MyEmailVault Docs

Appearance

Google Workspace

This guide walks you through connecting a Google Workspace domain to MyEmailVault using a service account with domain-wide delegation. This allows MyEmailVault to archive emails for all users in your organization.

The setup consists of three parts:

  1. Create a Google Cloud project, enable APIs, and generate a service account key.
  2. Grant domain-wide delegation in the Google Admin Console.
  3. Connect the service account in MyEmailVault.

Part 1: Google Cloud Console Setup

1.1 Create a Project

  1. Go to the Google Cloud Console.
  2. Click the project selector at the top of the page and click New Project.
  3. Enter a project name (e.g., "MyEmailVault") and click Create.
  4. Select the newly created project from the project selector.

1.2 Enable Required APIs

  1. Navigate to APIs & Services > Library.
  2. Search for and enable the following APIs:
    • Gmail API
    • Admin SDK API

1.3 Create a Service Account

  1. Navigate to APIs & Services > Credentials.
  2. Click Create Credentials and select Service Account.
  3. Enter a name (e.g., "MyEmailVault Service Account") and click Create and Continue.
  4. You may skip the optional "Grant this service account access to project" and "Grant users access to this service account" steps. Click Done.

1.4 Generate a JSON Key

  1. On the Credentials page, click on the service account you just created.
  2. Go to the Keys tab.
  3. Click Add Key > Create New Key.
  4. Select JSON and click Create.
  5. The JSON key file will be downloaded to your computer. Keep this file secure -- it grants access to your organization's email.

Troubleshooting: Key Creation Disabled

If you see an error such as iam.disableServiceAccountKeyCreation, your organization has an Organization Policy that blocks service account key creation.

To resolve this:

  1. Go to the Organization Policies page in the Google Cloud Console.
  2. Search for iam.disableServiceAccountKeyCreation.
  3. Click on the policy, then click Manage Policy.
  4. Click Override parent's policy.
  5. Under Rules, click Add Rule.
  6. Set Enforcement to Off and click Done, then Set Policy.
  7. Return to your service account and try creating the key again.
  8. After downloading the key, you may re-enable the policy for security.

Part 2: Domain-Wide Delegation in Google Admin Console

2.1 Get the Service Account Client ID

  1. In the Google Cloud Console, go to IAM & Admin > Service Accounts.
  2. Click on your service account.
  3. Copy the Unique ID (also called the Client ID). This is a numeric string (e.g., 123456789012345678901).

2.2 Enable Domain-Wide Delegation

  1. On the same service account details page, check the box Enable Google Workspace Domain-wide Delegation if it is not already enabled. If this option is not visible, expand the Show Advanced Settings section.

2.3 Authorize Scopes in the Admin Console

  1. Go to the Google Admin Console.
  2. Navigate to Security > Access and data control > API Controls.
  3. Click Manage Domain Wide Delegation.
  4. Click Add new.
  5. In the Client ID field, paste the service account Client ID from the previous step.
  6. In the OAuth Scopes field, enter the following scopes (comma-separated):
https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
  1. Click Authorize.

Part 3: Connect in MyEmailVault

3.1 Create an Ingestion Source

  1. In MyEmailVault, navigate to Ingestions and click Create New.
  2. Select Google Workspace as the provider.
  3. Enter a descriptive Name for this source (e.g., "Company Google Workspace").

3.2 Upload the Service Account Key

Upload or paste the contents of the JSON key file you downloaded in Part 1.

3.3 Enter the Admin Email

Enter the email address of a Google Workspace admin user. The service account will impersonate this user to list the users in your domain. This should be a super admin or an account with the necessary privileges to read the directory.

3.4 Save

Click Save to create the ingestion source.

What Happens Next

After saving, MyEmailVault will:

  1. Authenticate using the service account credentials.
  2. List all users in your Google Workspace domain.
  3. Begin importing emails from each user's mailbox.

The source status will show Importing during the initial bulk import. Once complete, it will transition to Active and MyEmailVault will continuously sync new emails as they arrive.

You can monitor import progress on the Ingestions page. Individual user mailboxes within the source will each show their own sync status.