How to Configure and Use a Gmail / G Suite Service Account for Sync Activation
Gmail/G Suite Service Accounts are used for various mail access management tasks, for example to mass-authorize the Revenue Inbox Sync engine to work with the end users’ Gmail data via the RI Chrome Extension for Gmail.
In this scenario, a service account configured by the local mail Admin provides a simple way to authorize multiple Gmail mailboxes for RI use, so end users do not need to authorize their mailboxes manually or reconnect them every time they change their password. This makes adding new product users easier and allows admins and managers to ensure that all Revenue Inbox features are rolled out to all users.
After mass RI Sync activation via a Gmail service account, you can proceed to mass-deploying the RI Chrome extensions for the end users; the mass deployment procedure is only available on Windows systems, via MS Active Directory.
Step 1. Create a Project
1.1. Log in to your Org’s Gmail / G Suite Console with Super administrator credentials at https://console.developers.google.com/
If you haven’t used the Console before, you will first need to agree to the Console’s Terms of Service.
1.2. Click the button Select a project ▾ in the upper left corner of the Console
1.3. In the dialog that appears, click New Project
1.4. Enter a Project name and click Create. In this example we set the name Gmail Service Account
Step 2. Enable Gmail API Sets
2.1. Select your Project from the list and click the ENABLE APIS AND SERVICES button
2.2. On the API Library page that opens, use the search box to find GMAIL API, click on it and then Enable it on the next page.
Note that enabling the APIs here does not grant access immediately; it is a prerequisite for adding the corresponding permission scopes later.
2.3. In the same manner find and enable two more API sets for the service account: Google Calendar API and Contacts API
Step 3. Create a Service Account User
3.1. Click the ☰ (Navigation menu) icon in the upper left corner of the Console and select IAM & admin > Service accounts in the navigation pane
3.2. In the next dialog, click + CREATE SERVICE ACCOUNT
3.3. Enter a name to identify the service account and set Service account description to “Allow admins to control which mailboxes get added”, then click CREATE
3.4. In the next window, set the value Project > Owner in the field Select a role and click Continue, then click DONE in the next window
3.5. Next, click the ⋮ (Menu) icon in the Actions column of the created service account and select Create key
3.6. Select JSON format for the key (the default one) and click CREATE
3.7. Download the JSON to your hard drive; store the Key file securely, as it unlocks access to your Gmail resources. This file will be used at a later step. Close the download notification and proceed to the next step
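The following Python check is an added example, not part of the original instructions or of Revenue Inbox's tooling: it audits a downloaded key file for loose file permissions and confirms that `client_id` is the digits-only Unique ID rather than the alphanumeric Key ID (`private_key_id`). `SAMPLE_KEY` is a constructed placeholder, the function names are hypothetical, and the permission check assumes a POSIX file system.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

# Constructed sample with the field layout of a service-account JSON key;
# every value is a placeholder, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "gmail-service-account-example",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "<PEM private key placeholder>",
    "client_email": "ri-sync@gmail-service-account-example.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def audit_key_file(path):
    """Return (unique_id, findings) for a downloaded key file (POSIX modes)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:o}: group/other can access the key, use 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is not 'service_account'")
    # client_id is the digits-only Unique ID; private_key_id is the Key ID.
    unique_id = str(key.get("client_id", ""))
    if not (unique_id.isascii() and unique_id.isdigit()):
        findings.append("client_id is not a digits-only Unique ID")
    return unique_id, findings

def demo():
    """Audit the sample as downloaded (mode 644), then after chmod 600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        os.chmod(path, 0o644)
        before = audit_key_file(path)
        os.chmod(path, 0o600)
        return before, audit_key_file(path)

if __name__ == "__main__":
    print(demo())
```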
Step 4. Enable Gmail/G Suite delegation for the domain
4.1. Find the newly created service account in the list, then click Menu ⋮ next to it under Actions and select Edit
4.2. In the Service account’s window:
- Copy the Unique ID of the created service account to a text file or the clipboard to be used later
- Click the button SHOW DOMAIN-WIDE DELEGATION to expand the block
- Select the checkbox for Enable G Suite Domain-wide Delegation and enter Revenue Inbox in the field “Product name for the consent screen”
- Finally, click Save in the bottom left corner of the pane to apply the changes
Step 5. Enable the Service Account in Gmail
5.1. Log in to Gmail and open the Admin panel; you will need to scroll down under the More section to find it.
5.2. On the Admin panel, click the Security icon.
5.3. Scroll down and click Advanced Settings
5.4. In the “API controls” window that opens, click MANAGE THIRD-PARTY APP ACCESS
5.5. In the “App access control” window that opens, click Configure new app and select OAuth App Name Or Client ID in the picklist
5.6. Now you need to find the OAuth app to connect it. Enter the Unique ID (the digits-only value that you copied at step 4.2, not the alphanumeric Key ID) into the Search for app name or client ID field and click SEARCH
If you didn’t copy the Unique ID, it can be retrieved in the following way: click ☰ (Menu) in the upper left corner of the Console window. Then select IAM & admin and click Service accounts. Once there, find the service account and click Edit in the Actions column menu, then copy the contents of the Unique ID field from the account parameters page.
5.7. If everything was configured correctly, you will see Revenue Inbox (or another app name that you entered) in the results. Click SELECT on the right-hand side
5.8. Next, select the checkbox next to the unique ID, then click SELECT in the bottom right corner of the dialog
5.9. In the next dialog, set App access to Trusted: Can access all Google services and click CONFIGURE
5.10. Next, you will see the list of configured API apps, including Revenue Inbox (or another app name you specified). Right-click on its App ID (an alphanumeric value with a dash ending with .apps.googleusercontent.com) and copy it
Step 6. Set Up Domain Delegation
6.1. Go back to the Gmail Admin Console’s Security tab (see step 5.2), then scroll down to API Permissions
6.2. Click MANAGE DOMAIN-WIDE DELEGATION
6.3. In the pane “Domain-wide delegation”, click Add new API client
6.4. In the dialog “Add a new client ID” that appears:
- enter the App Client ID that you copied at step 5.10
- populate the OAuth scopes field with the following comma-separated values:
https://www.googleapis.com/auth/gmail.readonly, https://www.google.com/m8/feeds/, https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/drive.appdata, https://www.googleapis.com/auth/gmail.labels, https://www.googleapis.com/auth/gmail.modify, https://www.googleapis.com/auth/tasks, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/gmail.compose
- Click AUTHORISE
6.5. Wait 5 minutes for the configuration to be applied
Now you are all set up to use the Gmail Service Account for end-user authorization.
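The check below is an added example, not part of the original instructions or of Revenue Inbox's tooling: it compares the value typed into the OAuth scopes field against the list from step 6.4, since a scope that is missing or misspelled in that field is not delegated. `PASTED` is a constructed input and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# The scope list from step 6.4 of this page.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.google.com/m8/feeds/",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.appdata",
    "https://www.googleapis.com/auth/gmail.labels",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/tasks",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/gmail.compose",
)

def is_scope_url(scope):
    """True for a single https URL with a host and no embedded whitespace."""
    parts = urlsplit(scope)
    has_space = any(ch.isspace() for ch in scope)
    return parts.scheme == "https" and bool(parts.netloc) and not has_space

def check_scopes(field_value):
    """Compare an 'OAuth scopes' field value against REQUIRED_SCOPES."""
    scopes = [s.strip() for s in field_value.split(",") if s.strip()]
    valid = [s for s in scopes if is_scope_url(s)]
    return {
        "malformed": [s for s in scopes if not is_scope_url(s)],
        "duplicates": sorted({s for s in valid if valid.count(s) > 1}),
        "missing": sorted(set(REQUIRED_SCOPES) - set(valid)),
        "unexpected": sorted(set(valid) - set(REQUIRED_SCOPES)),
    }

# Constructed paste with typical slips: two scopes separated by a space
# instead of a comma, one scope entered twice, one misspelled, one left out.
PASTED = (
    "https://www.googleapis.com/auth/gmail.readonly, https://www.google.com/m8/feeds/, "
    "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive, "
    "https://www.googleapis.com/auth/drive.appdata, https://www.googleapis.com/auth/gmail.labels, "
    "https://www.googleapis.com/auth/gmail.labels, https://www.googleapis.com/auth/gmail.modify, "
    "https://www.googleapis.com/auth/task, https://www.googleapis.com/auth/userinfo.email"
)

if __name__ == "__main__":
    for name, items in check_scopes(PASTED).items():
        print(name, items)
```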
Step 7. Use the configured service account to authorize users in the RI Admin panel
After you create a Gmail service account, you must authorize the users in the Revenue Inbox Admin panel.
To do that:
7.1. Log in to the Admin panel with the admin credentials provided by the RI Support team
7.2. Click the ORGANIZATIONS tab and select your Org
7.3. Click the E-MAIL CONFIGURATION subtab
7.4. Click Choose File next to Upload JSON file, select the private key .json file you generated at step 3.7 above, then click Upload
7.5. Click Save in the upper right corner of the subtab and then click Check Users’ Google Impersonated Access to make sure that the procedure was successful