Manually create a service account

(Recommended) To use a script to create a service account, go to Create a Google Workspace service account

You need to create a service account when you’re setting up Google Workspace Migrate. If you don’t use a script, follow these steps to manually create a service account.

Steps to create the service account

Expand all  |  Collapse all

Step 1: Use the Google Cloud to turn on APIs
  1. Go to Google Cloud and sign in as a Google Workspace super administrator. If this is your first time signing in to the console, agree to the Terms of Service.
  2. Click IAM & Adminand thenManage Resources. You might have to click Menu "" first.
  3. At the top, click Create Project.
  4. Enter a project name and click Create.
  5. Check the box next to your new project. 
  6. Click APIs & Servicesand thenLibrary. You might have to click Menu "" first.
  7. For each API you require (below), click the API name and then Enable.

    Tip: If you can't find the API, specify the API name in the search box.

    • Admin SDK
    • Contacts API
    • Google Workspace Migrate API
    • Gmail API
    • Google Calendar API
    • Google Drive API
    • Groups Migration API
    • Groups Settings API
    • Google Sheets API
    • Tasks API
  8. Repeat steps 7, as required.

(Optional) Enable APIs using the command line

You can enable the APIs using the gcloud command-line tool.

  1. In a browser window, open the Cloud Shell Editor.
  2. In the gcloud command-line tool, enter:

    gcloud services enable admin.googleapis.com contacts.googleapis.com \
    migrate.googleapis.com gmail.googleapis.com calendar-json.googleapis.com \
    drive.googleapis.com groupsmigration.googleapis.com \
    groupssettings.googleapis.com sheets.googleapis.com tasks.googleapis.com

For details, go to gcloud services enable.

Step 2: Create the service account in the Cloud Console
  1. In Google Cloud, click IAM & Adminand thenService Accounts. You might have to click Menu "" first.
  2. Click Create Service Account.
  3. For Service account name, enter a name.

    The service account ID is completed automatically.

  4. (Optional) To add your own description to the service account, click Service account description and enter a description.
  5. Click Create and Continue.
  6. Service account and user permissions are not required for Google Workspace Migrate.

    Click Done to skip these steps.

  7. Select the email address of the service account that you created.
  8. At the top, click Keysand thenAdd Keyand thenCreate new key.
  9. Make sure the key type is set to JSON and click Create.

    You'll get a message that the service account JSON key file has been created and downloaded to your computer. Make a note of the name of this file because you’ll need it later.

  10. Click Close.

What happens next? 

It can take up to 24 hours to create service accounts. If you lose the name of the key file, repeat these steps to create a new one.

Step 3: Authorize your client ID

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Securityand thenAPI controls.
  3. Click Manage Domain Wide Delegation.
  4. Click Add new and enter your service account client ID.

    You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in Google Cloud (click IAM & Adminand thenService accountsand thenthe name of your service account).

    Note: Make sure you use the service account client ID, not the OAuth Web client ID.

  5. Click OAuth scopes and enter the following list of scopes, separated by commas (you can copy the list):

    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.customer.readonly,
    https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
    https://www.googleapis.com/auth/userinfo.email,
    https://www.googleapis.com/auth/migrate.deployment.interop

  6. Click Authorize.
  7. Point to the new client ID, click View details, and make sure every scope is listed.

    If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

If you get an error, the client ID might not be registered with Google or there could be duplicate or unsupported scopes. Google Workspace Migrate should be available for use within an hour, but might take up to 24 hours.

Next step

Create the OAuth Web client ID

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
false