--- title: >- File Search Google Drive Setup Guide: Service Account with Domain-Wide Delegation excerpt: '' deprecated: false hidden: true metadata: title: '' description: '' robots: index next: description: '' --- The recommended approach for access is with [a custom admin role](https://help.moveworks.com/update/docs/file-search-google-drive-setup-guide-service-account-with-custom-admin-role). The following instructions are functional but Moveworks is unsure if Google has any plans to deprecate this. This document describes the option available to create a service account with Domain wide Delegation privileges, dedicated for Moveworks to ingest your Google Drive files, users, and groups for permission-enforced File Search. Moveworks will use the Service Account credentials to impersonate a Workspace admin, with privileges to read the desired folders/files, and groups/users of the Workspace. ### 1. Create Google Cloud Project 1. Create a Google Cloud Project for Moveworks 1. Sign into [https://console.cloud.google.com/cloud-resource-manager](https://console.cloud.google.com/cloud-resource-manager) using an account with Google Workspace Super Admin privileges 2. Click **+Create Project** 3. Name the project Moveworks and select the top-level organization OU for your Google Workspace 4. Click **Create** 5. Once completed, click **Select Project** from Notifications or via Search ### 2. Grant SDK Scopes to Project 1. Turn on the Admin SDK and Google Drive APIs for your Google Cloud Project 1. From the top-left Navigation Menu, click **APIs & Services > Enabled APIs & Services**. 2. Click **+Enable APIs & Services**. 3. Search for each of the following APIs, and select **Enable**: * **Admin SDK** * **Google Drive API** ### 3. Create a Service Account and Generate a JSON Web Token 1. From the top-left Navigation Menu, click **APIs & Services > Credentials**. 2. Click **+Create Credentials > Service account**. 3. For Service account name, enter **Moveworks** 4. (Optional) Enter **Service account description,** if desired 5. Click **Create and Continue**. 6. Click **Done > Save**. 7. Copy the Service Account email. _You’ll need this later._ 8. Create the service account key 1. Select the newly created Service Account. 2. Copy the **Unique ID** and save it for later. _You’ll need this later._ 3. At the top of the page, click **Keys > Add Key > Create new key**. 4. Make sure the key type is set to **JSON** and click **Create**. You'll get a message that the service account's private key JSON file was downloaded to your computer. Save this JSON file, as _you’ll need this later._ 5. Click **Close** on the pop-up window. ### 4. Add API Scopes to Service Account 1. Add domain-wide delegated OAuth API scopes to the service account 1. Sign into your Google Admin Console using an account with Super Admin privileges 2. Navigate through the following: **Menu** > **Security > Access and data control > API controls > Manage Domain-Wide Delegation.** 3. Click **Add New.** 4. In the **Client ID** field, enter the service account's **Unique** **ID** saved in **Step 2.** 5. Under **OAuth Scopes,** grant Moveworks the following scopes: 1. [https://www.googleapis.com/auth/admin.directory.group.readonly](https://www.googleapis.com/auth/admin.directory.group.readonly) 2. [https://www.googleapis.com/auth/admin.directory.user.readonly](https://www.googleapis.com/auth/admin.directory.user.readonly) 3. [https://www.googleapis.com/auth/drive.metadata.readonly](https://www.googleapis.com/auth/drive.metadata.readonly) 4. [https://www.googleapis.com/auth/drive.readonly](https://www.googleapis.com/auth/drive.readonly) 6. Click **Authorize**. ### 5. Share Desired Google Drive Folders with Service Account 1. In this step, make sure that each Google Drive Folder you wish to ingest has been shared access with the new Service Account with Custom Admin privileges that you have built in previous steps. ![](https://files.readme.io/fcf8088-Untitled_-_2024-07-29T174231.496.png) ### 6. Create Google Drive Connector and Configure File Ingestion **Configure Google Drive Connector in MW Setup** 1. Create a **Google Drive connector** 2. Select **Service Account Auth** 3. Open the **JSON Key** text file from **Step 2** and copy the content of the "private_key" 4. Open a new text file and paste the private key. Make sure new line characters, if applicable, are replaced with new lines. Once formatted correctly save the file as a .pem file type. 1. The formatting show look similar to the below: ![](https://files.readme.io/b8bd3a6f45b760214d4053b9ce2691732e8c162c816e41882a55cd6c85812bd0-image.png) 5. Upload the .pem file from the previous step in the **Gdrive Service Account Auth Private Key** field. 6. **Important:** Under “Impersonated User”, provide the email of a Google Workspace admin, or user/service account with access to read all Users/Groups **Configure File Ingestion** _Note, if user ingestion has not been set up previously, reach out to your Customer Success team_ 1. In the MW Setup, go to the **Answers > Ingestions > File Knowledge Screen.** 2. Select the **Google Drive Connector** and ***provide a Name**** your File ingestion config 3. Continue to the **Ingestion Details page** and **Specify each Folder**, using the Folder IDs 1. Copy and paste Folder IDs in the following manner: 1. If the URL of your Google Drive folder is \<[https://drive.google.com/drive/folders/FOLDERID](https://drive.google.com/drive/folders/FOLDERID), then input the FOLDERID 2. Please double check that each Folder has been shared access with the new Google Workspace User with Custom Admin privileges that you have built in previous steps 3. You can assign a Domain to each Folder, i.e IT, HR, Finance, etc.– this Domain is used for tagging in Analytics, enabling you to filter Search usage for each of your domains 4. **Save** the File Ingestions ### 7. Launch File Search to your employees (if not already) 1. Refer back to the main File Search Self-Serve guide: [File Search Self-Serve – Configuration Guide](/docs/file-search-self-serve-configuration).