Overview
A Google Workspace integration with Grip allows Grip to pull in email, sign-in, and additional data from a Google Workspace tenant. Once integrated, Grip will kick off a discovery process to ingest this data, providing insight into SaaS usage in your organization.
This guide describes, step-by-step, how to set up the integration.
This article also covers the required permissions and flow in order to integrate Google Workspace with Grip's SSPM module.
Prerequisites
Administrator account for the Google Workspace tenant undergoing integration.
Setup Process
Step 1 – Create a project
Go to Google Cloud Console.
On the top bar click the project selector.
In the dialog box that pops up, click New Project.
Complete the form as follows:
Project name: Grip Security Project
Organization: <An organization of your choice>
Location: <Location of your choice>
Note: You can leave the Organization and Location fields with their default values
Click Create.
Click the project selector again, and select the newly created Grip Security Project.
After creating the project, go to the Dashboard view, and make sure that the newly created Grip Security Project is selected. Write down the Project ID value that appears in the top left widget.
Step 2 – Create a service account
Go to Service Accounts.
Ensure you are still on the Grip Security Project, using the project selector widget at the top of the screen.
Click Create Service Account.
Complete the form as follows:
Service account name: Grip Security Service Account
Service account ID: <Leave the default value as is>
Service account description: <Enter your own description, if necessary>
Click CREATE AND CONTINUE, and then click DONE.
Copy the Service account email and the OAuth 2 Client ID, as you will need them at a later stage.
Click on the 3-dots icon under the Actions column of the new service account and click Manage keys.
Click ADD KEY, and in the dropdown menu, select Upload existing key.
Paste or upload the public key file provided by Grip and click UPLOAD.
Write down the Key ID of the newly created key.

Step 3 – Delegate permissions
Go to Google Workspace Admin’s Domain Wide Delegation Settings, and click Add New.
Complete the form as follows:
Client ID: Paste the OAuth2 Client ID you wrote down earlier
Overwrite existing client ID: Leave unchecked
OAuth scopes: Paste the following comma-delimited list:
For Google Workspace Discovery:
https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly
For both Google Workspace Discovery and SSPM:
https://www.googleapis.com/auth/cloud-platform.read-only,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/cloud-identity.policies.readonly
Click Authorize.
Enable the Gmail API, Admin SDK API, and Service Usage API by clicking the ENABLE button in each.
Ensure the Grip Security Project is selected in the project selector at the top of the screen.
For Google Workspace SSPM permissions, enable the “Groups Settings API” and “Cloud Identity”.
Note:
To use the Google API’s domain-wide delegation feature, Grip requires the email address of the administrator who provided those delegated permissions for the domain.
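An added check, not part of Grip's guide or tooling, for reviewing the scope string before or after pasting it into Domain Wide Delegation in Step 3: it compares the string against the lists above, catches two scopes fused together by a lost comma, and lists scopes whose name is not marked read-only. The function names are hypothetical, and the read-only classification is by name suffix only.

```python
PREFIX = "https://www.googleapis.com/auth/"

# Scope lists copied from Step 3 of this guide (short names, prefix stripped).
DISCOVERY = {
    "cloud-platform.read-only", "gmail.readonly",
    "admin.directory.user.readonly", "admin.directory.user.security",
    "admin.reports.audit.readonly", "admin.directory.group.readonly",
}
SSPM_EXTRA = {
    "admin.directory.domain.readonly", "admin.directory.orgunit.readonly",
    "apps.groups.settings", "cloud-identity.policies.readonly",
}

def parse_scopes(pasted):
    """Split a comma-delimited scope string; reject malformed or fused entries."""
    names = set()
    for item in pasted.split(","):
        item = item.strip()
        if not item:
            continue
        # A lost comma yields one entry containing two scope URLs.
        if item.count(PREFIX) != 1 or not item.startswith(PREFIX):
            raise ValueError(f"malformed or fused scope entry: {item!r}")
        names.add(item[len(PREFIX):])
    return names

def review(pasted, sspm=False):
    """Diff the pasted scopes against the guide's list for the chosen integration."""
    expected = DISCOVERY | SSPM_EXTRA if sspm else DISCOVERY
    granted = parse_scopes(pasted)
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        # Name-suffix heuristic only: these deserve a manual look in Google's docs.
        "not_read_only_by_name": sorted(
            s for s in granted if not s.endswith((".readonly", ".read-only"))
        ),
    }

# Constructed input: the Discovery list with one scope dropped and one extra added.
SAMPLE = ",".join(
    PREFIX + s for s in sorted(DISCOVERY - {"gmail.readonly"}) + ["admin.directory.user"]
)

if __name__ == "__main__":
    print(review(SAMPLE))
```
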
What’s next?
Securely send Grip the details you wrote down while setting up the integration:
Key ID
Project ID
Service account email
OAuth2 Client ID / Unique ID
Email address of the GW administrator account (Required for domain-wide delegated scopes in Google Workspace API)
Appendix for Google Workspace SSPM integration
Additionally, to complete the Google Workspace posture SSPM integration with Grip, you will need to get the Customer ID.
Get the Customer ID from admin.google.com, under “Account” >> “Account Settings”
Connecting Grip portal
From the Grip portal, go to “Posture” >> “Add Tenant” >> “Google Workspace” >> “Add Tenant”.
Populate the required fields:
| Field Name | Description and Source |
|---|---|
| Display Name | Provide a friendly display name for the Tenant |
| Tenant ID (Customer ID) | Get the Customer ID from admin.google.com, under “Account” >> “Account Settings” >> “Customer ID” |
| Project ID | console.cloud.google.com » Project selector » Copy the ID of the Grip Project |
| Client Email & Client ID | console.cloud.google.com » IAM & Admin » Service Account » Choose the discovery service account |
| Domain Admin | The email address of the domain admin |
Click “Add Tenant”.
The Tenant will be added to the “Connected Tenants” list
Once the integration is connected, you will be able to see and filter your policy statuses, assess your security posture, and begin fixing it.
Note:
The policies will be synced and updated on a daily basis.
However, when first connecting the integration, we recommend clicking the “Sync Policies Status” button to perform an immediate sync (a few minutes).