1. Docs
  2. Configure (latest)
Edit this page

G Suite

This page describes how to enable the data collection of G Suite for processing by Forseti Inventory.

Before you begin

To complete this guide and enable a service account in your G Suite admin control panel, you must have the super admin role in admin.google.com.

Enable Domain-wide Delegation (DwD) in G Suite

To enable collection of G Suite data using your existing Forseti service account, follow the steps below. Read more about domain-wide delegation.

Enable DwD on the Forseti server service account

Go to the Google Cloud Platform (GCP) Console Service accounts page for the Forseti project and follow the instructions under section To enable G Suite domain-wide delegation, follow these steps: to enable domain-wide delegation on the Forseti server service account.

Delegate domain-wide authority to the Forseti server service account

Follow the instructions here to grant the Forseti service account the following scopes:

https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloudplatformprojects.readonly,https://www.googleapis.com/auth/apps.groups.settings

Configuring Forseti to collect G Suite data

To collect G Suite data, set the gsuite_admin_email variable to the G Suite administrator email address in your main.tf.

When you’re finished making changes:

  • Run command terraform plan to see the infrastructure plan.
  • Run command terraform apply to apply the infrastructure build.

Moving configuration to Cloud Storage.

Troubleshooting

Below are the common errors for G Suite configurations and the steps to be taken to resolve the errors.

You can find what errors have happened by running forseti inventory list|get, or look at the inventory_index_errors column in the inventory_index table.

If you make any changes to the main.tf, be sure run command terraform apply to apply the infrastructure build.

Error:

('invalid_grant: Invalid email or User ID', u'{"error" : "invalid_grant", "error_description" : "Invalid email or User ID"}')

Solution: Double-check the email provided to the gsuite_admin_email variable in your main.tf. Make sure there is no typo and the user exists. If you are making any changes to the main.tf, be sure run command terraform apply to apply the infrastructure build.

Error:

GCP API Error: unable to get groups from GCP:
<HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups?customer=C04h01n68&alt=json returned "Not Authorized to access this resource/api">

Solution: Make sure you set the gsuite_admin_email variable to the G Suite administrator email address in your main.tf.

Error:

('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', u'{"error" : "unauthorized_client", "error_description" : "Client is unauthorized to retrieve access tokens using this method."}')

Solution: Make sure you entered the correct API scope(s) in the GSuite admin console.

Error:

No GSuite data and no relevant gsuite error reported by forseti inventory list|get or in inventory_index_errors column in the inventory_index table.

Solution: Make sure DwD is enabled for the server service account.

Error:

Error calling the IAM signBytes API: {
  "error": {
    "code": 403,
    "message": "Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/forseti-server-gcp-xxxxxx@xyz.iam.gserviceaccount.com.",
    "status": "PERMISSION_DENIED"
  }
}

Solution: Make sure roles/iam.serviceAccountTokenCreator is granted to the server service account.