3. Create a service account

If you're using 3-legged OAuth as your Google authentication method, you can skip this step and go to Download & install.

To use a service account as your authentication method, you need to create an account and set it up before you install Password Sync. How you create the account depends on whether you want to run an automated script (recommended) or manually create a service account.

You're on step 3 of 7

Option 1: Use an automated script to create the account

This GitHub script is not supported by Google Workspace support. If you have issues using the script, follow the steps to manually create the account instead. Learn more about using the script.

  1. Sign in as a super administrator and, in a browser window, open Cloud Shell.
  2. In the editor, enter the following command:

    python3 <(curl -s -S -L https://git.io/password-sync-create-service-account)

  3. Complete the steps in the Cloud Shell window.
  4. Click Download to download the JSON file that contains the service account's client ID to your computer.
  5. Go to Download & install.

Option 2: Manually create a service account

Step 1: Create a project

  1. Go to Google Cloud and sign in as a super administrator. If it's your first time signing in to the console, agree to the Terms of Service.
  2. Click IAM & Admin and then Manage Resources. You might have to click Menu first.
  3. At the top, click Create Project and enter a project name.
  4. (Optional) To add the project to a folder, for Location, click Browse, navigate to the folder, and click Select.
  5. Click Create.
  6. By default, only the creator of the project has rights to manage the project. To ensure the project can be maintained if the creator leaves the organization, you should assign at least one other person the role of Project Owner. For details, go to Manage access to projects, folders, and organizations.

Step 2: Turn on the APIs for the service account

  1. Check the box next to your new project.
  2. Click APIs & Services and then Library. You might have to click Menu first.
  3. Search for the Admin SDK API and click the API name and then Enable.

Step 3: Configure the OAuth consent screen

Tip: When adding the email addresses below, use shared administrator email accounts.

  1. In Google Cloud, open the project that you created earlier.
    • If you manually created a service account, the project was created in Step 1: Create a project.
    • If you created the project using a script, the project name is listed in the Google Cloud Shell Editor after the script runs.
  2. Click APIs & Services and then OAuth consent screen. You might have to click Menu first.
  3. Click Branding.

    If you don't see Get started, go to step 4. Otherwise, go to step 5.

  4. Click Clients.

    If you see + Create client, go to Step 4: Create the service account. Otherwise, go to step 5.

  5. Click Get started.
  6. For App name, enter your application's name (for example, Google Workspace Migrate or GWM).
  7. For User support email, enter an email that users can contact with questions, and then click Next.
  8. For Audience, select Internal, and then click Next.
  9. For Contact Information, enter any relevant email addresses, and then click Next.
  10. For Finish, check the I agree to the Google API Services: User Data Policy box.
  11. Click Continue and then Create.

Step 4: Create the service account

  1. Click APIs & Services and then Credentials. You might have to click Menu first.
  2. Click Create Credentials and then Service account.
  3. For Service account name, enter a name for the service account and optionally add a description.
  4. Click Create and Continue and then Done.
  5. Make a note of the Unique ID value for the service account. You'll need it later. This value is also the service account's client ID.

    Tip: You can also find the value on the Details tab of the service account or in the JSON file.

  6. Click Done and then Save.
  7. At the top, click Keys and then Add Key and then Create new key.
  8. Make sure the key type is set to JSON and click Create.

    You'll get a message that the service account's private key JSON file was downloaded to your computer.

  9. Make a note of the file name and where your browser saves it. You'll need it later.
  10. Click Close.

Step 5: Authorize your client ID in the Admin console

  1. In the Google Admin console, go to Menu and then Security and then Access and data control and then API controls and then Manage Domain Wide Delegation.

    You must be signed in as a super administrator for this task.

  2. Click Add new and enter your service account client ID.

    You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in Google Cloud (click IAM & Admin and then Service accounts and then the name of your service account).

  3. For OAuth scopes, enter the following scope:

    https://www.googleapis.com/auth/admin.directory.user

  4. Click Authorize.
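Before entering the client ID in Step 5, it is worth confirming that the JSON file from Step 4 really is a service account key and that the delegated scope list is exactly the one scope above and nothing broader. The following stdlib-only script is an added example, not part of this article or of Password Sync; the key contents it parses are a constructed sample with fake values.

```python
"""Check a service-account key file and the scopes to delegate to it.

Added example, not Google's code. It reads the JSON key downloaded in
Step 4, pulls out the client ID (the service account's Unique ID) that
Step 5 asks for, and flags any Domain Wide Delegation scope beyond the
single admin.directory.user scope the article authorizes.
"""
import json

# The one scope the article grants under Manage Domain Wide Delegation.
REQUIRED_SCOPES = {"https://www.googleapis.com/auth/admin.directory.user"}

# Constructed sample key: same shape as a downloaded key, all values fake.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-password-sync",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "password-sync@example-password-sync.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})


def check_key(raw_json: str, requested_scopes) -> dict:
    """Return {'client_id': str | None, 'problems': [str]} for a key file's text."""
    problems = []
    try:
        info = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return {"client_id": None, "problems": [f"not valid JSON: {exc}"]}
    # A downloaded service account key always carries type "service_account";
    # an OAuth client file or user credential will not.
    if info.get("type") != "service_account":
        problems.append("type is not 'service_account' (wrong credential kind?)")
    for field in ("client_id", "client_email", "private_key", "private_key_id"):
        if not info.get(field):
            problems.append(f"missing field: {field}")
    client_id = info.get("client_id")
    # The Unique ID pasted into Domain Wide Delegation is purely numeric.
    if client_id and not str(client_id).isdigit():
        problems.append("client_id is not a numeric Unique ID")
    # Least privilege: the delegated scopes must match the article's one scope.
    extra = set(requested_scopes) - REQUIRED_SCOPES
    missing = REQUIRED_SCOPES - set(requested_scopes)
    if extra:
        problems.append("scopes broader than needed: " + ", ".join(sorted(extra)))
    if missing:
        problems.append("required scope missing: " + ", ".join(sorted(missing)))
    return {"client_id": client_id, "problems": problems}


if __name__ == "__main__":
    print(check_key(SAMPLE_KEY_JSON, REQUIRED_SCOPES))
```

Run it against the real downloaded file with `check_key(open(path).read(), scopes)`; an empty `problems` list means the client ID it prints is the value to enter in Step 5.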
