-
Notifications
You must be signed in to change notification settings - Fork 473
CreatingClientSecretsFile
To use GAM, you need to create your own client_secrets.json and oauth2service.json files. These give you your own personal quota of API requests.
This step requires a domain super-admin account or an account with delegated Security rights
-
In the domain's Admin Console, go to the
Security
section, then click onAPI reference
-
If API access is not already enabled:
- Click to check the box for
Enable API access
- Click the
Save
button
- Click to check the box for
-
Login to a Google account. The account does not need to be in your G Suite domain or have any special rights.
- Go to this link to start. This link will begin the project creation process, and specifies the APIs that must be included in the project.
- Verify that
Create a new project
is selected - Click the
Continue
button - Within a few seconds, your project will be created and the screen will display a confirmation message. On the confirmation screen, verify that all of the required APIs listed below are included. (Other APIs may also be enabled. You may ignore them.)
Required APIs:
-
Admin SDK
-
Apps Activity API
-
Contacts API
-
Enterprise License Manager API
-
Gmail API
-
Google Calendar API
-
Google Classroom API (Google for Education domains only)
-
Google Drive API
-
Google+ API
-
Groups Settings API
- Click on
Go to credentials
.
- Click on
- By default, the new project will be named
My Project
or something similar. The project should be renamed so that you will know that it is a GAM project. - Near the top right of the screen, click on the project selection menu (The menu may be labeled
Go to project
or may be the name of a specific project).
- A list of all active projects will be displayed. Find the line for the project just created. At the far right of that line, click on the pencil icon to re-name the project.
- choose a name that is meaningful to you and identifies the project as a GAM project.
- Create client_secrets.json
- Make sure you're at the API Manager
- in the left side menu, click on
Credentials
- in the top menu, click on
OAuth consent screen
- enter a Product name. It can be the same project name that you used previously
- Make sure you're at the API Manager
- at the bottom of the screen, click
Save
- On the next screen, in the center of the screen, click on
Create credentials
and chooseOAuth client ID
- on the next screen, change the
Application type
toOther
, enter a name, and clickCreate
.
- click the
Save
button.- in the pop-up confirmation window, click
OK
. You do not need to record the client ID or client secret - on the next screen, you will see a section labeled
OAuth 2.0 client IDs
. The client you just created will be listed. TheType
column will sayOther
. - at the far right of the line, click the download button.
- save the file to the same folder as GAM.exe or GAM.py and rename the file to
client_secrets.json
.
- in the pop-up confirmation window, click
- create oauth2service.json
- near the top left of the screen, click on the
Create credentials
button and selectService account key
- under the label
Service account
, click the menu and selectNew service account
. - enter a name for the service account. It can be the same name as the project.
- select the
JSON
key type - click the
Create
button
- when it says your service account has no role, just click "Create without a role".
- a file download will start automatically. Save the file to the same folder as GAM.exe or GAM.py and rename the file to
oauth2service.json
. Note the message that says this is your only chance to save this key. You will not ever get another opportunity to download it, and if you lose the file, you'll need to generate a new key. The "Download JSON" button this page does not download the same type of file.
- in the pop-up dialog, click
Close
- near the top left of the screen, click on the
- There are now two sections in the screen -
OAuth 2.0 client IDs
andService account keys
. At the far right of theService account keys
section, click onManage service accounts
.
- on the next screen, find the line with the name of the service account you just created. At the far right of that line, click on the 3-dots button and select
Edit
.
Click the 3-line menu in upper left corner, then "IAM & Admin", then "Service accounts".
- in the pop-up dialog, check the box to
Enable G Suite Domain-wide Delegation
and then clickSave
.
- in the top left corner of the screen, click on the card-stack menu button, then click on
API Manager
, then click onCredentials
.
- in the main part of the screen, the section labeled
OAuth 2.0 client IDs
now has two lines: one for the OAuth2 client (Other
) and one for theService account client
. The column to the far right lists the Client ID for each client. These Client IDs will be used in the next step.
- In this step, you will switch between the Developer's console and the domain's Admin console. To access the Admin console, you must use an account with domain super-admin account or an account with delegated Security rights. The Developer's console window must be logged in to the account in which the project was created. These can be the same account or different accounts.
- Authorize scopes for the service account
- in the
OAuth 2.0 Client IDs
section, click and drag to select the Service Account's client ID and copy it (Control/Command-C). The client ID is a long string of numbers and/or letters (but is not the same client ID as the OAuth client ID).
