Google Drive
Configuring the Veza integration for Google Drive
Early Access: Google Drive is available on-platform in Early Access. Please contact our support team to enable the integration.
Overview
The Veza integration for Google Drive discovers shared drives, folders, and permissions within Google Drive file systems.
How It Works
The integration uses a Google Cloud IAM service account to interact with the Google Drive v3 API, enabling it to list Shared Drives, Folders, and folder permissions. The service account needs to be added as a viewer to shared drives to retrieve listings and permissions. New drives the service account is a viewer on are extracted during data source discovery, which runs periodically after configuration.
Custom entity mapping:
Server: Google Workspace
Mount: Shared Drive
Folder: Folder
Drive and Folder Permissions
Google Drive has four roles that can be assigned to Shared Drives or Folders; the same roles apply to both. The role reference is as follows:
Organizer
File Organizer
Write
Commenter
Viewer
Note: The owner role is not currently supported.
Sharing permissions are associated with Google Workspace Users or Groups based on the role that identity has on the drive/folder.
Additionally, properties are discovered for the sharing settings on the drive (mount) and folder:
domain_users_only: boolean indicating whether the drive/folder allows anyone in the domain access.
domain_role: string set to the domain shared role if shared.
shared_anyone: boolean indicating whether the drive/folder is shared with anyone with the link.
anyone_role: string containing the shared role if shared.
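As an added example (not Veza's own code), the following shows how the four sharing properties above can be derived from a Google Drive v3 permissions.list response, using the Drive API role names mapped onto the role list from this page; the response body and email addresses are constructed for the example.

```python
import json

# Drive v3 permission roles -> role names used in the Veza Google Drive model.
# "owner" is deliberately absent: the page notes the owner role is not supported.
ROLE_MAP = {
    "organizer": "Organizer",
    "fileOrganizer": "File Organizer",
    "writer": "Write",
    "commenter": "Commenter",
    "reader": "Viewer",
}

# Constructed sample: the shape of a Drive v3 permissions.list response for
# one folder. All ids, addresses and domains are made up for this example.
SAMPLE_PERMISSIONS = json.loads("""
{"permissions": [
  {"id": "1", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
  {"id": "2", "type": "group", "role": "writer", "emailAddress": "eng@example.com"},
  {"id": "3", "type": "domain", "role": "reader", "domain": "example.com"},
  {"id": "4", "type": "anyone", "role": "commenter", "allowFileDiscovery": false}
]}
""")


def sharing_properties(resp):
    """Derive domain_users_only / domain_role / shared_anyone / anyone_role
    from a permissions.list response. Also returns the (principal, role)
    grants for users and groups, and a list of permissions whose role is
    not in ROLE_MAP, so unsupported roles are surfaced rather than dropped."""
    props = {"domain_users_only": False, "domain_role": None,
             "shared_anyone": False, "anyone_role": None}
    grants, skipped = [], []
    for perm in resp.get("permissions", []):
        role = ROLE_MAP.get(perm.get("role"))
        if role is None:
            skipped.append((perm.get("type"), perm.get("role")))
            continue
        kind = perm.get("type")
        if kind == "domain":          # anyone in the Workspace domain
            props["domain_users_only"] = True
            props["domain_role"] = role
        elif kind == "anyone":        # anyone with the link
            props["shared_anyone"] = True
            props["anyone_role"] = role
        elif kind in ("user", "group"):
            grants.append((perm.get("emailAddress"), role))
    return props, grants, skipped
```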
Shared Drive Sharing Settings
Google provides multiple settings that can be configured by an Administrator on a Shared Drive that can limit the sharing options and scopes for drives. Veza represents these as properties on each Shared Drive to allow for searching. The table below explains the relationship between the Google setting description and the Veza property.
Google Shared Drive Setting | Veza Property | Value when Checked |
---|---|---|
"Allow managers to modify shared drive settings" | | |
"Allow people outside of {Organization Name} to access files" | | |
"Allow people who aren't shared drive members to access files" | | |
"Allow content managers to share folders" | | |
"Allow viewers and commenters to download, print, and copy files" | | |
Setup
Google Setup
The Google Drive connector uses a Google Workspace user to perform discovery. Permissions are granted to Veza to assume this user via an OAuth flow. Integration capabilities depend on the Workspace user's role and the shared drives they can view:
If the Google User is a Super Admin, Veza can discover all Google Drives and permissions. If using a Super Admin, check the Domain Admin Access box when adding the integration to Veza.
If the user is not a Super Admin, then the user must be added as a viewer to each Google Drive the integration will discover.
To discover Folder permissions on a drive, the User must be added as a viewer to the drive, regardless of role.
To create an OAuth app, assign scopes, and retrieve the credentials:
Log into Google Cloud Console https://console.cloud.google.com/
Create a new project https://developers.google.com/workspace/guides/create-project and select that project
Navigate to APIs & Services
Select Enabled APIs & Services from the left and click + Enable APIs and Services from the top to enable a new API
Search for "Google Drive API", select it from the results, and select Enable
Return to APIs & Services and select OAuth Consent Screen
Select Internal for the App type and click Create
Provide a name and the contact emails
Click Save and Continue
Click Add or Remove Scopes
Add the https://www.googleapis.com/auth/drive.readonly scope. The drive.readonly scope is required to list Shared Drives.
Click Save and Continue
Return to APIs & Services and select Credentials
Create credentials by clicking + Create Credentials and selecting OAuth Client ID
Select Desktop App for Application Type and enter a name
Download the JSON file from the creation modal
Use the provided OAuth login tool to initiate an OAuth flow
Run the tool with the credentials JSON downloaded above
Follow the link printed by the tool and authorize using the Google User
Copy the code from the redirected URL and paste it to the tool
Copy the refresh token provided
OAuth Login Tool: Use the links below to download the appropriate file for your platform (Intel or ARM Mac, or Windows).
1. Open your terminal and browse to the folder containing the tool and the JSON credentials file.
2. Make the tool executable, e.g. chmod 744 google-oauth-mac-arm64.
3. Run it with the JSON credentials file from the previous steps, e.g. ./google-oauth-mac-arm64 credentials.json.
4. Follow the on-screen instructions. The tool will generate a URL; open that URL in a browser and log in as the Google User to approve the connection.
5. The browser will redirect to a localhost URL which will return an error. Copy and paste the URL from the browser back to the tool running in the terminal.
6. The tool will return a refresh token string required for finishing the integration setup in Veza.
Configuring Google Drive on the Veza Platform
In Veza, open the Integrations page.
Click Add New and pick Google Drive as the type of integration to add
Enter the required information and Save the configuration
Field | Notes |
---|---|
Customer ID | Google Workspace ID |
Credentials | Credentials JSON file from Google Setup procedure |
Refresh Token | Refresh token output from OAuth setup tool |
Domain Admin Access | Check to use Domain Admin privileges during discovery (user must be Super Admin) |
Drive Allow List | List of Drive names to discover; if provided, drives that do not match this list will be ignored |
Drive Deny List | List of Drives to exclude from discovery |