do not modify or reformat the key.
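
An added example (not part of the RAD Security documentation) that pulls the four fields out of a downloaded key file and reports the problems this guide warns about: a key file readable by other users, missing fields, and a private key whose markers or newlines were damaged. The names `inspect_key_file` and `write_sample` are hypothetical, the key material is constructed and not a real key, and the permission check assumes a POSIX file system.

```python
import json
import os
import re
import stat

FIELDS = ("client_id", "private_key", "token_uri", "client_email")
# Expected shape: BEGIN line, base64 body lines, END line.
PEM = re.compile(
    r"-----BEGIN PRIVATE KEY-----\n([A-Za-z0-9+/=\n]+)-----END PRIVATE KEY-----\n?"
)
# Constructed placeholder, not a real key.
GOOD_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def inspect_key_file(path):
    """Return (fields, problems); never log or print fields["private_key"]."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:03o}: readable beyond owner, chmod 600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if data.get("type") != "service_account":
        problems.append("type is not service_account")
    fields = {name: data.get(name, "") for name in FIELDS}
    problems += [f"missing field: {n}" for n, v in fields.items() if not v]
    # Accept real newlines and the literal backslash-n form shown in the guide.
    pem = fields["private_key"].replace("\\n", "\n")
    if pem and not PEM.fullmatch(pem):
        problems.append("private_key: BEGIN/END markers or newlines damaged")
    if fields["token_uri"] and not fields["token_uri"].startswith("https://"):
        problems.append("token_uri is not https")
    return fields, problems


def write_sample(path, key, mode):
    """Write a constructed key file (fake key material) with the given mode."""
    doc = {
        "type": "service_account",
        "client_id": "1234567890",
        "client_email": "EXAMPLE@EXAMPLE.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token",
        "private_key": key,
    }
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    os.chmod(path, mode)
```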

Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Google Workspace integration with the following parameters:

Required Parameters

| Parameter | Description | Example |
| --- | --- | --- |
| Client Email | The client_email value from Step 3 | EXAMPLE@EXAMPLE.iam.gserviceaccount.com |
| Client ID | The client_id value from Step 3 | 1234567890 |
| Client Secret | The private_key value from Step 3 (copy entire value including BEGIN/END markers) | -----BEGIN PRIVATE KEY-----\\n... |
| Delegate | Email address of the Google Workspace admin user you’re delegating access to | admin@yourcompany.com |

Important: When copying the client_secret (private key), copy the entire value exactly as it appears in the JSON file, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- markers, as well as the \n characters.
The delegate field should be the email address of a Google Workspace user with the admin permissions listed in the Prerequisites section.

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Integrations in your RAD Security workspace
  2. Locate your Google Workspace integration
  3. Check the connection status shows as Active
  4. Verify users and groups are syncing correctly
Your Google Workspace integration is now configured! RAD Security can now sync users, groups, and organizational data from your Google Workspace domain.

Troubleshooting

  • Verify all credentials are copied exactly, including the complete private key
  • Ensure the delegate email address is correct and has admin permissions
  • Check that the service account has domain-wide delegation enabled
  • Confirm the OAuth scopes were entered correctly
  • Review the permissions on the delegate user account
  • Ensure all required OAuth scopes are granted in domain-wide delegation
  • Verify the Admin SDK API is enabled in your Google Cloud project
  • Check that the delegate user has read access to users and groups
  • Verify the appropriate OAuth scopes are configured
  • Review the integration logs in RAD Security for specific errors
  • Ensure the private key includes the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- markers
  • Copy the entire value including \n characters
  • Don’t modify or reformat the key - use it exactly as it appears in the JSON file

Security Best Practices

Rotate Keys Regularly

Periodically create new service account keys and delete old ones to minimize security risks.

Principle of Least Privilege

Only grant the minimum permissions required for your use case. Disable unused permissions.

Monitor Access

Regularly review audit logs to monitor service account activity and detect anomalies.

Secure Key Storage

Never commit keys to version control. Use secure secret management systems.
