Add a Google Workspace message source

Overview

In order for the Sublime Platform to access mail for your Google Workspace organization programmatically, you must upload a Google Cloud Platform service account key to which you've granted domain-wide delegation of authority for your Google Workspace organization. This is required so that only you have access to your mail, and not anyone else, including the Sublime team.

๐Ÿ“˜

Google Workspace super administrator

To add a Google Workspace message source, you need to be a super administrator for your Google Workspace organization or get the help of a super administrator.

You must also have "Project creator" or greater IAM permissions for your organization.

Creating a service account key

There are 3 high-level steps to creating a service account key, which are described in detail below:

  1. Set up a Google Cloud Platform project
  2. Create a service account for the project
  3. Grant domain-wide delegation to the service account

1. Set up a Google Cloud Platform project

  1. Go to https://console.cloud.google.com and sign in with your Google Workspace account
  2. If you've never used Google Cloud Platform before, agree to the terms
  1. Click the dropdown in the upper left
  1. Click the New Project button
  2. Add a project name in the Project name field (for example, "Sublime Platform")
  3. Click the Create button and wait a moment for the new project to be created
  4. Click Select Project in the notification for your new project in the upper right
  1. Type "admin sdk" into the search bar and select Admin SDK API in the search results
  1. Click the Enable button and wait for the page to reload when the Admin SDK API is enabled
  2. Type "gmail" into the search bar and select Gmail API in the search results
  3. Click the Enable button and wait for the page to reload when the Gmail API is enabled
  4. Type "cloud pub/sub" into the search bar and select Cloud Pub/Sub API in the search results
  5. Click the Enable button and wait for the page to reload when the Cloud Pub/Sub API is enabled
  6. Type "oauth" into the search bar and select OAuth consent screen in the search results
  7. Under User Type, select Internal
  8. Click the Create button
  9. Under App information, provide an app name (for example, "Sublime Platform")
  10. In the User support email dropdown, select your email address or any other available email address
  11. Scroll to the bottom of the interface and under Developer contact information, enter your email address
  12. Click the Save and Continue button. You can ignore the remaining OAuth options.

2. Create a service account

  1. In the Google Cloud Platform interface, type "service accounts" into the search bar and select Service Accounts in the search results
  2. Click the Create Service Account button
  3. Add a service account name (for example, "Sublime Platform") and optionally a service account description
  4. Click the Create and Continue button
  5. Under Grant this service account access to project, click the dropdown, search for "Pub/Sub Admin" and select the matching role.
  6. Click the Done button. You can ignore the remaining service account setup options.
  7. In the service accounts list, select the service account you just created
  8. Near the bottom of the details view, click Show Domain-Wide Delegation
  9. Check the box next to Enable Google Workspace Domain-wide Delegation
  10. Add a Product name for the consent screen (for example, "Sublime Platform")
  11. Click the Save button
  12. Copy the Client ID that appears and hold on to it for use later in this guide
  13. Click the Keys tab in the horizontal tabs list
  14. Click the Add Key dropdown
  15. Select Create new key
  16. Select the JSON key type if it's not selected by default
  17. Click the Create button and hold on to the file that is saved to your computer. This is the file you'll need when setting up a Google Workspace message source.

3. Grant domain-wide delegation

  1. Sign into the Google Workspace admin interface at https://admin.google.com
  2. Click the Security tile
  3. Scroll down and click the API controls section
  4. Scroll down and click Manage Domain Wide Delegation under Domain wide delegation
  5. Click Add new
  6. Paste the Client ID you copied when configuring the service account
  7. Paste this value into the OAuth scopes field:
https://mail.google.com/,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly
  1. Click the Authorize button

Use your new service account key

When setting up a Google Workspace message source in the Sublime Dashboard, paste the contents of the service account key file you downloaded into the Service Account Key JSON field