Set Up Google Drive Connector

GCP Service Account Setup

1. Go to Manage resources at console.cloud.google.com, click the project dropdown, and select New Project.

2. Enter project details — name it amberise-drive-connector and select your organization. Click Create.

3. Go to Service Accounts. Open IAM & Admin → Service Accounts and click + Create service account.

4. Create the service account. Name it amber-drive-indexer, click Create and continue, then Done (no roles or user grants needed).

   

5. Note two values from the service account’s Details tab:

   • The email (e.g. amber-drive-indexer@<project>.iam.gserviceaccount.com)

   • The numeric Unique ID (also shown as Client ID under Advanced settings)

6. Enable APIs. In APIs & Services → Library, search for each API by name and click Enable.

   Required:

   • Admin SDK API (admin.googleapis.com)

   • Cloud Resource Manager API (cloudresourcemanager.googleapis.com)

   • Service Usage API (serviceusage.googleapis.com)

   • Google Drive API (drive.googleapis.com)

   • Google Docs API (docs.googleapis.com)

   • Google Sheets API (sheets.googleapis.com)

   Optional — for Gmail / Google Calendar integration:

   • Gmail API (gmail.googleapis.com)

   • Google Calendar API (calendar-json.googleapis.com)

   

7. Manage Keys. Open the Keys tab on the service account and click Add key → Create new key.

8. Save the JSON key. Select JSON and click Create. A JSON file downloads automatically.

   

Connect Google Drive to amber

Required permissions for setup

The setup user must be a Google Workspace super-admin, or have a custom admin role with these privileges:

• Security → API controls

• Security → Access and data control → Domain-wide delegation

Add API scopes

Go to the Domain-wide Delegation section in the Google Admin Console (Security → Access and data control → API controls → Manage Domain Wide Delegation). You’ll need to be signed in as a super-admin.

Click Add new and paste the service account’s Unique ID (from Phase 1) into the Client ID field.

Note: if the service account is already registered for domain-wide delegation with another scope set, click Edit on the existing client ID and add the scopes below instead of creating a new entry.

Copy and paste the following into the OAuth scopes (comma-delimited) field and then click Authorize:

https://www.googleapis.com/auth/drive.readonly

(Optional) Also add the following to the list above if you would like to enable group-based sharing in search results:

https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly

Pick the indexing user

1. Choose a Workspace user (e.g. admin@your-domain.com). Their email is the Subject email.

2. Grant the indexing account access to everything amber should index (e.g. add it as a member of each Drive, share relevant files with it).

Create the OAuth client

1. Configure the consent screen at Google Auth Platform → Branding:

   • App name: ambeRise

   • User support email: your admin email

   • Audience: Internal

   • Developer contact: your admin email

   Under Data Access, add the scopes openid, userinfo.email, userinfo.profile.

   

2. Create the client at APIs & Services → Credentials → + Create credentials → OAuth client ID:

   • Application type: Web application

   • Name: ambeRise

   • Authorized redirect URIs: https://<your-amberise-host>/api/auth/google_drive/callback

   

3. Click Create and download the JSON

Send credentials to Amber support

1. Service Account JSON

2. Subject email

3. Client ID and Client Secret JSON

4. Workspace Domain — e.g. your-domain.com