Help Center
News
Help Center
News
Popular
Architecture and High-level Information
Scans
How to Use Scans
Scans OverviewHow to Work with ScansScan OptionsHow to Create a New Discovery or Sensitive Data ScanHow to Use the Ignore List (Ignored Locations or Ignored Matches)How to Schedule a ScanHow to Search DropboxHow to Search Google Workspace: Gmail, DriveHow to Search a File Server (Remote Search)How To Search a Snowflake DatabaseHow to Search Mongo DatabasesHow to Search OneDrive for BusinessHow To Search Exchange O365 E-mail with Modern AuthenticationHow to Search an IBM Informix DatabaseHow to Configure and Test Database Connection StringsWhat is Differential Scanning and What is it Used for?What is a Distributed Scan?
How to Use Scan Playbooks
How to Use Scan Results
Agents
How to Use Dashboards
How to Use Data Asset Inventory
How to Install\Uninstall and Set Up Spirion Sensitive Data Platform
How to Use Logs
How to Manage Users and Roles
Settings and Resources
Additional Resources
Reports
Reporting API
Customer Support Articles

How to Search Google Workspace: Gmail, Drive

This article provides instructions on how to configure and authenticate Google Workspace including Gmail and Google Drive (via API), as well as scan these sources using Spirion Sensitive Data Platform

Note: Google Workspace was previously known as "G Suite."

In This Article

  • Prerequisites

Google Workspace Setup

  • Step 1: Create a Project in Google Cloud Platform
  • Step 2: Create a Service Account
  • Step 3: Generate a P12 Key
  • Step 4: Record OAuth 2 Client ID
  • Step 5: Enable Domain-Wide Delegation in Google Admin Console
  • Step 6: Enable Required APIs
  • Step 7: Configure OAuth Consent Screen
  • Step 8: Add Scopes to the OAuth Consent Screen
  • Step 9: Verify Configuration 
     

Configure Google Target in Sensitive Data Platform

  • Step 1: Open the Target Configuration UI
  • Step 2: Enter Basic Target Info
  • Step 3: Choose Cloud / Google Drive as Source
  • Step 4: Provide Google Drive Service Account Details
  • Step 5: Save the Target

Prerequisites

  • You must be signed in to Google Cloud Platform (GCP) as a Super Administrator.
  • If this is your first time using Google Cloud Platform, you must accept Google’s Terms of Service.
  • Access to your organization’s Google Workspace Admin Console is required.

Google Workspace Setup

Step 1: Create a Project in Google Cloud Platform

  1. Navigate to your Google Cloud Platform (GCP) console.
  2. Select the Google domain you would like to scan. 
  3. Select “New Project” in the top right-hand corner of the box.  
  4. Enter a project name and confirm that the organization is correct. 

  5. Click Create.
  6. Once the project is created, click Select Project

Step 2: Create a Service Account

To successfully search your Google Workspace, you must create a service account to authenticate in Google Workspace.

To create a service account, do the following steps:

  1. Under your project (“Spirion”), from the left side navigation menu, go to APIs & Services → Credentials
    APIs & Services, menu, Credentials option
  2. From the Credentials page, at the top, click Create Credentials → Service Account
    Create credentials drop-down menu, Service account option
  3. Enter a name for the service account and an optional description.
    • Example: spirionsvc@spirion-438117.iam.gserviceaccount.com 
      Service account name, step 1 of create service account wizard
  4. Click Done (no additional access setup is required on the next two screens).

Step 3: Generate a P12 Key

Procedure:

  1. From the Credentials screen, click your newly created service account

  2. Select the Keys tab at the top. 

  3. Click Add Key → Create New Key.
  4. In the pop-up window "Create private key for <service account name>," choose P12 as the Key type. 

  5. Download the P12 key file and note the private key password
    • You need both later when configuring your Google Drive Target in the Sensitive Data Platform console.

Step 4: Record OAuth 2 Client ID

Procedure:

  1. Back in Credentials, click Manage Service Accounts
  2. Locate your service account and make note of the OAuth 2 Client ID
    • You’ll use this ID later when setting up API access.

Step 5: Enable Domain-Wide Delegation in Google Admin Console

Procedure:

  1. Log in to the Google Workspace Admin Console

  2. Go to Access and Data Control → API Controls (under Security).
  3. Select Manage Domain-Wide Delegation

  4. Click Add New to create a new API client. 

  5. Enter the OAuth Client ID you recorded earlier.
  6. In the OAuth Scopes section, add the following scopes (one per line): 
    https://www.googleapis.com/auth/userinfo.email 
    https://mail.google.com 
    https://www.googleapis.com/auth/admin.directory.user.readonly 
    https://www.googleapis.com/auth/drive 
    https://www.googleapis.com/auth/userinfo.profile
  7. Click AUTHORIZE. Save your changes. 

