Set up Google service accounts

A service account is a special type of Google account. It represents a non-human user that needs to authenticate and be authorized to access data in the Google APIs.

Note

🔍 Service accounts are supported for Google Calendar only.

This page describes how to set up a service account and authorize end users.

Create a service account

Follow these steps to create a Google service account:

1. From the Google Cloud Platform dashboard, navigate to IAM & admin > Service Accounts.
2. Select your project and click Create service account.
3. Enter a name, ID, and description for the Service Account.
4. Click Create and continue.
5. (Optional) Grant the service account access to your GCP app.
6. (Optional) Grant end users access to the service account.
7. Click Done.

(Optional) Create a service account key

Follow these steps to create a key for your Google service account:

1. From the Google Cloud Platform dashboard, navigate to IAM & admin > Service Accounts.
2. Select the service account that you want to create a key for.
3. Navigate to the Keys tab.
4. Click Add key > Create new key, and select JSON.
5. Click Create. Google creates a key for the service account and automatically downloads it. Be sure to save the key somewhere safe, like a secrets manager. For best practices, see Storing secrets securely.

(Optional) Delegate domain-wide authority

If you choose to delegate domain-wide authority, you’ll need the client ID for your GCP app. You can access it in two ways:

• Using the service account key, if you made one.
• From the Details page for your GCP app.

After you have your client ID, follow these steps to delegate domain-wide authority:

1. From the Google Cloud Platform dashboard, navigate to Security > Access and data control > API controls.

2. In the Domain wide delegation pane, select Manage domain wide delegation.

3. Click Add new.

4. Enter your GCP app’s client ID.

5. Enter the following OAuth scopes:

   https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/admin.directory.user.readonly

6. Click Authorize.

Authenticate end users with a service account

To authenticate an end user with a service account’s credentials, make a Custom Authentication request. Pass the end user’s email_address, and include the service account’s credential_id.

Note

🔍 You must use a real account, not an alias, when authenticating end users with service accounts. The domain names for the service account and the end user’s email address must match. For example, if the Service Account credential is service@example-1.com and the end user’s email address is leyah@example-2.com, the auth process will fail.

curl --request POST \
  --url 'https://api.us.nylas.com/v3/connect/custom' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <NYLAS_API_KEY>' \
  --header 'Content-Type: application/json' \
  --data '{
    "provider": "google",
    "settings":
    {
      "email_address": "user@gmailworkspace.com",
      "credential_id": "e280d2fa-86db-4937-81c9-ffbd539872d6"
    },
    "scope": [
      "https://www.googleapis.com/auth/userinfo.email",
      "https://www.googleapis.com/auth/userinfo.profile"
    ],
    "state": "my-state"
  }'

Currently, you cannot use a service account to bulk authenticate room resources.