Skip to main content

Granting Akooda Full Access to Google Workspace via a Service Account

Akooda avatar
Written by Akooda
Updated this week

By default, Akooda can only access Google Workspace resources that are explicitly shared with the integration account. If you prefer broader access, you can grant Akooda permissions to all Google Workspace resources by creating a service account with the necessary scopes.

Important: Even with extended access, Akooda never bypasses user permissions. End users will only be able to retrieve data they are authorized to access.

Before We Begin

  1. Make sure your Akooda integration account on Google has a Super Admin access, and that you are performing all the following steps using this account.

  2. Ensure that the Google Cloud project you will use to create the service account has the necessary permissions to access Google Drive and Calendar. To do this, confirm that the following APIs are enabled in the project:

Setup Guide

Create a Service Account

  1. In the Google Cloud Console, navigate to IAM & Admin → Service Accounts.

  2. Click Create Service Account.

  3. Enter a descriptive name (e.g., akooda-google-integration), then click Create and Continue.

  4. Note the Service Account ID — you'll need it for a later step.

Enable Domain-Wide Delegation

  1. With a Super Admin user, head to the Google Admin.

  2. Navigate to Security → Access and data control → API Controls.

  3. Under Domain Wide Delegation, click Manage Domain-Wide Delegation.

  4. In the API Clients section, click Add New.

  5. Enter the Client ID of the service account you just created.

  6. You will now provide the service account with access scopes. These are all read only, and are the minimal scopes needed for Akooda to access the necessary data across Google Workspace.
    Provide the following read-only scopes (copy and paste as-is):

    https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/calendar.events.readonly, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/spreadsheets.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/drive.readonly

  7. Click Authorize to grant access.

Assign Roles to the Service Account

  1. Return to the IAM & Admin → IAM page in the Google Cloud Console.

  2. Click Grant Access.

  3. Under Add principles, enter the service account email.

  4. Assign the following roles:

    1. Cloud Build Token Accessor

    2. Service Account Token Creator

  5. Click Save.

Create a Service Account Key

  1. Go back to the Service Accounts page.

  2. Locate the account you created and click on it.

  3. Open the Keys tab.

  4. Click Add Key → Create new key.

  5. Choose JSON as the key type and download the key file.

Share the Key with Akooda

  1. head to https://app.akooda.co/settings/apps.

  2. Locate Google Drive and click on Reconnect.

  3. On the bottom of the pop up, you will find a button to upload the key.

Any Feedback?

Was this page helpful? Provide feedback on this article and ways we can improve to [email protected].

Related Articles
Ingestion API Guide
Did this answer your question?