Skip to content

Google Workspace GDrive Onboarding

GCP integration is required prior to GDrive onboarding. If onboarding is not completed yet, use this guide. Else, skip to the next step.

Follow the steps below to integrate Google Workspace (GDrive) with SailPoint Entro for secure, read-only scanning of files and shared drives.


Management → Accounts & Integrations → Add New Account (top right) → Google Workspace (GDrive)

  1. Onboard via GCP Service Account

    To integrate Google Workspace with SailPoint Entro, use a GCP Service Account. You can either reuse an existing account from your GCP Integration or create a new one dedicated to GDrive.

    SailPoint Entro supports two authorization methods:

    • Service Account Key

    • Workload Identity Federation

    If using Workload Identity Federation: The service account must have the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) assigned to itself. This allows server-side JWT signing required for Google Workspace access.

    To configure: GCP Console → IAM & Admin → IAM → find your service account → Edit → Add Role → "Service Account Token Creator" → Save.

  2. Enable Google Drive API

    • Log in to your Google Cloud Console.

    • Navigate to APIs & Services → Library → Google Drive API.

    • Select your project (same one used for the Service Account).

    • Click Enable if not already enabled.

    • Optionally, enable the Admin SDK API for organization-wide scanning.

  3. Grant Access to Google Drive Files

    You can either grant access to specific drives (Option 1) or allow domain-wide scanning (Option 2).

    1. Option 1 - Share Specific Drives

      • Open Google Drive.

      • Right-click the target drive, folder, or file and choose Manage members.

      • Enter your Service Account email and assign one of the following roles:

        • Viewer: Scans the most recent version of each file.

        • Contributor: Allows review of version history.

      • Shared drives from external organizations can also be scanned if permission is granted.

    2. Option 2 - Allow Access to All Files (Domain-Wide Delegation)

      1. Retrieve your Service Account Client ID from the GCP Console.

      2. In your Google Workspace Admin Console, navigate to: Security → Access and data control → API controls → Domain-wide delegation

      3. Click Add new and insert:

        • The Client ID from step 1

        • The following OAuth scopes:

        https://www.googleapis.com/auth/admin.directory.group.readonly
        https://www.googleapis.com/auth/admin.directory.group.member.readonly
        https://www.googleapis.com/auth/drive.readonly
        https://www.googleapis.com/auth/cloud-platform
        https://www.googleapis.com/auth/admin.directory.user.readonly
        https://www.googleapis.com/auth/admin.directory.customer.readonly
        
      4. Click Authorize to complete domain-wide delegation.

  4. Complete SailPoint Entro Onboarding

    In the SailPoint Entro Dashboard:

    • Navigate to Management → Accounts & Integrations → Google Workspace (GDrive)

    • Fill in the onboarding form:

      • GCP Project: Select your Service Account project

      • Google Workspace Domain: Enter your organization domain

      • Admin Email: Provide an admin user email for impersonation

    • Click Create Account to finalize onboarding.


Security & Compliance

  • Read-only data retrieval (no modification of file content)

  • TLS 1.2+ encryption

  • AES-256 at rest

  • SOC 2 Type II, ISO 27001, GDPR-compliant