Skip to main content

Internal Knowledge - Google Workspace Admin-Managed Setup

Updated over a month ago

To connect your Google Workspace to ChatGPT using admin-managed setup, you'll first configure access in Google’s admin consoles:

  • Create a service account with read-only access to Google Drive, users, and groups.

  • Create an admin account that the service account will act on behalf of.

Then, complete the setup in the ChatGPT admin console:

  • Upload the service account’s private key (a JSON file from Google)

  • Specify the admin account (no credentials required).

  • Select which files to sync and choose the users who will have access to the connection.

This guide walks through each of these 6 steps.

Setting up a Service Account

  1. Navigate to console.cloud.google.com and click on the projects drop down:

  2. Choose New Project

  3. Input a Project Name

  4. Create the project

  5. Wait until the project has been created, then click on Select Project

  6. Click on APIs & Services

  7. Click on Library

  8. We’re now going to add three APIs, using the search box to find them

  9. Search for and choose Google Drive API

  10. Click Enable

  11. Click on Library

  12. Search for Google Drive Activity

  13. Choose Google Drive Activity API

  14. Click Enable

  15. Click on Library

  16. Search for Admin SDK API

  17. Choose Admin SDK API

  18. Click Enable

  19. Click on Credentials

  20. Click on Create Credentials

  21. Click on Service account

  22. Provide a name and description of your choice for this service account

  23. (Optional) You can assign a role - this is not required by ChatGPT.

  24. (Optional) You can grant access to the service account - this is not required by ChatGPT.

  25. Click Done.

  26. Click on the service account which has now been created.

  27. Click on keys.

  28. Click on Add Key

  29. Click on Create new key

  30. Keep the default JSON key type and click Create

    If you see an error message that says “Service account key creation is disabled” follow these steps to enable creation.

  31. Click Close. The key has now been downloaded to your computer. You will later upload this to the ChatGPT admin console.

  32. Click on details

  33. Note that the Unique ID. This will be needed in Step 42.

  34. Expand Advanced settings

  35. Scroll down and click on View Google Workspace Admin Console. The Google Workspace console will open in a new tab.

  36. Click Show more

  37. Expand the Security section

  38. Expand the Access and data controls section

  39. Click on the API controls section

  40. Click on Manage Domain Wide Delegation

  41. Click on Add new

  42. Use the Unique ID previously noted as the value for this Client ID

  43. For the OAuth scopes, refer to the following values that you need to copy and paste

Comma-delimited OAuth scopes

Explanation of scopes

https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user.alias.readonly, https://www.googleapis.com/auth/drive.activity.readonly, https://www.googleapis.com/auth/drive.metadata.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email

  • drive.readonly & drive.metadata.readonly — to sync file content and associated metadata (ex. last modified date)

  • admin.directory.group.readonly & admin.directory.group.member.readonly — to enforce group-based permissions

  • admin.directory.user.readonly, userinfo.profile, & userinfo.email — to determine the users for whom we’re syncing files

  • admin.directory.user.alias.readonly — to handle cases where the user is granted permission via an alias

  • drive.activity.readonly — to be notified when changes occur to files


44. Click Authorize

45. Success!

Setting up the Admin Account

  1. Expand Directory

  2. Click on Users

  3. Provide a first name, last name, and primary email address of your choosing

  4. Click Add new user

  5. (Optional) Record these credentials. ChatGPT does not need these credentials.

  6. Click Done.

  7. Click on the account you just created. If it does not appear in the list, refresh the page or clear your cache and cookies and try again.

  8. Click on assign roles.

  9. Toggle on the Groups Reader, User Management Admin, and Storage Admin roles.

  10. Scroll down and click Save. The admin account has now been successfully created and configured.

Completing setup on the ChatGPT Admin Console

  1. Navigate to ChatGPT and click on the profile icon on the upper right corner of the page.

  2. Click on Manage workspace

  3. Click on Connections

  4. Click on Connect

  5. Ensure Admin-managed is selected and click on Next

  6. Type in a display name. We recommend using the name of your Google Workspace.
    Please note that we currently do not support changing the name of your connection.

  7. Click Save Draft and Continue

  8. Click Upload key. Choose the JSON file, which is the key you downloaded as part of setting up the service account.

  9. Type in the admin email address. This is the admin account you created previously.

  10. Click Save.

  11. Choose whether you want the files in all of your users’ My Drives to be included.

  12. Click Next

  13. Choose how to manage shared drives. We support the following three scenarios:

    1. If you want to include all shared drives, then choose Include by default and do not add shared drive IDs to be excluded

    2. If you want to include most shared drives, then choose Include by default and add the IDs for the shared drives you want excluded

    3. If you want to exclude most shared drives, then choose Exclude by default and add the IDs for the shared drives you want included

  14. To look up the ID for a shared drive, navigate to it in a web browser. The last portion of the URL is the shared drive ID.

    In the following example, it is `0ADvY03uUbEcQUk9PVA`'

  15. Click Next

  16. Choose which users you want to have access to the Google Drive connection.

    You can either select users individually or enable it for everyone. If enabled for everyone then new users added to the workspace will automatically be included.

  17. Click Next

  18. Click Start syncing

  19. Your Google Drive connection has now been successfully created!

Please note that, while it will start syncing immediately, it can take hours to days to complete depending on how many files were included based on your settings.

Once files added/edited in the past 30 days have finished syncing, the connector will become available to the users you enabled it for.

Enabling service account key creation

If you receive the following error, you will need to enable service account creation for this specific project:

> The organization policy constraint ‘iam.disableServiceAccountKeyCreation’ is enforced on your organization.

  1. Open up a new tab and navigate to console.cloud.google.com. Make sure the selected project is the one you’ve already selected.
    Click on the menu icon in the upper left corner.

  2. Hover over IAM & Admin

  3. Click on Organizational Policies

  4. Search for iam.disableServiceAccountKeyCreation

  5. Click on the result for constraints/iam.disableServiceAccountKeyCreation

  6. Click on the … for the row with the ID of iam.disableServiceAccountKeyCreation

  7. Click on Edit policy. If Edit policy is disabled, you’ll need to become an Organization Policy Administrator.

  8. Click on Override parent’s policy

  9. Click on Add a rule

  10. Click on Set Policy

  11. You can now create a service account key. This enablement may take several minutes to take effect.

Becoming an Organization Policy Administrator

  1. Navigate to console.cloud.google.com and click on the project/organization selector

  2. Click on your organization

  3. Click on the menu icon in the upper-left corner

  4. Hover over IAM & Admin

  5. Click on IAM

  6. Click on the pencil for your account

  7. Click on Add Another Role

  8. Search for Organization Policy Administrator

  9. Click on Organization Policy Administrator

  10. Click Save

  11. Your account now has permission to enable service account key creation. This may take several minutes to take effect.

Related Articles
Connected apps on ChatGPT
OpenAI ChatGPT SCIM Integration - FAQ
Understanding Your Ideal User Management Setup
Internal Knowledge on ChatGPT - FAQ
Internal Knowledge - Self-Service Setup
Did this answer your question?