
Allowing additional API scopes for sources

Introduction

For certain workflows to work within Secure & Govern, admins may need to enable additional privileges and API scopes for service accounts used to connect to Content Sources.

Google Drive / Google Workspace

The information in this article applies to organizations that use Secure & Govern and have added Google Drive as a content source.

Customers who added Google Drive as a source may see that an error is reported for Google Drive sources, and attempting to re-connect the source may continue to yield errors.

The error appears as a connection error in the Content Sources section of Secure & Govern.

Opening the source details will show a message that indicates credentials need to be updated.

Upon attempting to update credentials, an error is encountered.

The error occurs because of the additional scope required by the underlying Google Service account to enable Permission Browsing capabilities for Google Drive in Secure & Govern. The specific additional OAuth scope required is https://www.googleapis.com/auth/admin.directory.group.readonly and is used for reading group information from Google's directory.

If this is the case, following the steps below will ensure that you can reconnect Google Drive as a source with the required API scopes.

Doing this will not require content in Google that has already been classified to be classified again (i.e., classification progress will be resumed from where it halted).


Steps to reconnect Google Drive as a source

To proceed, you must ensure you have access to a super admin account in Google Workspace and enough privileges to view and manage Content Sources in Egnyte Secure & Govern.


If you don't recall the details of the service account used to connect Google Drive as a source, follow the steps below to set up another service account with added OAuth privileges:

  1. Follow steps 1-11 from the guide linked below.
    Add Google Drive as a source.

    Step 12 in the linked guide is not required, as you are simply going to reconnect the existing Google Drive source instead of adding a new source. Be sure to take note of the email from step 4 and the P12 private key that is downloaded during step 6.

  2. Log in to your Egnyte Secure & Govern Dashboard, select Settings, open the Content Sources tab and select your Google Drive source to open the source details view. Click on Remote Cloud Administrator to trigger re-authentication and enter the information below:
    - Service account email: Email from step 4 in the guide
    - Service account user: Email address of your Google Workspace super admin account
    - File with private key: Select the P12 private key that was downloaded during step 6 in the guide

  3. You should be able to successfully authenticate with the information provided. If you cannot connect to Google Drive despite following the steps described, please reach out to Egnyte support at support@egnyte.com.


If you recall the details of the service account used to connect Google Drive as the source, follow the steps below to increase OAuth scopes for the existing service account:

  1. Navigate to IAM & Admin > Service Accounts. Click the email address of the service account you originally created and take note of the Email and Unique ID - you will need to enter this when you re-authenticate with Google Drive.


  2. If you have the original P12 Key created for this service account, you can skip this step. Otherwise, choose EDIT at the top of the Service account details screen if you're not already in edit mode. Click ADD KEY > Create a new key. Choose the option to create a P12 key. A key will be downloaded to your machine that will be used in a later step.

  3. Sign in to the G Suite admin console as a super admin, navigate to Security > API Controls, choose the option to MANAGE DOMAIN WIDE DELEGATION, and select the option to Add new.


  4. Add an entry with the client ID set to the Unique ID of the service account from step 1, set OAuth Scopes to the following value, and click AUTHORIZE (you may also edit the existing entry you already created and replace the OAuth Scopes with the list below):
    https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly

    After this, you should see the client in the list of API Clients.


  5. Log in to your Egnyte Secure & Govern Dashboard, select Settings, open the Content Sources tab and select your Google Drive source to open the source details view. Click on Remote Cloud Administrator to trigger re-authentication and enter the information below:
    - Service account email: Email from step 1
    - Service account user: Email address of your Google Workspace super admin account
    - File with private key: Select the P12 private key (either the original one created or the new one created in step 2).


  6. You should be able to successfully authenticate with the information provided. If you cannot connect to Google Drive despite following the steps described, please reach out to Egnyte support at support@egnyte.com.
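
Before re-authenticating, the scope string in the domain-wide delegation entry from step 4 can be checked against the list in this article. The script below is an added example, not Egnyte's or Google's code: it reports scopes that are missing, scopes granted beyond the list, and extra scopes that are not read-only by name. The function names and the sample entries are constructed for illustration.

```python
"""Audit the OAuth scopes of a Google Workspace domain-wide delegation entry."""
from __future__ import annotations

# The four scopes this article lists for the service account (step 4).
ARTICLE_ENTRY = (
    "https://www.googleapis.com/auth/drive.readonly,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.group.readonly,"
    "https://www.googleapis.com/auth/admin.directory.domain.readonly"
)


def parse_scopes(raw: str) -> set[str]:
    """Split a comma-separated scope string as copied from the Admin console."""
    # Tolerate line breaks, stray whitespace, trailing commas and duplicates.
    return {s.strip() for s in raw.replace("\n", ",").split(",") if s.strip()}


REQUIRED_SCOPES = frozenset(parse_scopes(ARTICLE_ENTRY))


def audit_delegation(raw: str) -> dict[str, list[str]]:
    """Compare a delegation entry with the scope list from this article."""
    granted = parse_scopes(raw)
    extra = sorted(granted - REQUIRED_SCOPES)
    return {
        # Scopes the article requires but the entry lacks.
        "missing": sorted(REQUIRED_SCOPES - granted),
        # Scopes granted beyond the article's list (least-privilege review).
        "extra": extra,
        # Heuristic: extra scopes whose name does not end in ".readonly".
        "not_read_only": [s for s in extra if not s.endswith(".readonly")],
    }


# Constructed sample: an entry created without the group scope.
LEGACY_ENTRY = (
    "https://www.googleapis.com/auth/drive.readonly, "
    "https://www.googleapis.com/auth/admin.directory.user.readonly,\n"
    "https://www.googleapis.com/auth/admin.directory.domain.readonly,"
)
# Constructed sample: the article's list plus full Drive access.
BROAD_ENTRY = ARTICLE_ENTRY + ",\n https://www.googleapis.com/auth/drive"

if __name__ == "__main__":
    for name, entry in [("legacy", LEGACY_ENTRY), ("article", ARTICLE_ENTRY),
                        ("broad", BROAD_ENTRY)]:
        print(name, audit_delegation(entry))
```

An entry is ready for step 5 when all three lists are empty; anything under "extra" is access the delegation does not need for the workflow described here.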
