# Google Drive Integration Setup Guide

### Getting Started

#### Requirements:

| Field                      | What it is                                                                                                                                                                                                        |
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Domain                     | Your Google Workspace primary domain (e.g. `customer.com`)                                                                                                                                                        |
| Delegate Email             | A Google Workspace user whose identity the service account impersonates when reading data. The user should have the necessary permissions required for the integration (recommended: dedicated Super Admin user). |
| Service Account Key (JSON) | The full service-account JSON file generated in your GCP project                                                                                                                                                  |

### Google Cloud Setup

The service account does NOT need any IAM role in your GCP project. It is used solely for the impersonation flow. The GCP project only hosts the service account and bills the API quota.

#### Log in to Google Cloud Console

Go to the Google Cloud Console and either:

* Select an existing project
* OR create a new dedicated project (recommended)

Example project name:

`balkanid-googledrive-extractor`

***

#### Enable Required APIs

Go to: **APIs & Services > Library**

Enable the following APIs:

* Google Drive API
* Admin SDK API

***

#### Creating a service account

1. Go to *IAM & Admin* → *Service Accounts*.
2. Click the **Create service account** button at the top to proceed.

   <figure><img src="/files/t7VW12AflwxLtXcSEK67" alt="" width="375"><figcaption></figcaption></figure>
3. Click on the service account you just created and select the **KEYS** tab at the top.

   <figure><img src="/files/5kOtxo0iEa8JwrglOj8k" alt=""><figcaption></figcaption></figure>
4. Click **ADD KEY → Create new key**.

   <figure><img src="/files/tNcqqVoK7TZJrlWHpOF0" alt="" width="375"><figcaption></figcaption></figure>
5. Select **JSON** and click the **CREATE** button. The wizard will create a JSON file for download containing the necessary key for later use.

#### Configure the Delegate User

The service account will impersonate this user when reading Google Workspace data.

#### Option A: Super Admin (Recommended)

Go to: **Admin Console > Directory > Users > \[delegate user] > Admin roles and privileges**

Assign:

* Super Admin

This is the recommended setup because it provides implicit visibility across all Shared Drives.

#### Option B: Custom Admin Role (Least Privilege)

For security-conscious deployments, you may instead create a custom admin role with the following permissions:

#### Required Permissions

* Users > Read
* Groups > Read
* Group Members > Read
* Drive and Docs > Settings

> **Important:**\
> If using a custom role, the delegate user MUST be explicitly added to every Shared Drive that should be crawled.
>
> Shared Drives where the delegate user is not a member will be skipped by the Google Drive API.
>
> Using Super Admin avoids this limitation.

#### Add Domain Wide Delegation

1. To add domain-wide delegation scopes to the service account, first get the OAuth 2 client ID from the service account.
2. Go to *IAM & Admin* → *Service Accounts* and copy the OAuth 2 Client ID of the service account you just created.

   <figure><img src="/files/hJzMROLQd9r29wf8Pfn5" alt=""><figcaption></figcaption></figure>
3. Go to [*Security* -> *API Controls* -> *Domain-wide delegation*](https://admin.google.com/u/1/ac/owl/domainwidedelegation) of your [Google Workspace](https://admin.google.com/).
4. Find the domain-wide delegation section and click on **MANAGE**.

   <figure><img src="/files/uZdLdpo6syzyNo3BfsTn" alt="" width="563"><figcaption></figcaption></figure>
5. Enter the copied client ID and add the following OAuth scopes.

   ```
   https://www.googleapis.com/auth/admin.directory.user.readonly,
   https://www.googleapis.com/auth/admin.directory.group.readonly,
   https://www.googleapis.com/auth/admin.directory.group.member.readonly,
   https://www.googleapis.com/auth/drive.readonly
   ```


   <figure><img src="/files/3A95UwAv7ldaxUVt9QJK" alt="" width="375"><figcaption></figcaption></figure>
6. For more information, refer to <https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority>.
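
A pre-flight check for the values collected in the steps above, as an added example that is not BalkanID or Google code: it validates the downloaded key file, checks the delegate email against the domain, and compares the scopes entered in the Admin console with the four listed in step 5, so an over-broad grant such as full `drive` access is caught before the integration is saved. The function name `preflight`, the sample key, and the assumption that the delegate user belongs to the primary domain are illustrative.

```python
import json

# Read-only scopes this guide authorizes for the service account's client ID.
GUIDE_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
}

def preflight(key_json, delegate_email, domain, granted_scopes):
    """Return a list of findings; an empty list means the inputs agree with the guide."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError:
        return ["service account key is not valid JSON"]
    if not isinstance(key, dict):
        return ["service account key is not a JSON object"]
    findings = []
    if key.get("type") != "service_account":
        findings.append("key 'type' is not 'service_account'")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            findings.append(f"key is missing '{field}'")
    # Assumption: the delegate user lives in the primary domain entered in the form.
    if not delegate_email.lower().endswith("@" + domain.lower()):
        findings.append(f"delegate {delegate_email} is not in {domain}")
    # The Admin console takes a comma-delimited list; tolerate spaces and newlines.
    granted = {s.strip() for s in granted_scopes.split(",") if s.strip()}
    findings += [f"extra scope granted: {s}" for s in sorted(granted - GUIDE_SCOPES)]
    findings += [f"guide scope missing: {s}" for s in sorted(GUIDE_SCOPES - granted)]
    return findings

# Constructed sample inputs; not a real key, project or domain.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "000000000000000000000",
    "client_email": "extractor@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "token_uri": "https://oauth2.googleapis.com/token",
})
# Constructed grant: the guide's four scopes plus full read/write Drive access.
SAMPLE_GRANT = ",".join(sorted(GUIDE_SCOPES)) + ",https://www.googleapis.com/auth/drive"

if __name__ == "__main__":
    for f in preflight(SAMPLE_KEY, "svc-delegate@customer.com", "customer.com", SAMPLE_GRANT):
        print("FINDING:", f)
```
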

### Configure Google Drive on BalkanID Tenant

1. Log in to the BalkanID application and switch to the tenant you would like to add your integration to.
2. Head to *Integrations* > **Add Integration** and select Google Drive.

   <figure><img src="/files/3q2C00J9PMgDDtIEyGrx" alt=""><figcaption></figcaption></figure>

   <figure><img src="/files/sAfCnrlEegWI5mZTXTSQ" alt=""><figcaption></figcaption></figure>
3. Set up the *Primary Application owner (mandatory)* and the *Description*, if any. Set up Secondary Application Owner(s), if any.

   Select the Extraction Type. From here, you can configure your application using one of the following methods:

   1. **Direct integration** - Provide your Service Account Key (in JSON), Email of delegate, Domain and Project ID obtained above to set up a direct connection with BalkanID.
   2. **SCIM integration** - Provide SCIM server credentials to set up a SCIM connection with BalkanID.
   3. **Manual file upload** - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.
   4. **Automated upload using API** - You can upload data using our [Bulk APIs](https://developer.balkan.id/) with the help of an API key which will be provided to you. Please refer to the [entity](https://developer.balkan.id/bulk-entities-upload-api-early-access-12828095e0) and [entity relation](https://developer.balkan.id/bulk-entity-relations-upload-api-early-access-12828102e0) upload docs for specific instructions on uploading your data through the API. \
      \
      **Note:** Use the **KEY JSON** downloaded in the 3rd step to fill in the key. Add a user’s email **with access to domain-wide delegation** in the delegated field. Fill in the domain name and the project’s ID as well.

   <figure><img src="/files/DCgGhJy9FAZwjH2PFo4i" alt=""><figcaption></figcaption></figure>
4. Click **Next** to move on to *Optional Configuration*.
5. Fill in the **Optional configuration**, if required.

   <figure><img src="/files/n3fAOw97aIUGKB2l30BK" alt="" width="563"><figcaption></figcaption></figure>
6. Once you have filled in the information, click **Save**. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the *Integrations* page. When data is available, the integration Status will read **Connected** and the integration Message will read **Data available**.


