Authorize the service account
To authorize Coveo to access your Google content, you must perform a Google Workspace domain-wide delegation of authority to the service account you created.
Important: Your service account will not have super administrator privileges
There’s sometimes confusion around the process of granting domain-wide delegation of authority to a service account, which you’re about to undertake. Rest assured, this section will clarify the process for you. It’s important to understand that the service account you’re setting up — which your Google Drive source will use to crawl Google Drive content — will not have super administrator privileges.
Super administrator privileges are only required for granting domain-wide delegation of authority to the service account. To ensure security best practices, Google requires that a super administrator account be used to set up domain-wide delegation, reflecting the level of access and control domain-wide delegation provides. As part of the domain-wide delegation setup, you (the signed-in super administrator) will specify the privileges of the service account by granting it OAuth scopes in the Add a new client ID panel. These scopes are:
- Read-only.
- Strictly limited to the minimum amount of resources required for Coveo to access all user content and permissions it needs.
Without domain-wide delegation, the Google Drive source would only access content directly associated with the service account, which is insufficient for comprehensive indexing and secure, organization-wide search functionality.
Authorize your service account client ID
- Access the Google Workspace Admin Console with a super administrator account. Super administrator privileges are required for domain-wide delegation, which you’ll configure later on.
- In the main menu, select Apps > Google Workspace > Service status.
- In the Services list, ensure that the status for Drive and Docs is set to On for everyone.
- In the main menu, select Security > Access and data control > API controls.
- In the Domain wide delegation pane, click Manage Domain Wide Delegation.
- Click Add new.
- In the Add a new client ID panel, configure your new API client.
- Enter the Client ID associated with your project’s service account.
  Note: You can get your project’s client ID from the project’s service account page of the Google Cloud Console.
- Copy the list of comma-delimited scopes below and paste it into the OAuth scopes field.
  https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly
- Click Authorize. The new client ID appears at the top of the API clients list.
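To confirm that a delegation entry grants exactly the four scopes listed above and nothing broader, an administrator can run the value of the OAuth scopes field through a check like the following. This is an added example, not Coveo's or Google's code; the function names and the SAMPLE_FIELD value are constructed for illustration.

```python
from urllib.parse import urlparse

# The four scopes listed in the procedure above.
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
})

# Constructed sample: the group scope is missing and full Drive access was added.
SAMPLE_FIELD = (
    "https://www.googleapis.com/auth/drive.readonly, "
    "https://www.googleapis.com/auth/userinfo.email,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/drive"
)

def parse_scopes(field):
    """Split the comma-delimited field; trim, drop blanks and duplicates, keep order."""
    scopes = [part.strip() for part in field.replace("\n", ",").split(",")]
    return list(dict.fromkeys(s for s in scopes if s))

def is_google_scope_url(scope):
    """True for https://www.googleapis.com/auth/<name> style scope URLs."""
    url = urlparse(scope)
    return (url.scheme == "https" and url.netloc == "www.googleapis.com"
            and url.path.startswith("/auth/") and len(url.path) > len("/auth/"))

def audit_scopes(field):
    """Compare the granted scopes with the documented set and report differences."""
    granted = parse_scopes(field)
    malformed = [s for s in granted if not is_google_scope_url(s)]
    extra = [s for s in granted if s not in EXPECTED_SCOPES and s not in malformed]
    return {
        "missing": sorted(EXPECTED_SCOPES - set(granted)),
        "extra": extra,
        # Heuristic: an extra scope without the .readonly suffix deserves review first.
        "extra_not_readonly": [s for s in extra if not s.endswith(".readonly")],
        "malformed": malformed,
    }

def matches_documented_scopes(field):
    """True only when the field grants exactly the documented scopes."""
    return not any(audit_scopes(field).values())

if __name__ == "__main__":
    for key, values in audit_scopes(SAMPLE_FIELD).items():
        print(f"{key}: {values}")
```

An empty report means the entry matches the documented scopes; any entry under extra or missing is a reason to review the delegation in the Admin Console.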