Typically Runs From: Managed Cloud Agent
Is Auto-Discovered By: N/A
Can Auto-Discover: Google G Suite Child Inspectors (Google Partners)
Parent/Child Type Inspector: Yes
Data Summary: Here
The first portion of the Inspector setup process takes place in the Google Cloud Platform. The following steps will run through creating a new project for the Inspector, enabling the required APIs, creating a service account, and adding all required IAM roles.
To get started, log in to the Google Cloud Platform console using an account with super administrator privileges in the Google G Suite organization you're trying to inspect.
Under the project drop-down menu, to the left of the Google Cloud Platform logo, ensure that your Google G Suite organization/account is selected under Organization.
Select "New Project" and fill out the project details:
- Project Name: (Suggested) Liongard G Suite Inspector
- Organization: Your parent organization
- Location: Parent organization
In your left sidebar, select APIs & Services > Library. Search for the following APIs, select them, and then select Enable to activate them:
- Admin SDK
- Enterprise License Manager API
- Google Apps Reseller API
Next, in the left sidebar, select IAM & admin > Service accounts. Here, select + Create Service Account and fill out the Create Service Account details:
- Service account Name: (Suggested) Liongard G Suite Inspector User
- Service account ID: auto-filled
- Service account description: (Optional)
Once done, select Create.
On the Service account permissions (optional) page, grant the following IAM roles to your service account using the Select a role drop-down menu:
- Service Account User
- Service Account Token Creator
Once done, select Continue.
Skip the Grant users access to this service account (optional) section. In the Create key (optional) section, select + Create Key. Under Key type, ensure that JSON is selected, and select Create. This will download a file.
Keep this file handy, as the Inspector will need it to authenticate with Google's APIs. The file contains the service account's private key, so store it as you would any other credential.
Lost Key File
If you lost your Key file, in the left sidebar navigate to Service Accounts. To the right of the Service account created for the Liongard G Suite Inspector, select the three-dot Actions menu, and select Create key. Again, ensure that JSON is selected, and select Create.
Once done, select the three-dot Actions menu > Edit.
Copy your Unique ID, as the Inspector will need it to authenticate with Google's APIs.
Also here, select the Show Domain-Wide Delegation drop-down, and select the checkbox to Enable G Suite Domain-wide Delegation.
You will be prompted to configure an OAuth consent screen. Fill in the details for the consent screen:
- Product name for the consent screen: (Suggested) Liongard G Suite Inspector
- Email address: (Auto-populated) If you would like to change this, select Configure Consent Screen > select Internal > select Create. Edit these fields as needed, and select Save.
Your service account has now been assigned a client.
Once you've completed the steps above, navigate to the G Suite Admin console and log into your G Suite account as a domain administrator.
Navigate to Security from the list of visible controls.
Here, select Advanced settings > Manage API client access.
Fill out the Manage API client access fields:
- Client Name: Enter the Unique ID copied from the Google Cloud Platform portion of the setup process
- One or More API Scopes: Copy and paste the comma-delimited list of API scopes below
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.orgunit.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user.alias.readonly, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, https://www.googleapis.com/auth/admin.directory.userschema.readonly, https://www.googleapis.com/auth/admin.directory.customer.readonly, https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.device.mobile.readonly, https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly, https://www.googleapis.com/auth/apps.order.readonly, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/calendar.events.readonly, https://www.googleapis.com/auth/calendar.settings.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/drive.activity.readonly, https://www.googleapis.com/auth/apps.licensing
Select Authorize to grant the listed API scopes on your Google G Suite account to the application you created.
Since G Suite is a multi-tenant system where a single portal is used to manage many Environments, you will set up a single "Parent" Inspector that will then auto-discover "Child" Inspectors for each Environment.
In Roar, navigate to Admin > Inspectors > Navigate to the Google G Suite Inspector > Add System.
Fill in the following information:
- Environment: Select the Environment this System should be associated to
- Friendly Name: Suggested "[Environment Name] G Suite"
- Agent: Select Cloud-Linux
- G Suite Admin Email: Email address of a Domain Administrator on the Google G Suite account to be inspected (the account the service account will act on behalf of through domain-wide delegation)
- Private Key: The entire contents of the Service Account Secret Key file you created during the Google Cloud Platform (GCP) portion of the setup process
- Enable Google G Suite Reseller API: If you're enrolled as a Google G Suite Authorized Reseller, select this option to enable auto-discovery
- Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
- Inspector Version: Latest
Select Save. The Inspector will now be triggered to run within the minute.
After the first run of the Parent Inspector, your client G Suite organizations will be Auto-Discovered in the Discovered Systems tab on the Inspectors > G Suite page.
Navigate to the Discovered Systems tab in your Inspectors > G Suite page.
Activate or Archive your Discovered Systems: ensure that each is mapped to the correct Environment, check the checkbox to the left of the Inspector(s), then select the Actions drop-down menu > Activate Launchpoints.
This section documents some common errors you may run into and how to resolve them.
- Error Message: "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
- Potential Cause/Resolution: This error generally indicates that your client (application) isn't sufficiently authorized to perform some action in Google Cloud Platform.
Check the following:
- Check that "Domain-wide delegation" is enabled for your service account in the Google Cloud Platform console. This is included under Step #9 in the GCP portion of the setup process. For more information, reference this article from Google Cloud Platform's developer documentation.
- Check that the scopes included in this document are properly entered in the G Suite Admin Console and that those scopes are associated with the Client ID of the service account you created. This is included under Step #4 in the G Suite portion of the setup process.
- Ensure that the "Service Account Token Creator" and "Service Account User" IAM roles are assigned to your service account.
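The delegation setup (Unique ID pasted as the Client Name, the comma-delimited scope list, the admin email the service account acts for) and the troubleshooting checks above can be replayed offline against the downloaded key file. The following is an added example, not Liongard's or Google's code; the key file contents, the admin email and the Admin console entries are constructed, and only a subset of the page's scope list is included.

```python
import json
import time

# Subset of the read-only scopes from the Manage API client access step (extend with the full list).
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/apps.licensing",
)

# Constructed sample of the JSON key file downloaded in the GCP steps (placeholder values).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "inspector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",  # the "Unique ID" pasted as Client Name
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def load_key_file(raw_json):
    """Parse the key file and refuse anything that is not a complete service-account key."""
    key = json.loads(raw_json)
    missing = [f for f in ("type", "client_email", "client_id", "private_key", "token_uri") if not key.get(f)]
    if missing or key["type"] != "service_account":
        raise ValueError(f"not a usable service-account key: missing {missing}")
    return key

def check_delegation(key, admin_console_clients):
    """Replay the troubleshooting checks. admin_console_clients maps Client Name (Unique ID) to the
    comma-delimited scope string entered in the Admin console. Returns problems (empty list == OK)."""
    granted_raw = admin_console_clients.get(key["client_id"])
    if granted_raw is None:
        return [f"no API client access entry for client ID {key['client_id']}"]
    granted = {s.strip() for s in granted_raw.split(",") if s.strip()}
    problems = [f"missing scope: {s}" for s in REQUIRED_SCOPES if s not in granted]
    # Least privilege: anything beyond the Inspector's list should be questioned, not silently kept.
    problems += [f"scope not needed by the Inspector: {s}" for s in sorted(granted - set(REQUIRED_SCOPES))]
    return problems

def delegation_claims(key, admin_email, now=None):
    """Claim set of the JWT a delegated client signs with the key: iss is the service account,
    sub is the impersonated admin, and scope is space-delimited here (comma-delimited in the console)."""
    now = int(time.time()) if now is None else now
    return {"iss": key["client_email"], "sub": admin_email, "scope": " ".join(REQUIRED_SCOPES),
            "aud": key["token_uri"], "iat": now, "exp": now + 3600}
```

Signing the claim set with the private key (RS256) and exchanging it at the token URI is what a Google client library does for you; the checks here run before any network call.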
- Does the G Suite Parent Inspector return data?
Yes, the G Suite Parent Inspector does return data.
Last Updated: 2020-05-07