Service Account Configuration for Remote Password Resets of Google Workspace Accounts

Password Manager Pro supports remote password resets for Google Workspace accounts within your domain using a service account. To enable this functionality, you need to set up a service account within a project in your Google Workspace domain and configure it to perform password resets. When a password reset operation is triggered for a Google Workspace user account in Password Manager Pro, the service account performs the password reset for the selected accounts. Therefore, before configuring the remote password reset operation for a Google Workspace account in Password Manager Pro, you must set up and configure a service account on the Google Cloud Platform (GCP) Console.

This document details the necessary steps to be followed on the GCP console for the successful execution of remote password reset operations for Google Workspace user accounts in your domain.

  1. Service Account Configuration
  2. Managing Domain-Wide Delegation for Service Account
  3. Enabling Admin SDK API

1. Service Account Configuration

This process involves creating a new project if required, setting up a service account within the project, assigning the necessary roles and permissions for the service account to access the project, and generating a service account key file. Follow these steps meticulously to ensure proper implementation of the intended functionality.

  1. Go to the Google Cloud Console and log in as a Google Workspace administrator.
  2. Select or create a project
    1. On the Google Cloud Console home page, click the project dropdown in the navigation bar.
    2. In the Select a resource window, choose the desired project where you want to create the service account.
    3. If you do not have an existing project, click the New Project option in the top-right corner of the window to create a new project.
  3. Create a service account
    1. Click the menu icon to open the Navigation menu.
    2. Navigate to IAM & Admin >> Service Accounts and click the + Create Service Account option.
    3. On the Create service account page, enter a name and description for the service account. The service account ID and email address will be auto-generated based on the provided service account name.
    4. Click Create and Continue to proceed to the next step.
    5. To grant this service account access to the project, click the Select a role drop-down menu, select Basic >> Editor, and click Continue.
    6. Once the policy is updated, click Done to complete the service account creation procedure.
  4. Generate the service account key file
    1. On the Service accounts page, click the newly created service account and switch to the Keys tab.
    2. In the Keys tab, click Add Key >> Create new key.
    3. In the Create private key window, select the key type as JSON and click Create to download the service account key file to your machine.

You have successfully created and configured a service account in your Google Workspace domain and downloaded the service account key file from the Google Cloud Console. This service account key file should be imported into Password Manager Pro as a resource of resource type Filestore while configuring remote password reset for the Google Workspace accounts.

2. Managing Domain-Wide Delegation for Service Account

To access or modify user data within your Google Workspace domain, you need to grant the necessary scopes and privileges to the service account. This involves delegating domain-wide authority to the service account so that it can execute password reset operations successfully. Follow the steps below to delegate domain-wide authority to the service account:

  1. Go to the Google Workspace Admin Console and log in as a Google Workspace administrator.
  2. Click the menu icon on the top-left corner of the screen to open the Main menu.
  3. From the main menu, navigate to Security >> Access and data control >> API controls.
  4. On the API controls page, click the MANAGE DOMAIN-WIDE DELEGATION option under the settings pane.
    1. Click Add new to add a new client.
    2. In the Add a new client ID window, enter the client ID of the created service account and the OAuth scopes in the respective fields. Enter the OAuth scope as https://www.googleapis.com/auth/admin.directory.user
    3. Click Authorise.

You have successfully delegated domain-wide authority to the service account, allowing it to access and modify user data within your Google Workspace domain.
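
A pre-import check for the key file downloaded in section 1 and the client entry added in section 2, written as an added example that is not part of Password Manager Pro or Google's tooling. It confirms the download is a service account key, flags file permissions wider than the owner (the key is a long-lived credential), and returns the client ID and scope to enter in the Add a new client ID window. The function names and sample key values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# OAuth scope the page has you authorise for domain-wide delegation.
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
REQUIRED = ("private_key", "client_email", "client_id", "token_uri")


def check_key_file(path):
    """Return (delegation_entry, problems) for a downloaded JSON key file."""
    problems = []
    # The key is a long-lived credential: only the file owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:o} grants access beyond the owner")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return None, problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return None, problems + ["not a service account key (check 'type')"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if "PRIVATE KEY-----" not in str(key.get("private_key")):
        problems.append("private_key is not PEM-encoded")
    if not str(key.get("client_id")).isdigit():
        problems.append("client_id is not numeric")
    # Values for the "Add a new client ID" window in the Admin Console.
    entry = {"client_id": key.get("client_id"),
             "oauth_scopes": DIRECTORY_USER_SCOPE}
    return entry, problems


def write_sample_key(mode=0o600, **overrides):
    """Write a constructed key file (placeholder values, no real key)."""
    key = {"type": "service_account", "client_id": "100000000000000000001",
           "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n",
           "client_email": "pmp-reset@example-project.iam.gserviceaccount.com",
           "token_uri": "https://oauth2.googleapis.com/token"}
    key.update(overrides)
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path
```

Run `check_key_file` on the real download before importing it as a Filestore resource; an empty problem list means the file is structurally sound and readable only by its owner.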

3. Enabling Admin SDK API

Password Manager Pro uses a set of APIs provided by Google to perform remote password resets for selected Google Workspace accounts. When a user initiates a password reset from the Password Manager Pro interface, the application makes an API call to trigger the operation. This functionality requires the Admin SDK API to be enabled on the Google Cloud Console. Follow the steps below to enable the Admin SDK API for the selected project:

  1. Go to the Google Cloud Console and ensure you are logged in as the Google Workspace administrator.
  2. Click the menu icon to open the Navigation Menu.
  3. From the Navigation menu, go to APIs and Services >> Library.
  4. In the API Library page, select the desired project and use the search function to find the Admin SDK API.
  5. On the Admin SDK API page, click the Enable button to enable the Admin SDK API.

You have successfully enabled the Admin SDK API for your Google Workspace account.

Note: Password Manager Pro will no longer support the Verify Password option for the Google Workspace resources.



