To authorise the synchronisation with Google Workspace, you will need a Google account with the following Admin API Privileges:
Users - Read
Groups - Read
Organisational Units - Read
The Super Admin role includes all of the above as do a combination of the User Management and Groups Admin roles. Alternatively you could create an Admin Role specifically for the sync covering the privileges specified and assign that to the authorising user.
Please note that the above also applies with Service Account authentication as you will have to provide a Delegated User Email. This is the email address of the user that the Service Account will impersonate when accessing the Google Directory API and will not work without sufficient privileges/roles assigned.