Create a Custom Google App
Step 1: Create a New Project and Enable APIs
- If you want to use an existing project, you can directly go to Enable APIs.
- Only the project owner can enable APIs for a project.
Create a New Project (Optional)
- Go to Google Cloud IAM.
- Click the current resource.
- Click NEW PROJECT.
- Complete the Project name, Organization, and Location fields.
- Click Create.
- Search for and enable APIs that are required by your services (IBM® Storage Protect for Cloud Google Workspace).
- Click the API that you want to enable, and then click ENABLE.
Enable APIs
- Go to the Google Cloud Console.
- Click the current resource to expand the projects list, and then select the project you want to use.
  Note: The user that can enable APIs for a project must be the project owner.
- Click ENABLE APIS AND SERVICES.
- The API library page appears.
Step 2: Create OAuth Credentials
- If your organization has turned off the Disable service account creation, Disable service account key creation, and Disable service account key upload policies, you can proceed to Service Account Creation.
- If your organization is a newly created Google tenant or you are not sure about the policy’s status, first see how to Turn off Policy for Disable Service Account Key Creation, then you can proceed with the Service Account Creation.
Before creating a service account, make sure the Disable service account creation, Disable service account key creation, and Disable service account key upload policies are turned off. You can refer to the steps below to turn off the policies:
- If you are required to have the Organization Policy Administrator role to MANAGE POLICY, refer to the instructions below to add the Organization Policy Administrator role:
- Go to Google Cloud IAM.
- In the resource list, select the organization of the project where you want to create the service account.
- Refer to the following instructions based on your scenario:
- If you want to add a new principal, click GRANT ACCESS. In the panel of granting access, enter your account in the New principals field, select the Organization Policy Administrator role from the Role drop-down list, and click SAVE.
- If you want to edit an existing principal, click the Edit principal button next to the principal. In the panel of editing access, click ADD ANOTHER ROLE, select the Organization Policy Administrator role from the Role drop-down list, and click SAVE.
- Go to IAM-Organization Policies.
- In the resource list, select the project where you create the service account.
- From Disable service account creation, Disable service account key creation, and Disable service account key upload policies, click the policy that you want to turn off.
- After you click a policy, the policy details page appears, and you can follow the steps below to turn off a policy:
- Click MANAGE POLICY.
- Select Override parent's policy to set a unique policy for this project.
- Click ADD A RULE to add a new rule.
- Select Off to disable the enforcement of the new rule, and click DONE.
- Click SET POLICY.
Follow the instructions below to create a service account and a client ID:
Service Account Creation
- Navigate to APIs & Services > Credentials.
- Click CREATE CREDENTIALS and select Service account.
- Enter a service account name and a service account ID. Then, click DONE.
- Click the service account, and then click the KEYS tab.
- Click ADD KEY, and then click Create new key.
- Select the JSON key type and click CREATE. The downloaded file contains important information for the configuration in the following steps, and you must store the file securely as it can’t be recovered if lost.
Step 3: Configure Scopes
- Go to Google Admin console, and then navigate to Security > Access and data control > API controls.
- Click MANAGE DOMAIN WIDE DELEGATION.
- Click Add new.
- Add the client ID and OAuth scopes. After you finish the configuration, click AUTHORIZE.
- To get the client ID, you can open the private key file (downloaded in Step 2: Create OAuth Credentials > Service Account Creation), or go to the Credentials page.
- The configured scopes should be the same as the scopes added to the app. You can add required permission scopes to a custom Google app by referring to IBM Storage Protect for Cloud Google Workspace.
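The following is an added example, not part of the IBM documentation or product: a Python helper that reads the JSON key downloaded in Step 2, returns the client ID needed for domain-wide delegation, restricts the key file to its owner, and compares the scopes entered in the Admin console with the scopes the app requires. The sample key values are constructed placeholders, and the scope list to check against is one you supply.

```python
import json
import os
import stat

REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key")

# Constructed sample mirroring the layout of a downloaded JSON key (no real secrets).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "backup-app@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
}


def inspect_key_file(path):
    """Validate the key file, restrict it to the owner, return Step 3 values."""
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected credential type: {key['type']!r}")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    too_open = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    if too_open:  # group/other access to a private key: tighten to 0600
        os.chmod(path, 0o600)
    # Never return or print private_key; Step 3 only needs the client ID.
    return {"client_id": key["client_id"],
            "client_email": key["client_email"],
            "was_too_open": too_open}


def scope_mismatch(configured_csv, required):
    """Compare the comma-delimited scopes entered in the Admin console
    with the scopes the app requires."""
    configured = {s.strip() for s in configured_csv.split(",") if s.strip()}
    return {"missing": sorted(set(required) - configured),
            "extra": sorted(configured - set(required))}


if __name__ == "__main__":
    import sys
    print(inspect_key_file(sys.argv[1]))
```

Any scope reported under "extra" grants the service account more delegated access than the app needs and is worth removing from the delegation entry.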
After you finish configuring scopes for the custom Google app, go to IBM Storage Protect for Cloud and navigate to Management > App management to create an app profile and consent to the custom Google app. For more details, refer to the Consent to Custom Apps section.