This document is a portion of the README file from Miyako's 4d-tips-google-service-account
The Google OAuth 2.0 system supports server-to-server interactions such as those between a web application and a Google service. For this scenario you need a service account, which is an account that belongs to your application instead of to an individual end user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved.
- Login to Google API Console with an admin account
- Navigate to IAM and admin
- Select Service accounts
- Select or create a project
-
Create a new service account
- Service account name:
(any) - Service account ID:
(any, will auto-fill) - Click Create
- Service account name:
-
Choose the role
- Project->Owner
-
Click Continue
- Click Create Key
- Choose the key options
- Key type: JSON
- Click Create
-
Store the
jsonfile locally (you will never be able to generate it again) -
Navigate to APIs & Services
-
Click ENABLE APIS AND SERVICES
-
Find the necessary SDK
- For example, to use the Directory API to manage users, find Admin SDK
- Enable the SDK
-
If you are not going to use one of the API's that require an API Key (such as Calendar), you can skip this step. Otherwise, to create an API KEY
-
Select "Create Credentials"
-
Choose "API Key"
-
Copy the key (the upper button).
-
If you wish to increase security, click "Restrict Key" (optional)
-
The restrictions screen has a number of options
For example, if you choose to restrict the key to only certain API's, you can choose them from a menu.
-
Delegate your app to act on behalf of any user in your domain
- Login to Google Admin Console with an admin account
- Select Security
- Select API Controls->Domain-Wide Delegation
-
Click Add New
- Register the necessary scopes
- Client Name: either the service account or the client ID
- Enter the API scopes to grant. Note they are comma-delimited here You will need these later. For example, to use the Directory API to manage users, register the following:
https://apps-apis.google.com/a/feeds/domain/,https://www.googleapis.com/auth/admin.directory.user
Your key should remain private. If you are using version control, such as git, you should keep the key out of your repository so that you do not accidentally share it. One way to do this is to put it in a private folder that will not be included in your repository.
- In the Resources folder for your project, add a folder called Private
- In your .gitignore file for your project, add the follwing line:
Resources/Private - Put your key into that folder
- Check the updates to your repository to make sure that your key does not appear in the list of added/updated files.