  8. Click Edit on the new API client to verify that the scopes were added correctly. 

Step 6: Enable Required APIs

Procedure:

  1. In Google Cloud, go to APIs & Services → Library.
  2. Search for and enable the following APIs: 
    • Admin SDK API
    • Google Drive API
    • Gmail API
  3. Each API should show a status of Enabled once complete. 


Step 7: Configure OAuth Consent Screen

Procedure:

  1. Under the project (“Spirion”) navigate to APIs & Services -> OAuth consent. Note: If you have not set up the Google Auth Platform you will be redirected to set it up. 

  2. Select Internal as the user type. 

  3. Fill in the following fields:
    1. App Name
    2. Support Email
    3. Ensure the correct Authorized Domain is listed.
    4. Add Developer Contact Information

  4. Click Save and Continue.

Step 8: Add Scopes to the OAuth Consent Screen

Procedure:

  1. Click Add or Remove Scopes and add the following( you will want to enter these into the manual field): 
    https://www.googleapis.com/auth/userinfo.email 
    https://www.googleapis.com/auth/userinfo.profile 
    https://www.googleapis.com/auth/admin.directory.user.readonly 
    https://www.googleapis.com/auth/drive 
    https://mail.google.com 

  2. Save your changes. 

Step 9: Verify Configuration

  • Your configuration should now display all added scopes and enabled APIs.
  • Once verified, your setup is complete — you can now connect Spirion to your Google Drive or Gmail target. ✅

Configure Google Target in Sensitive Data Platform

Before searching Google Drive, you must create a Google Drive Target in Sensitive Data Platform.

To create the target, complete the steps below:

  1. Login to Spirion Sensitive Data Platform.
  2. Select “Data Asset Inventory” from the left side navigation menu.
  3. Select “Data Assets and Targets” from the left side navigation menu.
  4. Select the “Targets” tab under the ‘Data Assets and Targets’ header at top: 

  5. Select the blue “Add Target” button in the top right corner: 

  6. Select the “Cloud Source” tile from the "Add New Target" dialog and name the Target accordingly: 

  7. Select the “Google Drive” tile from the "Select a Cloud Source to Configure" dialog: 

  8. Fill in the following fields: 

    • Admin User Account Name – Enter your Google User (often a G Suite/Google Workspace admin) account (it can be the same as the Super Administrator used in the Google Workspace Setup, above)
    • Service Account Email or Unique ID – The email address of your service account.
      • Example: my-service@project.iam.gserviceaccount.com.
      • If you cannot find it or have closed out of it on accident, go back Google Workspace and navigate to “Managed Service Accounts” to recover it.
    • Key Data File – Load the file .p12 key file that was saved in in the Google Workspace Setup, above.
    • Key Data File Password – The password that was generated/shown when you created the .p12 key.
    • Private Key ID – See step 24 of “G Suite Side Authentication” section above
    • Project ID – See step 7 of “G Suite Side Authentication” section above
  9. Once entered select the “Save” button below to complete the authentication.
  10. If issues arise in completing this authentication, an error is thrown.
  11. Please document the error received and contact Spirion Support (or Professional Services, if currently engaged).

Create a Scan to Search Google Drive

After the Admin Account is authenticated during the creation of the Google Drive “target”, you then need to create a scan to initialize the search:

  1. Log-in to Spirion Sensitive Data Platform.
  2. Select “Scans” from the left side vertical menu.
  3. Select "All Scans" from the left side vertical menu.
  4. Select the blue “Add Scan” button in the top right-hand corner: 

  5. Provide a Title to the scan (for example, Google Drive) and select “Next”.
  6. Select “Sensitive Data Scan”.
  7. Select an existing playbook, or create a new playbook  
    (Note: This requires repeating steps 1-4 after creation)
  8. Select “Next”.
  9. Select the “Cloud” option.
  10. Select the “Google Drive” option.
  11. Select the agent type you would like to facilitate the search of Google Drive (On-premise or cloud), in addition to the specific agents pertinent to the type.
  12. Select “Next” to proceed to the next screen.
  13. Select the Google Drive target you created during the “Creation of a Google Drive Target”, and select the “Next” button to proceed to the next screen
  14. Specify the user accounts you would like to search or upload a CSV containing such a list. 
    Note: When no User Accounts are specified for a target, all User Accounts are scanned.
  15. Continue to fill out the additional options in the screens following the account designation to tailor or adjust any of the default behavior.
    1. The default options suffice.
  16. Select the “Finish and Save” button to save and initiate the Google Drive scan, per the schedule dictated on the “Schedule” tab”: 

Note about Google Mail Trash Folder

  • Note that when Spirion Sensitive Data Platform scans Google mail folders this includes the Trash folder.
  • The Trash folder cannot be excluded.

Was this article helpful?

Powered by Product Fruits