---
title: Authorize the service account
slug: '3369'
canonical_url: https://docs.coveo.com/en/3369/
collection: index-content
source_format: adoc
---
# Authorize the service account

To authorize Coveo to access your Google content, you must perform a Google Workspace domain-wide delegation of authority to the [service account you created](https://docs.coveo.com/en/3365/).

## Important: Your service account will _not_ have super administrator privileges

There's sometimes confusion around the process of granting domain-wide delegation of authority to a service account, which you're about to undertake.
Rest assured, this section will clarify the process for you.
It's important to understand that the service account you're setting up — which your Google Drive source will use to crawl Google Drive content — will _not_ have super administrator privileges.

Super administrator privileges are only required for granting domain-wide delegation of authority to the service account.
To ensure security best practices, [Google requires that a super administrator account be used to _set up_ domain-wide delegation](https://support.google.com/a/answer/162106?sjid=15314587957071066350-NC#zippy=%2Cset-up-domain-wide-delegation-for-a-client), reflecting the level of access and control domain-wide delegation provides.
As part of the domain-wide delegation setup, _you_ (the signed-in super administrator) will specify the privileges of the service account, by granting it [OAuth scopes](https://developers.google.com/identity/protocols/oauth2/scopes) in the [**Add a new client ID**](#add-scopes) panel.
These scopes, are:

* Read-only.

* Strictly limited to the minimum amount of resources required for Coveo to access all user content and permissions it needs.

Without domain-wide delegation, the Google Drive source would only access content directly associated with the service account, which is insufficient for comprehensive indexing and secure, organization-wide search functionality.

## Authorize your service account client ID

. Access the [Google Workspace Admin Console](http://admin.google.com/) with a super administrator account.
Super administrator privileges are required for domain-wide delegation, which you'll configure later on.

. In the main menu, select [**Apps** > **Google Workspace** > **Service status**](https://admin.google.com/ac/appslist/core).

![Access the Service Status section | Coveo](https://docs.coveo.com/en/assets/images/index-content/service-status.png)

. In the **Services** list, ensure that the status for **Drive and Docs** is set to **On for everyone**.

. In the main menu, select [**Security** > **Access and data control** > **API controls**](https://admin.google.com/ac/owl).

![Access the API controls section | Coveo](https://docs.coveo.com/en/assets/images/index-content/api-controls.png)

. In the **Domain wide delegation** pane, click [**Manage Domain Wide Delegation**](https://admin.google.com/ac/owl/domainwidedelegation).

. Click **Add new**.

![Add new client ID for domain-wide delegation | Coveo](https://docs.coveo.com/en/assets/images/index-content/add-new-client-id.png)

. In the **Add a new client ID** panel, configure your new API client.

.. Enter the **Client ID** associated with your project's service account.

> **Note**
>
> You can get your project's client ID from the project's service account page of the [Google Cloud Console](https://console.developers.google.com/project).


.. Copy the [list of comma-delimited scopes](#important-your-service-account-will-not-have-super-administrator-privileges) below and paste it into the **OAuth scopes** field.

```
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly
```

.. Click **Authorize**. The new client ID appears at the top of the **API clients** list.

![Authorize client ID and scopes | Coveo](https://docs.coveo.com/en/assets/images/index-content/authorize-client-id-and-scopes.png)

## What's next?

In the [Coveo Administration Console](https://docs.coveo.com/en/183/), [add a Google Drive source](https://docs.coveo.com/en/1531/).