googleadmin
Google Workspace identity services.
total methods: 139
total selectable resources: 25
See also: [SHOW] [DESCRIBE] [REGISTRY]
Installation
To pull the latest version of the googleadmin provider, run the following command:
REGISTRY PULL googleadmin;
To view previous provider versions or to pull a specific provider version, see here.
Authentication
The following authentication methods are supported:
service_account (using a Google Cloud service account)
for more information on creating service accounts and key files, see .
Setup instructions
To authorize a Google Cloud service account for use in the Admin SDK, follow the instructions provided here:
1. Create a Service Account (from the Google Cloud Console)
- Create a Google Cloud service account (see Service accounts overview).
- Download the JSON key file for the service account (see Service account keys).
- From the Google Cloud Console, locate and select the service account created, go to "Details" > "Advanced settings" > "Domain-wide delegation".
- Copy the "Client ID" of the service account to the clipboard.
- Click the "VIEW GOOGLE WORKSPACE ADMIN CONSOLE" link. This will open the Google Workspace Admin Console in a new tab.
2. Enable the Admin SDK API for your project (from the Google Cloud Console)
- From the Google Cloud Console, in the same project that you created the Service Account in step 1, go to "APIs & Services" > "Library".
- Search for "Admin SDK API" and click on it.
- Click "Enable".
3. Delegate Domain-Wide Authority to your Service Account (from the Google Workspace Admin Console)
- From the Google Workspace Admin Console, go to "Security" > "Access and data control" > "API Controls" > "Domain-wide delegation" > "MANAGE DOMAIN-WIDE DELEGATION".
- Click "Add new" and paste the "Client ID" of the service account copied to the clipboard in step 1.
- In the "OAuth scopes" field, enter the following scopes: https://www.googleapis.com/auth/cloud-platform and https://www.googleapis.com/auth/admin.directory.user.readonly.
- Click "Authorise".
4. Assign the Admin role to your Service Account (from the Google Workspace Admin Console)
- From the Google Workspace Admin Console, go to "Account" > "Admin roles" > "User Management" > "Admins" > "Assign service accounts".
- Add the email of the service account created in step 1 and click "Assign Role". For more information, see Assigning a role to a service account.
Service Account Environment Variable (default)
The following system environment variable is used by default:
GOOGLE_CREDENTIALS - contents of the google service account key JSON file
This variable is sourced at runtime (from the local machine, using export GOOGLE_CREDENTIALS=$(cat creds/my-sa-key.json) for example, or as a CI variable/secret).
Specifying the service account key file location directly
You can specify the path to the service account key file without using the default environment variable by using the --auth flag of the stackql program. For example:
AUTH='{ "google": { "type": "service_account", "credentialsfilepath": "creds/sa-key.json" }}'
stackql shell --auth="${AUTH}"
or using PowerShell:
$Auth = "{ 'google': { 'type': 'service_account', 'credentialsfilepath': 'creds/sa-key.json' }}"
stackql.exe shell --auth=$Auth
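A pre-flight check for the key file before it is exported into GOOGLE_CREDENTIALS or passed via --auth, shown as an added example that is not part of the StackQL provider or its documentation. It flags a key file readable by group/other on POSIX systems and returns the client_id and client_email so they can be compared with the Client ID entered for domain-wide delegation in step 3 and the account assigned in step 4. The sample key and its values are constructed placeholders.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("type", "client_id", "client_email", "private_key")

def check_sa_key(path):
    """Return (summary, problems) for the service account key file at path."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the private key
        problems.append(f"file mode {mode:03o} is accessible to group/other")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except json.JSONDecodeError as exc:
        return {}, problems + [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return {}, problems + ["top-level JSON value is not an object"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    elif key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    # Return only non-secret identifiers; the private key is never echoed.
    summary = {k: key.get(k) for k in ("client_id", "client_email")}
    return summary, problems

def demo():
    sample = {  # constructed placeholder values, not a real credential
        "type": "service_account",
        "client_id": "100000000000000000000",
        "client_email": "stackql-admin@example-project.iam.gserviceaccount.com",
        "private_key": "PLACEHOLDER",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sa-key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # readable by group/other: should be flagged
        loose = check_sa_key(path)
        os.chmod(path, 0o600)  # owner-only: should pass
        tight = check_sa_key(path)
    return loose, tight

if __name__ == "__main__":
    for summary, problems in demo():
        print(summary, problems or "OK")
```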