Google Workspace Requirements
Before registering Google Workspace as a source and performing backup and Recover operations, ensure that the following prerequisites are met:
- Google Workspace administrator access to the Google Cloud Console and Google Workspace Admin console.
- Google Cloud service account with a generated JSON key file for source registration.
- Required Google APIs enabled, including Gmail API, Google Drive API, and Admin SDK API.
- Domain wide delegation enabled for the service account.
- OAuth scopes authorized for user and group discovery, backup operations, and Recover operations for Gmail and Google Drive.
Service Account and API Configuration
To enable Cloud Protection Service to access Google Workspace data, you must configure a service account in Google Cloud and grant it the required permissions.
Complete the following tasks in the Google Cloud Console:
-
Create a service account and generate a JSON key file.
This JSON file is required during Google Workspace source registration.
-
Enable the required Google APIs for Google Workspace protection:
- Gmail API
- Google Drive API
- Admin SDK API
Domain Wide Delegation
Grant domain wide delegation to the service account to allow access to user data across the Google Workspace domain. Google Workspace protection uses OAuth 2.0 authentication and requires delegated access to perform discovery, backup, and Recover operations.
OAuth Scopes
Authorize the following OAuth scopes for the service account based on the operations you want to perform.
Scopes Required for User and Group Refresh
These scopes are required to discover users and groups and to keep directory information up to date.
| OAuth Scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieve user information for discovery and refresh |
| https://www.googleapis.com/auth/admin.directory.group.readonly | Retrieve group information for discovery and refresh |
Scopes Required for Google Drive Backup
These scopes are required to back up Google Drive data.
| OAuth Scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/drive.readonly | Read Google Drive files and folders during backup |
| https://www.googleapis.com/auth/drive.scripts | Access Drive related scripts required for backup workflows |
Additional Scopes Required for Google Drive Recover
These scopes are required to Recover Google Drive data.
| OAuth Scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/drive | Recover files and folders to Google Drive |
| https://www.googleapis.com/auth/script.projects | Execute script based operations required during Recover |
Scopes Required for Gmail Backup
These scopes are required to back up Gmail data.
| OAuth Scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/gmail.readonly | Read Gmail messages and metadata during backup |
Additional Scopes Required for Gmail Recover
These scopes are required to Recover Gmail data.
| OAuth Scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/gmail.modify | Recover Gmail messages and apply mailbox changes |
After completing these prerequisites, you can register Google Workspace as a source in Cloud Protection Service and configure backup and Recover operations for supported Google Workspace workloads.
