---
title: Google Workspace
---
<!-- licenses: community, platform -->

runZero integrates with ((Google Workspace)) to allow you to sync and enrich your asset inventory, as well as gain visibility into users and groups. Adding your Google Workspace data to runZero makes it easier to find unmanaged assets on your network. The Google Workspace integration supports ChromeOS, Mobile, and Endpoint [registered asset types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).

## Requirements {#googleworkspace-requirements}

* Verify or create a new [Google service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating) in whichever project is most suitable.
* [Create and download a key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating) for the Google service account. Save this JSON file.
* Verify that you have the `Admin SDK` and `Cloud Identity` APIs enabled for the project. Use the search box in the [API Library](https://console.cloud.google.com/apis/library) to find each API and then enable it.
* Enable domain-wide delegation in the [Google Workspace console](https://admin.google.com/ac/owl/domainwidedelegation)
  * Add a new API client using the unique numeric ID of service account as the Client ID
  * Enable the following OAuth scopes for this API client: 
    ```
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
    https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
    https://www.googleapis.com/auth/cloud-identity.devices.readonly
    ```
   * Optionally, enter each OAuth scope individually:
    * `https://www.googleapis.com/auth/admin.directory.user.readonly`
    * `https://www.googleapis.com/auth/admin.directory.group.readonly`
    * `https://www.googleapis.com/auth/admin.directory.device.mobile.readonly`
    * `https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly`
    * `https://www.googleapis.com/auth/cloud-identity.devices.readonly`

## How to set up the Google Workspace integration

These are the high-level steps to set up the Google Cloud Platform integration:

* [Create a Google Workspace credential](#step-1-create-a-google-workspace-credential) in runZero.
* Choose whether to configure the integration as [a scan probe or connector task](#step-2-choose-how-to-configure-the-google-workspace-integration). 
* [Activate the connection](#step-3-activate-the-google-workspace-integration) for Google Workspace.
* [View your results](#step-4-view-google-workspace-assets).

## Step 1: Create a Google Workspace credential

1. Go to the [Credentials page](https://console.runzero.com/credentials) and click **Add Credential**.
2. From the **Credentials type** dropdown, choose **Google Workspace Client Secret**.
3. Provide a name for the credential, like `Google Workspace`.
4. In the _Admin account email_ field, provide the email address of an administrator account with access to the assets, users, or groups you wish to import.
5. If you want to import from an organization other than the one your administrator account belongs to, provide a _Customer ID_. By default, runZero will use the Customer ID associated with the service account. (Optional) 
6. Click **Choose file** to upload the service account key file you downloaded from Google Workspace.
7. If you want other organizations to be able to use this credential, select the **Make this a global credential** option. Otherwise, you can configure access on a per-organization basis.
8. Save the credential. You're now ready to set up and activate the connection to bring in data from Google Workspace.

## Step 2: Choose how to configure the Google Workspace integration
The Google Workspace integration can be configured as either a [scan probe or a connector task](integrations-inbound.md#integration-probe-connector). Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync. Configuring the integration as a scan probe is useful if you are running self-hosted runZero Platform and your console cannot access Google Workspace. For most situations it will be easier to set up a scheduled connection to sync your data from Google Workspace.

## Step 3: Activate the Google Workspace integration
After you add your GCP credential, you'll need to set up a connector task or scan probe to sync your data.

### Step 3a: Configure the Google Workspace integration as a connector task
A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where the data is organized.

1. [Activate a connection to Google Workspace](https://console.runzero.com/ingest/googleworkspace/). You can access all available third-party connections from the [integrations page](https://console.runzero.com/integrations), your [inventory](https://console.runzero.com/inventory), or the [tasks page](https://console.runzero.com/tasks). 
2. Choose the credential you added earlier. If you don't see the credential listed, make sure the credential has access to the organization you are currently in.
3. Enter a name for the task, like `Google Workspace sync`.
4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
5. To organize your assets logically, choose the site you'd like to use to add your assets to. You can choose an existing site or add them to a new site when the sync occurs. Assigning your assets to a site helps organize and group your assets.
6. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the **Exclude unknown assets** toggle to _Yes_. By default, the integration will include assets that have not been scanned by runZero.
7. Activate the connection when you are done. The sync will run on the defined schedule. You can check the [Scheduled tasks](https://console.runzero.com/tasks) to see when the next sync will occur.

### Step 3b: Configure the Google Workspace integration as a scan probe
1. Create a new scan task or select a future or recurring scan task from your [Tasks page](https://console.runzero.com/tasks).
2. Add or update the scan parameters based on any additional requirements.
3. On the Probes and SNMP tab, choose which additional probes to include, set the GoogleWorkspace toggle to _Yes_, and change any of the default options if needed.
4. On the Credentials tab, set the GoogleWorkspace toggle for the credential you wish to use to _Yes_.
5. Click **Initialize scan** to save the scan task and have it run immediately or at the scheduled time.

## Step 4: View Google Workspace assets
After a successful sync, you can [go to your inventory](https://console.runzero.com/inventory) to view your Google Workspace assets. These assets will have a Google Workspace icon listed in the **Source** column.

To filter by Google Workspace assets, consider running the following queries:

* [View all Google Workspace assets](https://console.runzero.com/inventory?search=source%3Agoogleworkspace): 
     ```
     source:googleworkspace
    ```
* [View runZero assets not connected to Google Workspace](https://console.runzero.com/inventory?search=source%3Arunzero%20and%20not%20source%3Agoogleworkspace): 
     ```
     source:runzero AND NOT source:googleworkspace
    ```

Click into each asset to see its individual attributes. runZero will show you the attributes returned by Google Workspace.

<!-- licenses: community, platform -->

<div class="alert alert-info">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg>
<div class="alert-body">
The Google Workspace integration provides details about users and groups in addition to enriching asset inventory data. Go to <a href="https://console.runzero.com/inventory/users">Inventory > Users</a> or <a href="https://console.runzero.com/inventory/groups">Inventory > Groups</a> to view the data provided by Google Workspace. Use the query <code>source:googleworkspace</code> to filter your results.
</div>
</div>

## Troubleshooting {#google-workspace-troubleshooting}
If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

### Why is the Google Workspace integration unable to connect?
1. Are you getting any data from the Google Workspace integration?
    * Make sure to query the inventory rather than look at the task details to review all the data available from this integration.
    * In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero console.
2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the integration, it may not work correctly. Please review this documentation and follow the steps exactly.
3. If the Google Workspace integration is unable to connect be sure to check the task log for errors. Some common errors include:
    * 500 - server error, unable to connect to the endpoint
    * 404 - hitting an unknown endpoint on the server
    * 403 - not authorized, likely a credential issue