Google Agent Configuration

Section One:

Preparing for Integration

When a customer on Google's G Suite Business tier wishes to use Discover, several steps are required to create the Service Account and Key that the Google Agent for Discover needs to operate.
 

Log in to the Google Admin site using the following link:

 
https://admin.google.com/AdminHome
 

Click on the 'Billing' icon in the dashboard to ensure the client has a G Suite Business account.

 
 

Next, log in to the Google API Developers site by using the following link:

 
https://console.developers.google.com/projectselector2/projectselector2/apis/dashboard?project=&angularJsUrl=true
 

Here, create the Project associated with our Organization. Click on the drop-down box to open the next dialog, then click on the drop-down to select the organization name.

 
 
 

Click on the 'New Project' button:

 
 

On the new project screen, please name the project and click on the 'Create' button:

 
 

NOTE: It will take approximately 15-25 seconds to create the project, indicated by the Google spinning wheel.

Once successfully created, click on the 'Enable APIS and Services' option:

 
 

This lets you add the APIs whose metrics you wish to track. These are the ones the Discover Agent currently tracks to show traffic flow for Google Drive and Gmail.

 
 

Next is the creation of the Service Account that will allow the SAIG Agent to interact with Google Cloud infrastructure.


Click on the menu button next to the 'GoogleAPIs' logo:

 
 

Navigate to 'IAM & admin' --> 'Service accounts':

 
 

Click on the 'Create Service Account' button:

 
 

Add the name of the service account and the description. When finished, click on the 'Create' button:

 
 

After your service account is created, click on the 'Manage Access' link at the top of the page:



In the “Manage Access” pane, make sure the service account has the roles for Editor and Owner:



 

Now click on the service account again, select the three-dot ellipsis in the Actions column and select “Manage Keys”:


Then click on the 'Generate Key' button. Choose the 'P12' radio button and then click 'Create'.



 

NOTE: When you click 'Create', it will prompt you to save the P12 file to the computer. Keep this file in a safe place that is easy to remember; it will be required during the Discover configuration process. Ignore the password box and click close.
 

Click 'Done'

From the left-hand navigation, select the Service Accounts link once more, then scroll down the page to Advanced Settings:


On the Advanced Settings page, click the link to “View Google Workspace Admin Console”:


In the Admin console, click the “Show More” button in the left-hand navigation to locate the Security link:


Click on Security in the left-hand navigation, then open the link for “Access and data control”:


Select API Controls. Make sure the option for Trust Internal Domain-owned apps is checked, then click on the Manage Domain Wide Delegation link:


Make sure the Gimmal account you have created has all of the “Scope” entries shown below. If it does not, click the edit button to add any missing scope.






NOTE: This is the step that generates the 'Client ID' required for permission setup and the Discover Agent.

NOTE: This concludes the setup of the Google service account required to run the Discover Agent. Now we can apply the account credentials to the Agent settings window in section two.
 
 

Section Two:


Google Agent Setup in Discover


Log in to the Google API Developers site by using the following link:

 
https://console.developers.google.com/

Go to the 'Credentials' option on the left-hand side and then click on the account under 'OAuth 2.0 client IDs' (the account name will be different per organization):

 
 

Copy/paste the 'Client ID' into the Google Agent in Discover:

 
 

Once you log in to Discover, navigate to Administration --> Configuration --> Connectors --> check mark the connector --> 'More' button --> Connector Settings.

Click on the 'Google Agent' tab, then scroll down to where you will see the Admin account field. Enter the admin account created when the G Suite account was initially created, then paste the 'Client ID' into the 'Service Account Email' field. Next, click on the 'Browse' button to select the P12 file created in Step 15 of 'Section One'.

 
 

Click the 'Update' button to save changes.

  • Give the connector service a couple of minutes to check back in with the web console.

  • Moving forward, you will be able to create the Owner, Google Drive, and Gmail searches to pull Data Targets into Discover.


Appendix

Troubleshooting Note 1:


Issue

When running a Google Owner search, I receive the following error in the Google Agent Log: 
[07:21:43.5 Jul-23] ERROR: Error while obtaining G Suite users root information
Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.", Uri:""
at Google.Apis.Auth.OAuth2.Requests.TokenRequestExtenstions.<ExecuteAsync>d__0.MoveNext()
— End of stack trace from previous location where exception was thrown —
 
=====================================================================================
 

Solution

Make sure the Service Account used in the Google Agent configuration has 'Owner' rights to the newly created Google project. This is corrected by updating the following:
 

Open the Google API Developers site by using the following link:

 
https://console.developers.google.com/projectselector2/projectselector2/apis/dashboard?project=&angularJsUrl=true
 

Click on the menu button next to the 'GoogleAPIs' logo

Next, click on IAM & admin --> Manage resources:

 
 

Select the project created under the organization.

Click on the vertical three dots button and select the Permissions option.


 

Select the Service Account and click on the pencil icon to edit the account.

 
 

Click on the Role dropdown arrow --> select Project --> then select Owner.

 
 

When finished, click on the 'Save' button.

 
 

Run the Google Owner search again.
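
To confirm outside the console that the Service Account holds the roles this guide assigns (Editor and Owner in Section One, Owner in this note), export the project's IAM policy with `gcloud projects get-iam-policy PROJECT_ID --format=json` and check it. The script below is an added example, not part of the Discover product; the policy, project and account names in it are constructed placeholders. It also reports `deleted:` bindings, which are left behind when a service account is deleted and do not apply to a re-created account with the same e-mail address.

```python
import json

# Roles this guide assigns to the Service Account on the project.
REQUIRED_ROLES = {"roles/editor": "Editor", "roles/owner": "Owner"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# All names are placeholders, not values from this guide.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:discover-agent@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "deleted:serviceAccount:discover-agent@example-project.iam.gserviceaccount.com?uid=1234567890"]}
  ],
  "version": 1
}
""")


def check_service_account(policy, sa_email):
    """Return (held, missing, stale) lists of role labels for one service account."""
    live = "serviceaccount:" + sa_email.lower()
    stale_prefix = "deleted:" + live + "?uid="
    held, stale = set(), set()
    for binding in policy.get("bindings", []):
        label = REQUIRED_ROLES.get(binding.get("role"))
        if label is None:
            continue  # not one of the roles the guide asks for
        for member in binding.get("members", []):
            m = member.lower()
            if m == live:
                held.add(label)
            elif m.startswith(stale_prefix):
                # Left over from a deleted account; grants nothing to a new one.
                stale.add(label)
    missing = set(REQUIRED_ROLES.values()) - held
    return sorted(held), sorted(missing), sorted(stale)


if __name__ == "__main__":
    sa = "discover-agent@example-project.iam.gserviceaccount.com"
    held, missing, stale = check_service_account(SAMPLE_POLICY, sa)
    print("held:", held, "| missing:", missing, "| stale bindings:", stale)
```

A role listed under "missing" while also appearing under "stale bindings" means the grant has to be made again for the current account.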

 
 

Troubleshooting Note 2:


Issue

When running a Google Owner search, I receive the following error in the Google Agent Log:
  
[11:33:00.8 Jul-23] ERROR: Error while obtaining G Suite users root information
The service admin has thrown an exception: Google.GoogleApiException: Google.Apis.Requests.RequestError
Domain not found. [404]
Errors [Message[Domain not found.] Location[ - ] Reason[notFound] Domain[global]
 
at Google.Apis.Requests.ClientServiceRequest`1.<ParseResponse>d__34.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at SherpaSoftware.GoogleAPIs.AdminDirectory.ListAllUsers(List`1 nonFatalErrors, String domain)
at SherpaSoftware.AoGoogleAgent.appSearchFolderThread.OnPerformPersonSearch(IOwnerSearch search)
 ====================================================================================
 

Solution

This is caused when the organization configuration in the Google API Developers site does not have an OAuth consent screen designated for their domain. This is corrected by updating the following:
 

Open the Google API Developers site by using the following link:

 
https://console.developers.google.com/projectselector2/projectselector2/apis/dashboard?project=&angularJsUrl=true
 

Click on 'Credentials' from the main dashboard page.

 
 

Then click on the 'OAuth consent screen':

 
 

Fill out the consent screen as follows:

  • Application type = Public

  • Application name = 'Organizations Choice'

  • Support email = 'Service Account email address'

  • Authorized domains = 'Add Organizations Domain and sherpaaltitudeig.com'

Click 'Save'

 
 

Run the Google Owner search again.
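
The two errors above share the same first line in the Google Agent Log and differ only in the continuation lines. The script below is an added example, not part of the Discover product: it groups continuation lines under their timestamped entry and maps each ERROR to the matching troubleshooting note. The timestamp pattern is an assumption inferred from the two excerpts on this page.

```python
import re

# Excerpts from the two troubleshooting notes on this page (stack frames trimmed).
SAMPLE_LOG = '''\
[07:21:43.5 Jul-23] ERROR: Error while obtaining G Suite users root information
Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.", Uri:""
[11:33:00.8 Jul-23] ERROR: Error while obtaining G Suite users root information
The service admin has thrown an exception: Google.GoogleApiException: Google.Apis.Requests.RequestError
Domain not found. [404]
Errors [Message[Domain not found.] Location[ - ] Reason[notFound] Domain[global]
'''

# Assumed entry header format: [HH:MM:SS.f Mon-DD] LEVEL: message
ENTRY_START = re.compile(r"^\[(\d{2}:\d{2}:\d{2}\.\d \w{3}-\d{2})\] (\w+): (.*)$")

# Error signature -> remediation, both as given in the troubleshooting notes.
RULES = [
    (re.compile(r'TokenResponseException: Error:"unauthorized_client"'),
     "Note 1: give the Service Account the Owner role on the project"),
    (re.compile(r"GoogleApiException.*?Domain not found\. \[404\]", re.S),
     "Note 2: set up the OAuth consent screen for the domain"),
]


def split_entries(text):
    """Attach continuation lines (exception text, stack frames) to their entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "body": m.group(3)})
        elif entries:
            entries[-1]["body"] += "\n" + line
    return entries


def triage(text):
    """Return (timestamp, remediation) per ERROR entry; None if no rule matches."""
    results = []
    for entry in split_entries(text):
        if entry["level"] != "ERROR":
            continue
        fix = next((hint for rx, hint in RULES if rx.search(entry["body"])), None)
        results.append((entry["time"], fix))
    return results


if __name__ == "__main__":
    for when, fix in triage(SAMPLE_LOG):
        print(when, "->", fix or "no matching troubleshooting note")
```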