Skip to content

Configure your Google Cloud Service account

Google Cloud Platform general prerequisites

In order to ingest Google Workspace data into your Splunk platform deployment, you must complete the following prerequisites:

  1. Create a new project in your Google Cloud Platform deployment.
  2. Create a Google Cloud Service account from the Google Developers Console. For more information, see Using OAuth 2.0 for Server to Server Applications topic in the Google Identity manual.

Multiple domain support

The Splunk Add-on for Google Workspace allows a Splunk administrator to collect Google Workspace audit events from different domains. This allows a central visibility on customer GWS accounts which needs to be centrally monitored.

In order to use the multiple domain monitoring feature for domains associated with an organization, create a Google Cloud Service account for each domain you want to monitor and then use these service accounts to Configure the Splunk Add-on for Google Workspace.

Asset and Identity framework support

The Splunk Add-on for the Google Workspace lets a Splunk administrator integrate users’ identity events to the Asset and Identity (A&I) framework. Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. In order to use the A&I framework, installation of the Splunk Enterprise Security is required. For the complete installation guide, see the Install Splunk Enterprise Security in a search head cluster environment topic in the Splunk Enterprise Security manual.

Currently supported through the Custom event type integration. The following event type has been configured in the Splunk Add-on for Google Workspace: gws_users_identity.

For information on formatting your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security, see the Format an asset or identity list as a lookup in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.

Google Workspace activity report prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the Admin SDK API. Select the Admin SDK API.
  4. In Admin SDK API, select the Enable button to enable the Admin SDK API. Making calls to this API lets you view and manage resources such as user, groups, and audit and usage reports of your domain.
  5. Navigate to APIs and Services > Credentials.
  6. In Credentials, select Create Credentials > Service account.
  7. In Create service account, perform the following steps:
    1. Name your service account, and select Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Select Continue.
    4. (Optional) Grant users access to your service account. Select Done.
  8. In Credentials, navigate to your new service account name, and select your new service account name.
  9. In the Service account details page for your new service account, perform the following steps:

    1. Navigate to the Unique ID, and copy the contents of the Unique ID.

      This is also your Client ID

    2. Navigate to the Keys tab.

    3. Select Add Key > Create new key.
    4. Select the JSON key type.
    5. Select Create.
    6. Save the key type JSON file to your selected directory.

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

    7. Navigate to the Permissions tab.

    8. Navigate to the user name email address that has Owner permissions. Copy the email address.
  10. Navigate to admin.google.com.

  11. Log in to your administrator Google account.
  12. On the Google Admin home page, navigate to Security > API controls.
  13. In API Controls, navigate to Domain wide delegation, and select Manage Domain Wide Delegation.
  14. In Manage Domain Wide Delegation, select Add new to add a new client ID.
  15. In the Add a new client ID window, perform the following steps:

    1. In the Client ID field, paste the Unique ID that you copied from the Service account details page.
    2. In the OAuth scopes (comma-delimited) field, add the https://www.googleapis.com/auth/admin.reports.audit.readonly scope for the service account. This gives read-only access when retrieving an activity report. For more information, see the Google Cloud storage APIs & Reference and Getting Endpoints Quickstart documentation. See the Authorize Requests topic in the Google Workspace Admin SDK manual.

    3. Select Authorize.

Google Workspace usage report prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the Admin SDK API. Select the Admin SDK API.
  4. In Admin SDK API, select the Enable button to enable the Admin SDK API. Making calls to this API lets you view and manage resources such as user, groups, and audit and usage reports of your domain.
  5. Navigate to APIs and Services > Credentials.
  6. In Credentials, select Create Credentials > Service account.
  7. In Create service account, perform the following steps:
    1. Name your service account, and select Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Select Continue.
    4. (Optional) Grant users access to your service account.
    5. Select Done.
  8. In Credentials, navigate to your new service account name, and click your new service account name.

  9. In the Service account details page for your new service account, perform the following steps:

    1. Navigate to the Unique ID, and copy the contents of the Unique ID.

      This is also your Client ID.

    2. Navigate to the Keys tab.

    3. Select Add Key > Create new key.
    4. Select the JSON key type.
    5. Select Create.
    6. Save the key type JSON file to your selected directory.

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

    7. Navigate to the Permissions tab.

    8. Navigate to the user name email address that has Owner permissions. Copy the email address.
  10. Navigate to admin.google.com.

  11. Log in to your administrator Google account.
  12. On the Google Admin home page, navigate to Security > API controls.
  13. In API Controls, navigate to Domain wide delegation, and select Manage Domain Wide Delegation.
  14. In Manage Domain Wide Delegation, select Add new to add a new client ID.
  15. In the Add a new client ID window, perform the following steps:

    1. In the Client ID field, paste the Unique ID that you copied from the Service account details page.
    2. In the OAuth scopes (comma-delimited) field, add the https://www.googleapis.com/auth/admin.reports.usage.readonly scope for the service account. This gives read-only access when retrieving an usage report. For more information, See the Google Cloud storage APIs & Reference and Getting Endpoints Quickstart documentation. See the Authorize Requests topic in the Google Workspace Admin SDK manual.

    3. Click Authorize.

Gmail headers prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the BigQuery API. Select theBigQuery API.
  4. In BigQuery API, select the Enable button to enable the BigQuery API.
  5. Navigate to APIs and Services > Credentials.
  6. In Credentials, select Create Credentials > Service account.
  7. In Create service account, perform the following steps:
    1. Name your service account, and select Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Select Continue.
    4. (Optional) Grant users access to your service account.
    5. Select Done.
  8. In Credentials, navigate to your new service account name, and select your new service account name.
  9. In the Service account details page for your new service account, perform the following steps:

    1. Navigate to the Keys tab.
    2. Select Add Key > Create new key.
    3. Select the JSON key type.
    4. Click Create.
    5. Select the key type JSON file to your selected directory.

    Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

  10. Go back to the Details tab and copy the service account email.

  11. Navigate to IAM.
  12. Select Add.
  13. Paste service account email into New principals field.
  14. Select Select a role.
  15. Type BigQuery Job User.
  16. Select BigQuery Job User.
  17. Select Save.
  18. Navigate to admin.google.com.
  19. Go to Apps > Google Workspace > Gmail.
  20. Select Setup.
  21. Select Email Logs in BigQuery.
  22. Select Enable.
  23. In Select the BigQuery project to use find a Google Cloud project where service account was created.
  24. You can optionally specify a different name of the dataset under Specify the name for a new dataset to be created within your project. Later you can configure this dataset name during the input configuration steps.
  25. Select Save.
  26. Navigate to console.cloud.google.com.
  27. Search for BigQuery in the search bar and click BigQuery.
  28. On the left side of the screen you should see the Google Cloud project, click on it.
  29. Select View actions > Open (three dots) near gmail_logs_dataset. By default, you may see something else depending on the name you chose in the previous step.
  30. Select Sharing > Permissions.
  31. Select Add principal.
  32. Paste service account email into the New principals field.
  33. Select Select a role.
  34. Type BigQuery Data Viewer.
  35. Select BigQuery Data Viewer.
  36. Select Save.

Google Workspace user identity report prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the Admin SDK API.
  4. Select the Admin SDK API.
  5. In Admin SDK API, click the Enable button to enable the Admin SDK API. Making calls to this API lets you view and manage resources such as user, groups, and audit and usage reports of your domain.
  6. Navigate to APIs and Services > Credentials.
  7. In Credentials, select Create Credentials > Service account.
  8. In Create service account, perform the following steps:

    1. Name your service account, and select Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Select Continue.
    4. (Optional) Grant users access to your service account.
    5. Select Done.
  9. In Credentials, navigate to your new service account name, and click your new service account name.

  10. In the Service account details page for your new service account, perform the following steps:

    1. Navigate to the Unique ID, and copy the contents of the Unique ID.

      This is also your Client ID.

    2. Navigate to the Keys tab.

    3. Select Add Key > Create new key.
    4. Select the JSON key type.
    5. Select Create.
    6. Save the key type JSON file to your selected directory.

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

    7. Navigate to the Permissions tab.

    8. Navigate to the user name email address that has Owner permissions. Copy the email address.
  11. Navigate to admin.google.com.

  12. Log in to your administrator Google account.
  13. On the Google Admin home page, navigate to Security > API controls.
  14. In API Controls, navigate to Domain wide delegation, and select Manage Domain Wide Delegation.
  15. In Manage Domain Wide Delegation, select Add new to add a new client ID.
  16. In the Add a new client ID window, perform the following steps:

    1. In the Client ID field, paste the Unique ID that you copied from the Service account details page.

    2. In the OAuth scopes (comma-delimited) field, add the https://www.googleapis.com/auth/admin.directory.user.readonly scope for the service account. This gives read-only access when retrieving the user identity. For more information, See the Google Cloud storage Directory API: User Accounts and SDK:Directory API documentation. See the Authorize Requests topic in the Google Workspace Admin SDK manual.

    3. Select Authorize.

Google Workspace Alert Center prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the Google Workspace Alert Center API.
  4. Select the Google Workspace Alert Center API.
  5. In Google Workspace Alert Center API, select the Enable button to enable the Google Workspace Alert Center API. Making calls to this API lets you view and manage resources such as user, groups, and audit and usage reports of your domain.
  6. Navigate to APIs and Services > Credentials.
  7. In Credentials, select Create Credentials > Service account.
  8. In Create service account, perform the following steps:

    1. Name your service account, and select Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Select Continue.
    4. (Optional) Grant users access to your service account.
    5. Select Done.
  9. In Credentials, navigate to your new service account name, and click your new service account name.

  10. In the Service account details page for your new service account, perform the following steps:

    1. Navigate to the Unique ID, and copy the contents of the Unique ID.

    This is also your Client ID.

    1. Navigate to the Keys tab.
    2. Select Add Key > Create new key.
    3. Select the JSON key type.
    4. Select Create.
    5. Save the key type JSON file to your selected directory.

    Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

    1. Navigate to the Permissions tab.
    2. Navigate to the user name email address that has Owner permissions. Copy the email address.
  11. Navigate to admin.google.com.

  12. Log in to your administrator Google account.
  13. On the Google Admin home page, navigate to Security > API controls.
  14. In API Controls, navigate to Domain wide delegation, and select Manage Domain Wide Delegation.
  15. In Manage Domain Wide Delegation, select Add new to add a new client ID.
  16. In the Add a new client ID window, perform the following steps:

    1. In the Client ID field, paste the Unique ID that you copied from the Service account details page.
    2. In the OAuth scopes (comma-delimited) field, add the [https://www.googleapis.com/auth/admin.directory.user.readonly](https://www.googleapis.com/auth/admin.directory.user.readonly) scope for the service account. This gives read-only access when retrieving the user identity. For more information, See the Google Cloud storage APIs & Reference and Getting Endpoints Quickstart documentation. See the Authorize Requests topic in the Google Workspace Admin SDK manual.

    3. Select Authorize.