Overview

To authenticate with Google Service Account, you need:
  1. Service Account Email Address – The unique email assigned to your service account.
  2. Private Key – The private key generated when creating a service account key.
  3. Scopes – A space-separated list of Google API scopes that your application should have access to.
  4. Delegated Access Email Address (optional) – The user’s email address that the service account should impersonate when domain-wide delegation is enabled.
This guide will walk you through creating and obtaining your Service Account credentials in Google Cloud.

Prerequisites

Instructions

Step 1: Create a Service Account

  1. Go to the Service Accounts page.
  2. Select an existing project, or create a new one.
  1. Click + Create Service Account.
  1. Fill in all the required information, then click Create and continue.
  2. (Optional) Assign Permissions and Principals with access.
  3. Click Done.
  4. From your Service accounts list, you can obtain your Service Account Email Address in the Email column.

Step 2: Generate a Service Account Key

  1. From the Service accounts page, click the Email address of the service account you created.
  2. Navigate to the Keys tab.
  3. Click Add keyCreate new key.
  1. Select JSON format and click Create.
  2. A .json key file will be downloaded to your machine. Store it securely — this file contains your Private Key.
⚠️ Google does not keep a copy of the private key. If you lose it, you’ll need to generate a new one.

Step 3: Delegate Domain-Wide Authority (optional for Google Workspace)

If your application needs to act on behalf of users in your domain (e.g. read all users’ calendars), you must enable domain-wide delegation:
  1. From your Google Workspace Admin console, go to Main menu > Security > Access and data control > API Controls.
  2. Under Domain-wide delegation, click Manage Domain Wide Delegation.
  3. Click Add new.
  4. Enter the Client ID of your service account (from the Service Accounts page).
  5. In OAuth scopes, enter the list of scopes you want to grant, for example: if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  6. Click Authorize.
Your application now has the authority to make API calls on behalf of users in your Workspace domain (impersonating them). You can specify the user to impersonate explicitly in the Delegated Access Email Address field.

Step 4: Finding your application’s scopes

Ensure you enable the API library you want access to, then you can find a list of scopes at OAuth 2.0 Scopes for Google APIs. This should be a space-separated list.

Step 5: Enter credentials in the Connect UI

Once you have all the required credentials:
  1. Open the form to authenticate with Google Service Account.
  2. Enter your credentials in their respective fields.
  3. Submit the form, and you should be successfully authenticated.
You are now connected to Google Service Account.