You use a Google service account to connect to your target Google Workspace domain. You set up the target connection in the Google Workspace Migrate platform.
Before you begin
- You don't have to create a new service account. You can use the service account that you set up earlier. Follow the steps below if you want to create a new service account.
- You can create the new service account in a different Google Cloud Console project. If you do, first enable the APIs in the new project. Go to Step 1: Use Google Cloud Console to turn on APIs.
Steps to set up a target connectionStep 1: Create the service account (Optional)
- In the Cloud Console, click IAM & AdminService Accounts. You might have to click Menu first.
- Click Create Service Account.
- Click Service account name and enter a name.
The service account ID is completed automatically.
- (Optional) To add your own description to the service account, click Service account description and enter a description.
- Click Create.
- Service account and user permissions are not required for Google Workspace Migrate. Click ContinueDone to skip these steps.
- Click Service Accounts and select the email address of the service account that you created.
- Click KeysAdd KeyCreate new key.
- Make sure the key type is set to JSON and click Create.
You'll get a message that the service account JSON key file has been created and downloaded to your computer. Make a note of the name of this file because you’ll need it later.
- Click Close.
What happens next?
It can take up to 24 hours to create service accounts. If you lose the name of the key file, repeat these steps to create a new one.
Next, authorize the service account in the Google Admin console. You must complete this step even if you are reusing a service account.
On the Admin console Home page, go to SecurityAPI controls.
- Click Manage Domain Wide Delegation.
- Click Add new and enter your service account client ID.
You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in the Google Cloud Console (click IAM & AdminService accountsyour service account).
Click Client ID and enter your service account client ID.
You can find the service account client ID in the JSON file that you downloaded when you created the service account. Alternatively, you can find the client ID (also known as the Unique ID) in the Google Cloud Console. Click IAM & AdminService accounts and then select your service account.
- In the OAuth scopes field, copy and paste the following scopes:
- Click Authorize.
Select the new client ID, click View details, and make sure every scope is listed.
If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.
Go back to the Google Cloud Console and click Save.
You might see the following error: Client is not authorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
- Repeat step 2 (Authorize the service account) above.
- Make sure you're using the correct client ID. Open the JSON file in a text editor to verify the client IDs match.
- If you still see the error, you might need to wait for the authorization process to finish. It usually takes a few minutes, but can take up to 24 hours.
- In the Google Workspace Migrate platform, click NewConnection.
- Enter a connection name.
- Under Type, select Google Workspace.
- Under Admin email, enter the email address of a super administrator for your target Google Workspace domain.
- Under Account, click Add new account.
- Under Service certificate, click Upload file, navigate to the downloaded JSON private key, and click Open. Or, drag the JSON file to the box.
- Click Create.