
Set Up and Connect a Google Service Account

Service accounts are a special account type designed to be used by an application (like Tonkean) or a machine instead of a person. In place of passwords, service accounts rely on public/private RSA key pairs for authentication.

Whenever possible, we recommend you connect a Google service account to Tonkean instead of a user account when connecting a Google Workspace application like Sheets or Drive. A standard user account can pose security risks, cause timeout errors due to a limit on the number of connections, and create problems if the associated user leaves your organization.

To connect a Google Workspace application using a service account, you must create a service account in Google Cloud, then select the service account option when connecting the application in Tonkean.

Create a Service Account

If you don't already have a service account, you must create one.

  1. Navigate to Google Cloud and sign in to the account for your organization.

  2. Select Console to open the Google Cloud Console.

  3. Follow the directions for creating a service account.

    Note that the only required fields are Service account name and Service account ID. Sections #2 and #3 in the image below are not required by Tonkean:

    service_account_reqd_fields.png

Generate a Key

Once you have a service account, generate the private key you can use to connect the account to Tonkean.

  1. Navigate to the Service accounts screen in the Google Cloud Console.

  2. Select the service account you want to connect to Tonkean.

  3. Select the Keys tab. The Keys tab displays.

  4. Select ADD KEY, then select Create new key. The Create private key for "{service account}" window displays.

  5. Ensure the Key type is set to JSON and select Create. A confirmation message displays and a JSON file downloads to your computer.

  6. Save the JSON file somewhere you can access it later. This file contains the secret key required to authenticate with Tonkean.

    You won't be able to generate this same key again.
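
The downloaded JSON file is the service account's private key, so it is worth checking locally before it is pasted into Tonkean. The following is an added example (not Tonkean's or Google's code) that verifies the file is a complete service-account key and, on POSIX systems, that only its owner can read it; the function names and the sample key are constructed for illustration.

```python
import json
import os
import re

# Fields of a Google service-account JSON key that this check relies on.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9.-]+\.iam\.gserviceaccount\.com$")

# Constructed sample: placeholder values only, not a usable credential.
SAMPLE = json.dumps({
    "type": "service_account", "project_id": "example-project", "private_key_id": "0" * 40,
    "private_key": "-----BEGIN PRIVATE KEY-----\nRkFLRQ==\n-----END PRIVATE KEY-----\n",
    "client_email": "tonkean-reader@example-project.iam.gserviceaccount.com",
})


def check_key_json(text):
    """Return problems found in the JSON text of a key file (empty list = OK)."""
    try:
        key = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    missing = [f for f in REQUIRED if not key.get(f)]
    problems = ["missing fields: " + ", ".join(missing)] if missing else []
    # An OAuth user-credential file has a different type and is not a service-account key.
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if not EMAIL_RE.match(str(key.get("client_email", ""))):
        problems.append("client_email is not an iam.gserviceaccount.com address")
    pem = str(key.get("private_key", "")).strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block (truncated copy?)")
    return problems


def check_key_file(path):
    """Check file permissions (POSIX) and contents of a downloaded key file."""
    # The file holds a private key: only its owner should be able to read it.
    loose = os.name == "posix" and os.stat(path).st_mode & 0o077
    problems = ["file is accessible to group/others; run chmod 600"] if loose else []
    with open(path, encoding="utf-8") as fh:
        return problems + check_key_json(fh.read())


if __name__ == "__main__":
    print(check_key_json(SAMPLE))  # constructed sample
```

Call `check_key_file()` with the path of the downloaded file; an empty list means the key looks complete and is readable only by its owner.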

Add a Google Workspace Application Data Source

With the dedicated service account and relevant secret key, you can add a Google Workspace application data source in Tonkean.

  1. In Tonkean, select the main nav icon in the upper left and select Enterprise Components. The Enterprise Components screen displays.

  2. Select + New Data Source in the upper right.

  3. Select Cloud Application. The Add New Data Source window displays.

  4. Enter "Google" in the search field and select the application you want to add as a data source. The New {Data Source} Connection window displays.

  5. Select Create a new connection. The Set Up Data Source window displays.

  6. Select the Service Account option. The JSON credentials field displays.

  7. Copy the entire JSON object in the JSON file downloaded from Google Cloud and paste it into the JSON credentials field. When finished, select Connect.


    If the connection is successful, a success message displays and you can begin configuring your data source.

Share Files with the Service Account

To make files like Drive folders or Sheets spreadsheets available to monitor, you must share those files with the service account in the same way you would share them with a Google Workspace user.

  1. In your Google Cloud account, navigate to IAM & Admin > Service Accounts > {Your service account} > DETAILS tab and locate the email address for the service account. The email should display in the following format: {service-account-name}@{project-name}.iam.gserviceaccount.com.

  2. In your Google Workspace instance, identify the files and folders you want the service account to have access to and select Share, enter the service account email address in the space provided, then make the service account an Editor.

    The service account can now access any shared files.