Google Workspace (G Suite) Admin Configuration for Migration

Grant Domain-Wide Delegation in Google Admin Console

This step authorizes the Service Account to access Google Workspace data at the domain level.

• Open the Google Admin Console and log in using your Super Administrator account.
• Navigate to ‘Security’ > ‘Access and data control’ > ‘API Controls’.

  

• Click on ‘Manage Domain Wide Delegation’.

  

• Click on ‘Add New’ and paste the Client ID copied from Google Cloud.

  

• In the OAuth Scopes field, enter the following scopes
  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/gmail.readonly
  • https://www.googleapis.com/auth/calendar.readonly
  • https://www.googleapis.com/auth/tasks.readonly
  • https://www.googleapis.com/auth/contacts.readonly

  

• Click ‘Authorize’, then ‘Save’.

  The Service Account is now approved to access Google Workspace data based on the defined permissions.

Download the JSON Key

• Go back to Google Cloud Console.
• Navigate to ‘IAM & Admin’ → ‘Service Accounts’ and click your service account.

  

• Click on ‘Manage Domain Wide Delegation’.

  

• Go to the ‘Keys’ tab and click ‘Add Key’ > ‘Create New Key’.

  

• Select ‘JSON’ and click ‘Create’.

  

• The JSON key file will download automatically.

    Note: This JSON file contains the private key required for secure authentication. It must be uploaded or configured in EdbMails to establish API connectivity.

Why JSON Key Creation Is Blocked?

If JSON key creation is restricted for any account (including administrators or owners), it is typically enforced by the following organization policies in Google Cloud:

• iam.managed.disableServiceAccountKeyCreation
• iam.disableServiceAccountKeyCreation

When these policies are enabled, no one can create service account JSON keys.

How to Allow JSON Key Creation?

To permit JSON key creation:

• The above mentioned policies must be explicitly disabled (set to inactive)
• The change must be made at the organization level

When these policies are enabled, no one can create service account JSON keys.

Required Permissions:

You need the Organization Policy Administrator role to:

• View organization policies
• Update or disable constraints
• Manage policy settings across the organization

Steps to assign the Organization Policy Administrator role:

• Login to the Google cloud console with the owner account, then navigate to IAM & Admin → IAM.
• Navigate to ‘IAM & Admin’ → ‘Service Accounts’ and click your service account.

  

• In the Assign Roles field, search for and select Organization Policy Administrator, then click Save to apply the changes.

  

• Select the project, then navigate to IAM & Admin → Organization Policies.
• Set the following policies to inactive:
  • iam.managed.disableServiceAccountKeyCreation
  • iam.disableServiceAccountKeyCreation

  

• Click on ‘Manage Policy’.

  

• Select the Override parent’s policy option, then click on Add a rule.

  

• Keep Enforcement set to Off, then click Done.

  

• Click on Set Policy.

  

• Follow the same steps to set iam.disableServiceAccountKeyCreation to inactive as well.
• Allow 5–10 minutes for the changes to take effect, then download the generated JSON key for use in the EdbMails application.