Google Workspace


Set up Google Workspace for automated tests with TrustCloud!

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your Google Workspace account and Google Workspace users so that TrustOps can validate and generate evidence for your compliance program.

If you have previously set up your TrustOps to work with GCP, skip to the section titled “Instructions to add Google Workspace access to your GCP Delegated Account.”

Instructions to grant TrustCloud limited access to Google Workspace metadata

  1. Create a new user service account in your Google Workspace.
    This service account will be the base account from which access is delegated to TrustCloud. TrustCloud will not have the login / password credentials for this account and will not be able to log in to your Google Workspace console with this account.
  2. Log in to [admin.google.com](https://admin.google.com/) in your Google Workspace.
  3. Click on ‘Users’ and click on ‘Add new users’.
  4. Once the user is created,
    1. Click on the user
    2. Under Admin roles and privileges, click on Assign a role for this user.
    3. Configure this user to have a User Management Admin role.
      This account will only be used to delegate access to read specific metadata. You will explicitly grant this access below in step 5.
      An existing admin account can be used, but we recommend a separate account in order to segment user accounts from service accounts.
  5. Navigate to your Google Workspace admin console. From the console, navigate to ‘Security’ and click on ‘API Controls’. Go to ‘Domain wide Delegation’. Or, click here.
  6. Click on the “Add New” button.
  7. Set the ‘Client ID’ to 103428701341105119087. This is the client ID for TrustCloud’s application, which you will be delegating access to.
  8. Under Scopes, add the following:
    https://www.googleapis.com/auth/admin.directory.user.readonly
      This scope ONLY allows TrustCloud to audit your Google Workspace user settings in order to determine adherence to specified controls. It only allows TrustCloud to access user metadata — information about your users and their settings. It does not provide TrustCloud the ability to read any Google Workspace data — we cannot access any emails, view your Google Chat messages, or read your Google Docs. (See this document for a full list of Google Workspace scopes.)
  9. Click on ‘Authorize’.
  10. Provide the email address of the service account created in step 1 when setting up your credentials in TrustCloud. No password or other credentials are required. The email address will be used as a key to identify your GCP account, as well as to delegate the above scopes to the TrustCloud application service account. Only the above-granted scopes will be granted access to the delegated account.

Instructions to add Google Workspace access to your GCP Delegated Account

In setting up Google Workspace to work alongside GCP, you will utilize the same delegation. You can use the same service account created for your Google Workspace, or you can create a new, separate service account. Once you have your service account:

  1. Navigate to your Google Workspace admin console. From the console, navigate to ‘Security’ and go to ‘API Controls’. Click on ‘Domain wide Delegation’. Or, click here.
  2. Find the account “TrustCloud” and click on ‘Edit’.
  3. Ensure the following scope is present. If it is not, add it:
    1. https://www.googleapis.com/auth/admin.directory.user.readonly
      This scope ONLY allows TrustCloud to audit your Google Workspace user settings in order to determine adherence to specified controls. It only allows TrustCloud to access user metadata — information about your users and their settings. It does not provide TrustCloud the ability to read any Google Workspace data — we cannot access any emails, view your Google Chat messages, or read your Google Docs. (See this document for a full list of Google Workspace scopes.)
  4. Click on ‘Authorize’.
  5. Provide the email address of the service account created in step 1 when setting up your credentials in TrustCloud. No password or other credentials are required. The email address will be used as a key to identify your GCP account and will be used to delegate the above scopes to the TrustCloud application service account. Only the above-granted scopes will be granted access to the delegated account.
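Both procedures above rest on the same rule: a delegated client can only use the scopes listed for its client ID in the Domain wide Delegation table. The following added example (not TrustCloud's or Google's code) models that rule offline and adds a least-privilege audit of the table; the client ID and scope are the ones from the steps above, and the delegation table and second client are constructed.

```python
"""Model of Google Workspace domain-wide delegation scope checks (added example)."""

# Values from the setup steps above; everything else in this file is constructed.
TRUSTCLOUD_CLIENT_ID = "103428701341105119087"
USER_READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"

# Constructed stand-in for the Security > API Controls > Domain wide Delegation
# table: client ID -> set of scopes an admin has authorized for that client.
DELEGATION_TABLE = {
    TRUSTCLOUD_CLIENT_ID: {USER_READONLY_SCOPE},
    # Constructed second client that was granted more than read-only metadata.
    "000000000000000000001": {
        "https://www.googleapis.com/auth/admin.directory.user",
        "https://www.googleapis.com/auth/gmail.readonly",
    },
}


def evaluate_request(table, client_id, requested_scopes):
    """Split a delegated token request into (granted, refused) scope sets.

    Mirrors the rule stated on this page: only scopes authorized for that
    client ID are usable when acting as the delegated account; any other
    requested scope is refused, and an unknown client ID gets nothing.
    """
    authorized = table.get(client_id, set())
    requested = set(requested_scopes)
    return requested & authorized, requested - authorized


def audit_table(table, expected):
    """Return findings where the table grants more than `expected` allows.

    `expected` maps client ID -> the exact scope set you meant to grant.
    An empty list means the table matches the least-privilege configuration.
    """
    findings = []
    for client_id, scopes in table.items():
        if client_id not in expected:
            findings.append(f"unexpected client {client_id}: {sorted(scopes)}")
            continue
        extra = scopes - expected[client_id]
        if extra:
            findings.append(f"client {client_id} has extra scopes: {sorted(extra)}")
        # Flag any scope that is not read-only, since only metadata reads are intended.
        for scope in sorted(scopes):
            if not scope.endswith(".readonly"):
                findings.append(f"client {client_id} has a non-read-only scope: {scope}")
    return findings


if __name__ == "__main__":
    for line in audit_table(DELEGATION_TABLE, {TRUSTCLOUD_CLIENT_ID: {USER_READONLY_SCOPE}}):
        print(line)
```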
