Service Account Configuration for Remote Password Resets of Google Workspace Accounts

PAM360 supports remote password resets of Google Workspace accounts within your Google Workspace domain using a service account. To enable this, you should set up a service account within a project in your Google Workspace domain and configure it to execute password resets. When a password reset operation for a Google Workspace user account is triggered in PAM360, the service account resets the password of the selected Google Workspace account. Therefore, before configuring the remote password reset operation for a Google Workspace account in PAM360, you must set up and configure a service account on the Google Cloud Platform (GCP) Console.

This document details the necessary steps to be followed on the GCP console for the successful execution of remote password reset operations for Google Workspace user accounts in your domain.

  1. Service Account Configuration
  2. Managing Domain-Wide Delegation for Service Account
  3. Enabling Admin SDK API

1. Service Account Configuration

This process involves creating a new project (if required), setting up a service account within the project, assigning the necessary roles and permissions for the service account to access the project, and generating a service account key file. Follow these steps meticulously to ensure proper implementation of the intended functionality.

  1. Go to the Google Cloud Console and log in as Google Workspace administrator.
  2. Select/create a project
    1. On the Google Cloud Console home page, click the project dropdown in the navigation bar.
    2. In the Select a resource window, choose the desired project where you wish to create the service account.
    3. If you do not have an existing project, click the New Project option in the top-right corner of the window to create a new project.
  3. Create a service account
    1. Click the hamburger icon to open the Navigation menu.
    2. Navigate to IAM & Admin >> Service Accounts and click the + CREATE SERVICE ACCOUNT option.
    3. On the Create service account page, enter a name and description for the service account. The service account ID and email address will be auto-generated based on the provided service account name.
    4. Click Create and Continue to proceed to the next step.
    5. To grant this service account access to the project, click the Select a role drop-down menu, select Basic >> Editor, and click Continue.
    6. Once the policy is updated, click Done to complete the service account creation procedure.
  4. Generate the service account key file
    1. On the Service accounts page, click the newly created service account and switch to the Keys tab.
    2. In the Keys tab, click Add Key >> Create new key.
    3. In the Create private key window, select the key type as JSON and click Create to download the service account key file to your machine.

You have successfully created and configured a service account in your Google Workspace domain and downloaded the service account key file from the Google Cloud Console. This service account key file should be imported into PAM360 as a resource of resource type Filestore while configuring remote password reset for the Google Workspace accounts.

2. Managing Domain-Wide Delegation for Service Account

To access or modify user data within your Google Workspace domain, you need to grant the necessary scopes and privileges to the service account. This involves delegating domain-wide authority to the service account so that it can execute password reset operations successfully. Follow the steps detailed below to delegate domain-wide authority to the service account:

  1. Go to the Google Workspace Admin Console and log in as Google Workspace administrator.
  2. Click the hamburger icon on the top-left corner of the screen to open the Main menu.
  3. From the main menu, navigate to Security >> Access and data control >> API controls.
  4. On the API controls page, click the MANAGE DOMAIN-WIDE DELEGATION option under the settings pane.
    1. Click Add new to add a new client.
    2. In the Add a new client ID window, enter the client ID of the created service account and the OAuth scopes in the respective fields. Enter the OAuth scope as https://www.googleapis.com/auth/admin.directory.user.
    3. Click Authorize.

You have successfully delegated domain-wide authority to the service account, allowing it to access and modify user data within your Google Workspace domain.

3. Enabling Admin SDK API

PAM360 uses a set of APIs provided by Google to trigger the password reset operation for the selected Google Workspace accounts. When the user performs the operation on the PAM360 interface, PAM360 uses an API call to trigger the remote password reset operation. This is made possible by enabling the Admin SDK API in the Google Cloud Console. Follow these steps to enable the Admin SDK API for the selected project:

  1. Go to the Google Cloud Console and ensure you are logged in as the Google Workspace administrator.
  2. Click the hamburger icon to open the Navigation Menu.
  3. From the Navigation menu, go to APIs and Services >> Library.
  4. On the API Library page, select the desired project and use the search function to find the Admin SDK API.
  5. On the Admin SDK API page, click the Enable button to enable the Admin SDK API.

You have successfully enabled the Admin SDK API for your Google Workspace account.

Note: PAM360 will no longer support the Verify Password option for the Google Workspace resources.
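As an added example (not PAM360's or Google's code) of how the three sections above fit together: the key file from section 1, the Client ID and OAuth scope from section 2, and the Admin SDK call that section 3 enables. The sample key, the administrator address and the user address are constructed placeholders, and RS256 signing plus the HTTPS exchange are left out so the script runs offline.

```python
"""Added example: preflight for the delegated password reset this page configures.
Validates the downloaded key file, shows which field is the Client ID entered under
Domain-wide Delegation, and builds the JWT-bearer claim set and Directory API request."""
import base64
import json
import time

DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
REQUIRED_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")

# Constructed sample, shaped like the JSON key downloaded in section 1, step 4.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "pam360-reset@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def load_key(text):
    """Parse the key file; reject anything that is not a complete service-account key."""
    key = json.loads(text)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"not a usable service account key; missing fields: {missing}")
    return key

def delegation_client_id(key):
    """The numeric Client ID to paste into Admin Console > API controls > Domain-wide Delegation."""
    return key["client_id"]

def jwt_claims(key, admin_email, now=None):
    """iss is the service account, sub the Workspace admin it impersonates, scope the one authorized in section 2."""
    iat = int(time.time() if now is None else now)
    return {"iss": key["client_email"], "sub": admin_email, "scope": DIRECTORY_USER_SCOPE,
            "aud": key["token_uri"], "iat": iat, "exp": iat + 3600}  # 1 hour is Google's maximum

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unsigned_assertion(claims):
    """header.payload of the JWT; sign with the key's private_key (RS256) before posting to token_uri."""
    return _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(claims)

def reset_request(user_email, new_password):
    """Directory API users.update call that sets the new password, sent with the resulting access token."""
    return {"method": "PUT",
            "url": f"https://admin.googleapis.com/admin/directory/v1/users/{user_email}",
            "body": {"password": new_password}}
```

If load_key raises, the file is not the JSON key generated in section 1; if the Client ID it returns does not match the one authorized in section 2, the token request will be refused.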
