How to Create a Service Account for Google Workspace

25 September 13, 2024

To enable Google Admin Pro (the Zendesk app) to perform administrative actions on your Google Workspace users, such as password resets and group management, you’ll need to create a Service Account in Google Workspace. Follow the steps below to configure a service account specifically for Google Admin Pro.

Prerequisites:

  • Administrative access to your Google Workspace account is required to complete this process.
  • It’s recommended to review Google Workspace best practices for managing service accounts.

Our guide follows the principle of least privilege (PoLP), ensuring that Google Admin Pro is granted only the permissions necessary to perform specific actions on your users and groups. This approach enhances security by limiting exposure to sensitive data and functions.

Step 1 – Create a Google Cloud Project
  1. Log in to the Google Cloud Console using your Google Workspace administrator account.
  2. Click on the Create Project button to open the project creation form.
  3. Choose a project name (e.g., google-admin-pro-zd). You can choose any name that works for your organization.
  4. Once complete, click Create.
  5. After the project is successfully created, navigate to the Notifications panel and click Select Project to access your new project’s settings homepage.
Setting up Google Cloud Project

Step 2 – Enable the Google Admin SDK API
  • On the Project page, scroll down to the Getting Started section and click on Explore and enable APIs.
  • Select Enable APIs and Services at the top of the page.In the search bar, type Admin SDK API and select it from the search results.
  • Click Activate to enable the Admin SDK API for your project.

Step 3 – Setup OAuth Consent Screen
  • From the left-hand menu, select OAuth consent screen.Under User Type, choose Internal and click Create.
  • On the next page, complete the following fields:
    • App Name: Enter a name for your app (e.g., google-admin-pro-zd).
    • User Support Email: Select your organization’s admin from the drop-down menu.
    • Developer Contact Information: Provide an email address, preferably someone from your IT support team.

Step 4- Create Service Account
  • From the left-hand menu, click on Credentials.Under the Service Accounts section, select Manage Service Accounts.
  • Click Create Service Account and fill in the following details:
    • Service Account Name: Enter a name for your app (e.g., google-admin-pro-zd).
    • Service Account ID: This field will be automatically generated by Google.
    • Service Account Description: Add a brief description to inform admins of the purpose of this service account.
  • Click Create and Continue.
  • On the next screen, assign the Editor role.
  • Click Continue, and then click Done to finalize the setup.

Step 5 – Create and download service account credentials
  • Under the Actions column of your service account, click the three-dot (⋮) button and select Manage Keys.
  • Click the Add Key button and choose Create New Key.
  • Select JSON as the Key Type, and click Create.

Step 6 – Create Admin Role in Google Workspace

  • Log in to the Google Workspace Admin Console and use the search bar to find and select Admin Roles.
  • Under Roles, click Create New Role and provide a name and description for the role. This can be customized to suit your organization’s naming conventions.
  • In the Admin API Privileges section, assign the following privileges:
    • User: Read, Update
    • Group: Read, Update
    • Organization Unit: Read
    • User Security Management
  • Review the selected privileges to ensure all are correctly applied for a smooth integration.
  • Once verified, click Create Role to finalize.

Step 7 – Assign Service Account to Admin Role
  • Now that you’ve created an admin role, we need to assign the service account to this role, giving it the necessary privileges to perform tasks on your users through the app.
    • On the Admin Roles page, locate the role you just created.
    • Select Assign service accounts.
    • Go back to the Google Cloud Console, copy the service account email address that was generated earlier.
    • Paste the service account email into the designated field on the Admin Roles page, then click Add.
  • Finally, click Assign Role to complete the process.

Step 8 – Finalize the Zendesk app setup!
  • With the .json service account credentials downloaded, open it using a text editor and copy its contents. You will need to paste this information, along with the domain of your Google Workspace account, during the app’s setup process.
  • Once completed, your app should now be fully functional.
  • If you encounter any issues or have questions, please feel free to contact us at support@saasaid.com.