Service Account authentication offers better service continuity for the Google Workspace Sync. You will need a Google Cloud project with a service account in order to use this method.
Creating a Google Cloud Project
You will need a Google Cloud project to create a service account. You can skip this part if you already have a project you can use.
Open Manage Resources page in the Google Cloud Console
Click Create Project
Enter a Project name and then click Create
The project will take a few moment to provision, the console will notify you once it's ready. It should appear under Manage Resources if you refresh the page. Failing clicking Google Cloud at the top of page will take to your welcome page. A dropdown should appear where you can select your new project.
You will need to enable the Admin SDK API on this project to use it with the sync.
Go to APIs and Services > Enable APIs and Services and then click Enable APIs and Services at the top of the page.
Enter "Admin SDK" into the search field and select Admin SDK API from the results.
Click Enable to enable this API on the project.
Creating a Service Account
You will need to create a service account if you do not have one already.
Go to IAM and Admin > Service Accounts
Click Create Service Account at the top
Enter a Service Account Name and then click Create and Continue
Click Done to complete the process
Make a note of the service account's Unique ID, you'll need it later on.
A key is required to set up the sync's service account authentication. You can create one by:
Select the service account you wish to use
Click on the Keys tab
Click Add Key and select Create new key
Select JSON and click Create
This will save a JSON to your computer containing your service account. You will need this later on.
Setting Up Domain-wide Delegation
The service account will need domain-wide delegation of authority for the scopes covered by the sync so it can use the service account to access the Google Directory API.
Open the Google Admin Console
Go to Security > Access and Data Control > API Controls
Scroll to the Domain-wide delegation section and click Manage Domain-wide delegation
Click Add new next to API Clients
Enter the Client ID for your service account - This is the service account's Unique ID, you will need to get it from the Google Cloud Console
Add the scopes listed below under OAuth Scopes and click Authorise
oAuth Scopes Required
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
Using your Service Account for Sync Authentication
You now have everything you need to set up service authentication for the Google Workspace Sync. Head to the Google Workspace settings page in the app to get started.
Click Sign with Google to open your authentication options
Select Service Account and click Continue
Enter a Delegated User Email - This should be the email of a user with roles/privileges necessary to run the sync. You can find out more about the admin rights required here.
You will also need to provide the JSON key you created on your service earlier. Click on Click to upload credentials to upload the file.
Click Continue to save your authentication settings.
You will then be offered the option to further configure your sync.
Please note that your authentication settings are not verified as part of this process. There is a chance the credentials you've provided may fail. Please complete configuration to run a test sync to confirm that authentication is working as expected. Please contact our support team if you have any issues.