Authorize the service account

To authorize Coveo to access your Google content, you must perform a Google Workspace domain-wide delegation of authority to the service account you created.

Important: Your service account will not have super administrator privileges

There’s sometimes confusion around the process of granting domain-wide delegation of authority to a service account, which you’re about to undertake. Rest assured, this section will clarify the process for you. It’s important to understand that the service account you’re setting up — which your Google Drive source will use to crawl Google Drive content — will not have super administrator privileges.

Super administrator privileges are only required for granting domain-wide delegation of authority to the service account. To ensure security best practices, Google requires that a super administrator account be used to set up domain-wide delegation, reflecting the level of access and control domain-wide delegation provides. As part of the domain-wide delegation setup, you (the signed-in super administrator) will specify the privileges of the service account by granting it OAuth scopes in the Add a new client ID panel. These scopes are:

  • Read-only.

  • Strictly limited to the minimum amount of resources required for Coveo to access all user content and permissions it needs.

Without domain-wide delegation, the Google Drive source would only access content directly associated with the service account, which is insufficient for comprehensive indexing and secure, organization-wide search functionality.

Authorize your service account client ID

  1. Access the Google Workspace Admin Console with a super administrator account. Super administrator privileges are required for domain-wide delegation, which you’ll configure later on.

  2. In the main menu, select Apps > Google Workspace > Service status.

  3. In the Services list, ensure that the status for Drive and Docs is set to On for everyone.

  4. In the main menu, select Security > Access and data control > API controls.

  5. In the Domain wide delegation pane, click Manage Domain Wide Delegation.

  6. Click Add new.

  7. In the Add a new client ID panel, configure your new API client.

    1. Enter the Client ID associated with your project’s service account.

      Note

      You can get your project’s client ID from the project’s service account page of the Google Cloud Console.

    2. Copy the list of comma-delimited scopes below and paste it into the OAuth scopes field.

      https://www.googleapis.com/auth/drive.readonly,
      https://www.googleapis.com/auth/userinfo.email,
      https://www.googleapis.com/auth/admin.directory.user.readonly,
      https://www.googleapis.com/auth/admin.directory.group.readonly
    3. Click Authorize. The new client ID appears at the top of the API clients list.

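The following Python check is an added example, not part of Coveo's documentation: it compares a comma-delimited scope string, such as the one pasted into the OAuth scopes field, against the four read-only scopes listed above and reports anything missing or extra. The function names and both sample strings are constructed for illustration.

```python
"""Audit a domain-wide delegation scope string against the scopes on this page."""

# The four scopes this page says to paste into the OAuth scopes field.
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
})

# Constructed sample: the list as shown on the page (newlines, trailing commas).
PAGE_SCOPES = """https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly"""

# Constructed sample: a grant where full Drive access replaced the read-only scope.
DRIFTED_SCOPES = (
    "https://www.googleapis.com/auth/drive, "
    "https://www.googleapis.com/auth/userinfo.email, "
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/admin.directory.group.readonly"
)


def parse_scopes(raw):
    """Split a scope string, tolerating newlines, spaces and trailing commas."""
    return [s.strip() for s in raw.replace("\n", ",").split(",") if s.strip()]


def audit_scopes(raw):
    """Report scopes that are missing from, or extra to, EXPECTED_SCOPES."""
    granted = set(parse_scopes(raw))
    return {
        "missing": sorted(EXPECTED_SCOPES - granted),
        "unexpected": sorted(granted - EXPECTED_SCOPES),
        "ok": granted == EXPECTED_SCOPES,
    }


if __name__ == "__main__":
    for label, raw in (("page", PAGE_SCOPES), ("drifted", DRIFTED_SCOPES)):
        print(label, audit_scopes(raw))
```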