Create a Google Workspace target connection

You use a Google service account to connect to your target Google Workspace domain. You set up the target connection in the Google Workspace Migrate platform. 

Before you begin 

  • You don't have to create a new service account. You can use the service account that you set up earlier. Follow the steps below if you want to create a new service account. 
  • You can create the new service account in a different Google Cloud Console project. If you do, first enable the APIs in the new project. Go to Step 1: Use Google Cloud Console to turn on APIs

Steps to set up a target connection

Open all   |   Close all

Step 1: Create the service account (Optional)
  1. In the Cloud Console, click IAM & Adminand thenService Accounts. You might have to click Menu "" first.
  2. Click Create Service Account.
  3. Click Service account name and enter a name.

    The service account ID is completed automatically.

  4. (Optional) To add your own description to the service account, click Service account description and enter a description.
  5. Click Create.
  6. Service account and user permissions are not required for Google Workspace Migrate. Click Continueand thenDone to skip these steps.
  7. Click Service Accounts and select the email address of the service account that you created.
  8. Click Keysand thenAdd Keyand thenCreate new key.
  9. Make sure the key type is set to JSON and click Create.

    You'll get a message that the service account JSON key file has been created and downloaded to your computer. Make a note of the name of this file because you’ll need it later.

  10. Click Close.

What happens next? 

It can take up to 24 hours to create service accounts. If you lose the name of the key file, repeat these steps to create a new one.

Step 2: Authorize the service account

Next, authorize the service account in the Google Admin console. You must complete this step even if you are reusing a service account. 

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in

  2. On the Admin console Home page, go to Securityand thenAPI controls.
  3. Click Manage Domain Wide Delegation.
  4. Click Add new and enter your service account client ID.

    You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in the Google Cloud Console (click IAM & Adminand thenService accountsand thenyour service account).

  5. Click Client ID and enter your service account client ID.

    You can find the service account client ID in the JSON file that you downloaded when you created the service account. Alternatively, you can find the client ID (also known as the Unique ID) in the Google Cloud Console. Click IAM & Adminand thenService accounts and then select your service account.

  6. In the OAuth scopes field, copy and paste the following scopes:,,,,,,,,,,,,,,,,,,,,,

  7. Click Authorize.
  8. Select the new client ID, click View details, and make sure every scope is listed.

    If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

  9. Go back to the Google Cloud Console and click Save.


You might see the following error: Client is not authorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

To troubleshoot: 

  • Repeat step 2 (Authorize the service account) above. 
  • Make sure you're using the correct client ID. Open the JSON file in a text editor to verify the client IDs match. 
  • If you still see the error, you might need to wait for the authorization process to finish. It usually takes a few minutes, but can take up to 24 hours.
Step 3: Set up the target connection
  1. In the Google Workspace Migrate platform, click Newand thenConnection
  2. Enter a connection name. 
  3. Under Type, select Google Workspace.
  4. Under Admin email, enter the email address of a super administrator for your target Google Workspace domain. 
  5. Under Account, click Add new account.
  6. Under Service certificate, click Upload file, navigate to the downloaded JSON private key, and click Open. Or, drag the JSON file to the box.
  7. Click Create.

Next step

Plan your migration phases for Exchange, SharePoint, file shares, Box, or Google Workspace

Clear search
Close search
Google apps
Main menu
Search Help Center