# Google Drive

### Overview

The Veza integration for Google Drive discovers shared drives, folders, and permissions within Google Drive file systems.

### How It Works

The integration uses a Google Cloud IAM service account to interact with the Google Drive v3 API, enabling it to list Shared Drives, Folders, and folder permissions. The service account needs to be added as a viewer to shared drives to retrieve listings and permissions. New drives on which the service account is a viewer are extracted during data source discovery, which runs periodically after configuration.

Custom entity mapping:

* Server: Google Workspace
* Mount: Shared Drive
* Folder: Folder

### Drive and Folder Permissions

Google Drive has four roles that can be assigned to Shared Drives or Folders; the same roles apply to both. The role reference is as follows:

* Organizer
* File Organizer
* Write
* Commenter
* Viewer

Note: The owner role is not currently supported.

Sharing permissions are associated with Google Workspace Users or Groups based on the role that identity has on the drive/folder.

Additionally, properties are discovered for the sharing settings on the mount and drive:

* `domain_users_only`: boolean indicating whether the drive/folder allows anyone in the domain access.
* `domain_role`: string set with the domain shared role if shared.
* `shared_anyone`: boolean indicating whether the drive/folder is shared with anyone with the link.
* `anyone_role`: string containing the shared role if shared.

#### Shared Drive Sharing Settings

Google provides several settings that an Administrator can configure on a Shared Drive to limit its sharing options and scope. Veza represents these as properties on each Shared Drive so that they can be searched. The table below maps each Google setting description to the corresponding Veza property.

| Google Shared Drive Setting                                       | Veza Property                                   | Value when Checked |
| ----------------------------------------------------------------- | ----------------------------------------------- | ------------------ |
| "Allow managers to modify shared drive settings"                  | `Admin Managed Restrictions`                    | `false`            |
| "Allow people outside of {Organization Name} to access files"     | `Domain Users Only`                             | `false`            |
| "Allow people who aren't shared drive members to access files"    | `Drive Members Only`                            | `false`            |
| "Allow content managers to share folders"                         | `Sharing Folders Requires Organizer Permission` | `false`            |
| "Allow viewers and commenters to download, print, and copy files" | `Copy Requires Write Permission`                | `false`            |
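
The following added example (not Veza's code) shows how the sharing properties and the restriction table above could be evaluated against Drive v3 API data when reviewing a drive. The sample drive and permissions are constructed, and the derivation logic is an assumption about how such properties can be computed.

```python
# Added example. The restriction keys and permission "type"/"role" fields are
# Drive v3 API fields; the derivation of the properties is an assumption.
RESTRICTION_TO_PROPERTY = {
    "adminManagedRestrictions": "Admin Managed Restrictions",
    "domainUsersOnly": "Domain Users Only",
    "driveMembersOnly": "Drive Members Only",
    "sharingFoldersRequiresOrganizerPermission": "Sharing Folders Requires Organizer Permission",
    "copyRequiresWriterPermission": "Copy Requires Write Permission",
}

def sharing_properties(permissions):
    """Derive the four sharing properties from a list of permission entries."""
    props = {"domain_users_only": False, "domain_role": "",
             "shared_anyone": False, "anyone_role": ""}
    for perm in permissions:
        if perm["type"] == "domain":      # shared with everyone in the domain
            props["domain_users_only"] = True
            props["domain_role"] = perm["role"]
        elif perm["type"] == "anyone":    # shared with anyone with the link
            props["shared_anyone"] = True
            props["anyone_role"] = perm["role"]
    return props

def relaxed_restrictions(drive):
    """Property names whose value is false, i.e. the Google box is checked."""
    restrictions = drive.get("restrictions", {})
    return sorted(name for key, name in RESTRICTION_TO_PROPERTY.items()
                  if not restrictions.get(key, False))

def audit(drive, permissions):
    """Return the derived properties plus review findings for one drive."""
    props = sharing_properties(permissions)
    findings = [f"{name} is false" for name in relaxed_restrictions(drive)]
    if props["shared_anyone"]:
        findings.append(f"shared with anyone with the link as {props['anyone_role']}")
    return props, findings

# Constructed sample data shaped like Drive v3 API responses.
SAMPLE_DRIVE = {"id": "drive-constructed-1", "name": "Finance", "restrictions": {
    "adminManagedRestrictions": True, "domainUsersOnly": False,
    "driveMembersOnly": True, "sharingFoldersRequiresOrganizerPermission": True,
    "copyRequiresWriterPermission": False}}
SAMPLE_PERMISSIONS = [
    {"type": "group", "role": "organizer", "emailAddress": "finance-admins@example.com"},
    {"type": "domain", "role": "reader", "domain": "example.com"},
    {"type": "anyone", "role": "commenter"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_DRIVE, SAMPLE_PERMISSIONS))
```
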

### Setup

#### Google Setup

The Google Drive connector uses a Google Workspace user to perform discovery. Permissions are granted to Veza to assume this user via an OAuth flow. Integration capabilities depend on the Workspace user's role and the shared drives they can view:

* If the Google User is a **Super Admin**, Veza can discover all Google Drives and permissions. If using a Super Admin, check the **Domain Admin Access** box when adding the integration to Veza.
* If the user is not a Super Admin, then the user must be added as a viewer to each Google Drive the integration will discover.
* To discover Folder permissions on a drive, the User must be added as a viewer to the drive, regardless of role.

To create an OAuth app, assign scopes, and retrieve the credentials:

1. Log into Google Cloud Console <https://console.cloud.google.com/>
2. Create a new project <https://developers.google.com/workspace/guides/create-project> and select that project
3. Navigate to **APIs & Services**
4. Select **Enabled APIs & Services** from the left and click **+ Enable APIs and Services** from the top to enable a new API
   1. Search for "Google Drive API", select it from the results, and select **Enable**
5. Return to **APIs & Services** and select **OAuth Consent Screen**
6. Select **Internal** for the App type and click **Create**
   1. Provide a name and the contact emails
   2. Click **Save and Continue**
   3. Click **Add or Remove Scopes**
   4. Add the `https://www.googleapis.com/auth/drive.readonly` scope
      1. The `drive.readonly` scope is required to list Shared Drives
   5. Click **Save and Continue**
7. Return to **APIs & Services** and select **Credentials**
   1. Create credentials by clicking **+ Create Credentials** and selecting **OAuth Client ID**
   2. Select **Web Application** for **Application Type** and enter a name
   3. Under **Authorized redirect URIs** add `https://oauth2-redirect.on.vezacloud.com`
   4. Save and download the JSON file from the creation modal

#### Configuring Google Drive on the Veza Platform

1. In Veza, open the **Integrations** page.
2. Click *Add New* and pick **Google Drive** as the type of integration to add.
3. Enter the required information and *Save* the configuration.

| Field               | Notes                                                                                           |
| ------------------- | ----------------------------------------------------------------------------------------------- |
| Customer ID         | Google Workspace ID                                                                             |
| Credentials         | Credentials JSON file from Google Setup procedure                                               |
| Domain Admin Access | Check to use Domain Admin privileges during discovery (user must be Super Admin)                |
| Drive Allow List    | List of Drive names to discover. If provided, drives that do not match this list are ignored    |
| Drive Deny List     | List of Drives to exclude from discovery                                                        |

4. Click the *Authorize* button and complete the flow through the Google consent screens.
5. After being redirected to the **Edit Integration** page, save the integration.