- in the
- in another browser window or tab, login to G Suite using a domain super-admin account
- go to the G Suite Admin Console
- click the
Security
icon
- in the Admin Console, go to the Security section, click on
Show more
, thenAdvanced settings
, thenManage API client access
- near the top of the screen, paste the Client ID into the field labeled
Client Name
- Select the entire list of Service Account API scopes below, copy it (Control/Command-C) and paste it into the field labeled
One or More API Scopes
on the Admin Console screen - click the
Authorize
button
- in the list of projects and scopes, the OAuth2 Client ID will appear in the left column and the list of API scopes will appear in the right column
- near the top of the screen, paste the Client ID into the field labeled
https://mail.google.com/,
https://sites.google.com/feeds,
https://www.google.com/m8/feeds,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/gmail.settings.basic,
https://www.googleapis.com/auth/gmail.settings.sharing,
https://www.googleapis.com/auth/plus.login,
https://www.googleapis.com/auth/plus.me,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/userinfo.profile,
- open a command line window and navigate to the file gam.exe or gam.py
- If you are running on a headless system (e.g. ssh'd to a server) then create a file called nobrowser.txt (e.g.
touch nobrowser.txt
) - run the command
gam oauth create
- the configuration options will be displayed. Most API scopes will be selected by default.
1. There is a limit to the number of API scopes that a project can have active. If you need the services provided by one of the unselected APIs you must disable one of the other APIs (type its number and press
Enter
) and then selecting the required API (type its number and pressEnter
). 1. Choose the last option in the list (Continue
): type its option number and pressEnter
.
- a browser window will open to display the confirmation screen.
- if the computer that you are running GAM on does not have a web browser, you can use a browser on another computer to complete this step. On the other computer, enter the goo.gl short URL that is displayed in the command line window
- if you are replacing existing client_secrets.json and oauth2service.json files, it may be necessary to remove or rename your existing oauth2.txt file for the goo.gl short URL to be displayed
- scroll to the bottom of the list of permissions and click
Allow
- the web page will report that the authentication flow has completed.
- in the command line window, the GAM command will complete, and you will see information about the G Suite domain
- if the computer that you are running GAM on does not have a web browser, you can use a browser on another computer to complete this step. On the other computer, enter the goo.gl short URL that is displayed in the command line window
If you access the web via a Proxy is may be necessary to set a Proxy in GAM, to do so:
set http_proxy=http://1.2.3.4:8080
set https_proxy=http://1.2.3.4:8080
Obviously you need to set your proxy to the correct IP address that you use. The above 1.2.3.4 and port 8080 is for example purposes. Credit for this to Craig Box
gam oauth request
GAM is now ready for use.
From time to time, Google changes one or more of the tools used in this process. Some of the steps may change, or what you see on the screen may differ from what is shown here. Please post a comment in the discussion forum if you find an outdated or incorrect instruction (or just fix it - anyone can edit the wiki).
If you are having trouble getting GAM to work, be sure to check these things.
You can de-authorize and re-authorize GAM's oauth status using the following commands:
De-Authorize
gam oauth revoke
Authorize
gam oauth create
Ensure all scopes "PASS". If scopes "FAIL", follow the instructions.
gam user \<user email\> check serviceaccount
It should be noted that the Authorized API clients are shared among all users of the domain, so deleting "unknown" clients may lock your co-worker out!
Need more help? Ask on the GAM Discussion Group
GAM Basics
GAM Tutorials
- Managing Users, Groups, Aliases, Domains, Mobile and Chrome Devices, and Resource Calendars
- Group Settings
- Data Transfers
- Print Users, Groups, Aliases, Mobile and Chrome OS devices, OUs, Licenses and Reports
- Managing Custom User Schemas
- User Email Settings
- User Security Settings
- Managing Classroom
- Managing Devices
- Chrome Policy Settings
- Chrome Browser Management
- Calendar Settings
- Unmanaged Users and Invitations
- Google Drive Management
- Inbound SSO Settings
- Managing Admins
- Domain Verification
- Printers
- Managing Product Licenses
- Context Aware Access levels
- Managing Organizations
- OAuth Authentication Related Commands
- Vault / Takeout Commands
- Bulk Operations
GAM Command Reference
Resources
- Questions? Visit the GAM Discussion Forum
- How to run GAM on Chromebooks / Chrome OS and Android devices.
- Setting up GAM on Google Cloud Platform (GCP)
- Running GAM on Google Compute Engine (GCE) VMs Securly
- Using GAM with a Delegated Admin Service Account (DASA)
- Use a YubiKey for Service Account Authentication
- Verify a GAM Install is Official and Legimate