Ensure that your Google Workspace account has Admin or Owner privileges.

If you’ve been directed to StackOne to integrate with Google Workspace, the following steps will help you understand the process and any necessary actions to configure a successful integration.

Log in to Google Workspace

Log in to your Google Workspace Admin at https://admin.google.com/login

Log in

Get your Google Workspace Domain

Each connection will be associated with a single Google Workspace domain. If you wish to connect multiple domains, create a connection for each domain.

1

Navigate to Domains List

In the left navigation menu, click Account > Domains > Manage domains

Navigate to Domains List
2

Copy Your Domain

Copy the Domain you wish to connect from the displayed list. Store this to be used in later steps.

Copy Your Domain

Enable the Admin SDK API

Google requires manually enabling APIs for your account. The Admin SDK API provides the underlying endpoints for this IAM connection.

1

Go to Your Google Cloud Console

Go to your Google Cloud Console at https://console.cloud.google.com/

Navigate to the Google Cloud Console
2

Navigate to the API Library

In the left navigation menu, click APIs & Services > Library

Navigate to the API Library
3

Locate the Admin SDK API

Using the search bar, enter a search for “admin sdk”. Click the Admin SDK API result.

Locate the Admin SDK API
4

Enable the Admin SDK API

Click the Enable button to enable the Admin SDK API for your organization.

Enable the Admin SDK API

Create New OAuth Client Credentials

This connection will authenticate on behalf of a registered OAuth Client in Google Workspace.

1

Navigate to Admin SDK API Credentials

In the Admin SDK API Manage page, scroll down to click Credentials.

Navigate to Admin SDK API Credentials
2

Create New OAuth Client ID

Under Credentials, click Create Credentials > OAuth client ID

Create New OAuth Client ID
3

Enter Application Details

Under Create OAuth client ID, enter the following details:

  • Application type: Web application
  • Name: Enter a name for the new application
  • Authorized redirect URIs: https://api.stackone.com/connect/oauth2/googleworkspace_iam/callback

Then click the Create button at the bottom to proceed.

Enter Application Details
Enter Redirect URI
4

Copy Application Credentials

The new application’s Client ID and Client Secret will be displayed. Copy these values and store them securely to be used in the next step.

Copy Application Credentials

Google requires configuring a consent screen to be displayed when granting application access to your account.

1

Go to OAuth Consent Screen Setup

After enabling the Admin SDK API, click APIs & Services > OAuth consent screen in the left navigation menu.

Go to OAuth Consent Screen Setup
2

Select User Type

Under User Type select Internal, then click the Create button.

Select User Type
3

Enter Application Information

Under Edit app registration, enter the following required details:

App information

  • App name: Enter a name for the new application
  • User support email: Your Google Workspace account email

Authorized domains

  • Authorized domain 1: Enter the Domain you copied in a previous step. Example: my-org.com

Developer contact information

  • Email addresses: Your Google Workspace account email

Then click the Save and Continue button to proceed.

Enter Application Information
4

Select Required Application Scopes

Click the Add or Remove Scopes button, and a popout window will appear on the right titled Update selected scopes.

Add Scopes Button

Enable the following scopes which are required for full functionality of this integration:

  • https://www.googleapis.com/auth/admin.directory.group.readonly
  • https://www.googleapis.com/auth/admin.directory.group.member.readonly
  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.directory.orgunit.readonly
  • https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

You can copy and paste each scope into the Filter bar to quickly locate them.

Select Scopes

Once all five scopes have been enabled, click the Update button to proceed.

Update Scopes Button
5

Complete Scope Selection

Confirm that each of the required scopes is listed under Your sensitive scopes.

Then click the Save and Continue button to proceed.

Complete Scope Selection

Connecting with StackOne

1

Enter Credentials

Upon reaching the Link Account page, enter the credentials from the previous steps:

  • Domain
  • Client ID
  • Client Secret
  • Scopes - If you selected only the required scopes in the previous steps, leave the default value for this field. Otherwise, enter the space-separated list of scopes granted to your application.

Proceed by clicking the Connect button.

Enter Credentials
2

Grant OAuth Application Consent

A window will appear and may prompt you to log in to your Google Workspace account.

After logging in, you will be displayed the OAuth consent screen you configured in a previous step.

Click the Allow button to grant the application access to your Google Workspace account.

Grant OAuth Application Consent

Congratulations, you’re all set! If you face any issues with the steps mentioned above, please contact us by emailing integrations@stackone.com. We’re always here to assist you!

Available data

This integration has the following IAM Resources available from the provider:

  • Users
  • Groups
  • Roles