This page describes how to enable the data collection of G Suite Google Groups for processing by Forseti Inventory.
To enable collection of G Suite Google Groups, follow the steps below to create a service account just for this functionality. Read more about domain-wide delegation.
Note: If you used the setup wizard to setup Forseti, it already creates a G Suite service account. You can go directly to the next section.
Go to Cloud Platform Console Service Accounts and click Create service account.
On the Create service account dialog that appears, set up your service account:
If you haven’t already configured your project’s OAuth consent screen, enter a product name to display on the consent screen, then click Create. To change the product name or add details to the consent screen later, edit your OAuth consent screen settings.
To create and download a JSON key for the service account:
On the service account row, click View Client ID.
On the Client ID for Service account client panel that appears, copy the Client ID value, which will be a large number.
You must have the super admin role in admin.google.com to complete these steps:
After you create a service account above, you may need to edit the following variables
domain_super_admin_email: Use of the Admin API requires delegation (impersonation). Enter an email address of a Super Admin in the GSuite account. If you entered this value in the setup wizard, you do not need to change this in your
groups_service_account_key_file: Forseti Inventory uses this path to locate the key file which you downloaded earlier. If you deployed with the setup wizard, this value is already pre-populated for you.
If you are running Forseti on GCP and made any changes to the above values, you will need to copy the conf file to the GCS bucket. See “Move Configuration to GCS” for details on how to do this.
If you created a deployment on GCP, run the following command to copy your G Suite key to your Forseti instance:
gcloud compute scp local/path/to/service-account-key.json \ ubuntu@FORSETI_GCE_INSTANCE_NAME:/home/ubuntu/gsuite_key.json
Note the remote destination of where you put the key on the VM instance. It
should match what you specified in your forseti_conf.yaml for the