This page describes how to enable collection of G Suite data for processing by Forseti Inventory.
To complete this guide and enable a service account in your G Suite admin control panel, you must have the super admin role in admin.google.com.
To enable collection of G Suite data using your existing Forseti service account, follow the steps below. Read more about domain-wide delegation.

1. Go to the Google Cloud Platform (GCP) Console Service accounts page for the Forseti project and follow the instructions under the section "To enable G Suite domain-wide delegation, follow these steps:" to enable domain-wide delegation on the Forseti server service account.

2. Follow the instructions here to grant the Forseti service account the following scopes (entered as one comma-separated line in the G Suite admin console):

https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloudplatformprojects.readonly,https://www.googleapis.com/auth/apps.groups.settings

3. To collect G Suite data, set the gsuite_admin_email variable to the G Suite administrator email address in your main.tf.

4. When you're finished making changes, run terraform plan to see the infrastructure plan, then terraform apply to apply the infrastructure build.
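The three settings above (domain-wide delegation on the service account, the authorized scopes, and gsuite_admin_email) all end up in one place: the signed JWT assertion the Forseti server exchanges for an access token. The following is an added example, not Forseti code, that builds that assertion from this page's values so the claims can be inspected; the service-account and admin email addresses, the timestamp and the placeholder signer are constructed for illustration.

```python
"""Build and inspect the domain-wide-delegation assertion a Forseti server
sends to Google's token endpoint (added example, not Forseti's own code)."""
import base64
import json
from typing import Callable, Dict, List

# The four scopes this page says the Forseti service account must be granted.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/cloudplatformprojects.readonly",
    "https://www.googleapis.com/auth/apps.groups.settings",
]
TOKEN_URI = "https://oauth2.googleapis.com/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_dwd_claims(sa_email: str, admin_email: str, scopes: List[str], now: int) -> Dict:
    """Claim set for a delegated assertion.
    iss   = the service account (its client ID is what you authorize in the admin console)
    sub   = the G Suite admin being impersonated (gsuite_admin_email); a wrong
            value is what produces the invalid_grant error on this page
    scope = must be covered by the scopes authorized in the admin console,
            otherwise the token endpoint answers unauthorized_client"""
    missing = sorted(set(REQUIRED_SCOPES) - set(scopes))
    if missing:
        raise ValueError("scopes missing from the assertion: " + ", ".join(missing))
    if "@" not in admin_email:
        raise ValueError("gsuite_admin_email must be a full email address")
    return {"iss": sa_email, "sub": admin_email, "scope": " ".join(scopes),
            "aud": TOKEN_URI, "iat": now, "exp": now + 3600}


def build_dwd_assertion(claims: Dict, signer: Callable[[bytes], bytes]) -> str:
    """signer() returns the RS256 signature over header.payload. A Forseti server
    without a local key file obtains it from the IAM signBlob API, which is why
    roles/iam.serviceAccountTokenCreator is needed (see the signBytes error below)."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(signer(signing_input.encode()))


def decode_claims(assertion: str) -> Dict:
    """Read the claim set back out of an assertion (for inspection, no verification)."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Pass a real RS256 signer (a local key or an IAM signBlob call) to build_dwd_assertion; the claims returned by decode_claims show exactly which email and scopes the server will present, which is the first thing to compare against main.tf and the admin console when the errors below appear.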
Below are the common errors for G Suite configurations and the steps to take to resolve them. You can find which errors occurred by running forseti inventory list or forseti inventory get, or by looking at the inventory_index_errors column in the inventory_index table.

If you make any changes to main.tf, be sure to run terraform apply to apply the infrastructure build.
Error:
('invalid_grant: Invalid email or User ID', u'{"error" : "invalid_grant", "error_description" : "Invalid email or User ID"}')
Solution:
Double-check the email provided to the gsuite_admin_email variable in your main.tf. Make sure there is no typo and that the user exists. If you make any changes to main.tf, be sure to run terraform apply to apply the infrastructure build.
Error:
GCP API Error: unable to get groups from GCP:
<HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups?customer=C04h01n68&alt=json returned "Not Authorized to access this resource/api">
Solution:
Make sure you set the gsuite_admin_email variable to the G Suite administrator email address in your main.tf.
Error:
('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', u'{"error" : "unauthorized_client", "error_description" : "Client is unauthorized to retrieve access tokens using this method."}')
Solution: Make sure you entered the correct API scope(s) for the service account's client ID in the G Suite admin console.
Error:
No G Suite data is collected and no G Suite-related error is reported by forseti inventory list or forseti inventory get, or in the inventory_index_errors column of the inventory_index table.
Solution: Make sure domain-wide delegation (DwD) is enabled for the server service account.
Error:
Error calling the IAM signBytes API: {
"error": {
"code": 403,
"message": "Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/forseti-server-gcp-xxxxxx@xyz.iam.gserviceaccount.com.",
"status": "PERMISSION_DENIED"
}
}
Solution:
Make sure roles/iam.serviceAccountTokenCreator is granted to the server service account.