Overview
A Google Workspace integration with Grip allows Grip to pull in email, sign-in, and additional data from a Google Workspace tenant. Once integrated, Grip will kick off a discovery process to ingest this data, providing insight into SaaS usage in your organization.
This guide describes, step-by-step, how to set up the integration.
This article also covers the required permissions and flow in order to integrate Google Workspace with Grip's SSPM module.
Prerequisites
Administrator account for the Google Workspace tenant undergoing integration.
Setup Process
Step 1 – Create a project
Go to Google Cloud Console.
On the top bar click the project selector.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
In the dialog box that pops up, click New Project.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
complete the form as follows:
Project name: Grip Security Project
Organization: <An organization of your choice>
Location: <Location of your choice>
Note: You can leave the Organization and Location fields with their default values
Click Create.
Click the project selector again, and select the newly created Grip Security Project.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
After creating the project, go to the Dashboard view, and make sure that the newly created Grip Security Project is selected. Write down the Project ID value that appears in the top left widget.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Step 2 – Create a service account
Go to Service Accounts.
Ensure you are still on the Grip Security Project, using the project selector widget at the top of the screen.Click Create Service Account.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Complete the form as follows:
Service account name: Grip Security Service Account
Service account ID: <Leave the default value as is>
Service account description: <Enter your own description, if necessary>
Click CREATE AND CONTINUE, and then click DONE.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Copy the Service account email and the OAuth 2 Client ID, as you will need them at a later stage.
Click on the 3-dots icon under the Actions column of the new service account and click Manage keys.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Click ADD KEY, and in the dropdown menu, select Upload existing key.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Paste or upload the public key file provided by Grip and click UPLOAD.
Write down the Key ID of the newly created key.
Step 3 – Delegate permissions
Go to Google Workspace Admin’s Domain Wide Delegation Settings, and click Add New.
Complete the form as follows:
Client ID: Paste the OAuth2 Client ID you wrote down earlier
Overwrite existing client ID: Leave unchecked
OAuth scopes: Paste the following comma delimited list:
For Google Workspace Discovery
https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.group.readonlyFor both Google Workspace Discovery and SSPM
https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/cloud-identity.policies.readonlyClick Authorize.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Enable the Gmail API, Admin SDK API , and Service Usage API by clicking the ENABLE button in each.
Ensure the Grip Security Project is selected in the project selector at the top of the screen.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
For Google Workspace SSPM permissions, enable the “Groups Settings API” & "Cloud Identity."
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Note:
To use the Google API’s domain-wide delegation feature, Grip requires the email address of the administrator who provided those delegated permissions for the domain.
What’s next?
Securely send Grip the details you wrote down while setting up the integration:
Key ID
Project ID
Service account email
OAuth2 Client ID / Unique ID
Email address of the GW administrator account (Required for domain-wide delegated scopes in Google Workspace API)
Appendix for Google Workspace SSPM integration
Additionally, to complete the Google Workspace posture SSPM integration with Grip, you will need to get the Customer ID.
Get the Customer ID from admin.google.com, under “Account” >> “Account Settings”
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Connecting Grip portal
From the Grip portal, go to “Posture” >> “Add Tenant”>> “Google Workspace” >> “Add Tenant”
Populate the required fields:
Display name – Provide a friendly display name for the Tenant
Tenant ID - Grip customer ID
Project ID – Copied from the previous steps
Client Email - The Service account email
Client ID and Domain Admin – Are the Email address of the Google Workspace administrator account
Click on “Add Tenant”.
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
The Tenant will be added to the “Connected Tenants” list
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)
Once the integration is connected, you will be able to see and filter your policy statuses, assess your security posture, and begin fixing it.
Note.
The policies will be synced and updated on a daily basis.
However, when first connecting the integration, we recommend clicking the “Sync Policies Status” button to perform an immediate sync (a few minutes).
.png?sv=2022-11-02&spr=https&st=2025-06-10T03%3A58%3A42Z&se=2025-06-10T04%3A10%3A42Z&sr=c&sp=r&sig=8g%2B3AXciouJhRCXpb78alzamOecPCJxg0Vg3ERsQfYA%3D)