How to connect Google Workspace accounts to MailReach using Domain-Wide Delegation
This connection method lets you connect multiple Gmail accounts from your Workspace at once, if necessary. A great time-saver.
Sign in to Google Cloud Platform.
Make sure you're logged in with an Admin account of the Google Workspace you want to connect to MailReach. If this is the first time you've used the Google Cloud Platform, you will need to agree to the terms of service popup.
On the dashboard, click the CREATE PROJECT button on the right 👇
In the 'Project Name' field, choose a random name (you can use the suggested one), then click Create. It can take some time to load your project.
Click on Enable APIs and Services
In the Enable APIs and services field, enter Gmail API. It should display as you type. Click on it.
Select Gmail API
Click Enable
On the left menu, click on Credentials
Click on Create credentials and then Service account
In the three fields of Service account details, put any random name, it doesn't matter. Then click on Create and continue
For "Grant this service account access to the project", leave that empty and click on Continue
Same for "Grant users access to this service account", leave that empty and lick on Done
In the bottom under "Service Accounts", on the right, click on the Pen to Edit
Copy the Unique ID (you'll paste it later in the process)
In the top menu, click on Keys
Click on Add Key > Create New Key > JSON > Create. It will download a file on your computer.
Now, in a new tab open the Google Workspace Admin. Make sure you connect to the Google workspace that contains the email account(s) you wish to connect to MailReach.
On the left menu and click on Security > Access and data control > API controls
At the bottom, click on Manage Domain-Wide Delegation
To the right of "API Clients", click on Add new
In the Client ID field, paste your Client ID (the one that you copied at Step 15)
In OAuth Scopes (comma-delimited), copy and paste the following
https://mail.google.com/,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/gmail.imap_admin
Click on Authorize
Go back on MailReach and upload the JSON file that you've downloaded earlier
Click on Next and follow the on-screen steps.
This is the most common error, below are two different solutions to solve that issue. Start with the Fix 1.
Go to https://console.cloud.google.com/cloud-resource-manager
Make sure you're signed in with to the right Google Account by clicking on your avatar in the top right
Under Resources, you should see your domain, click on it. A panel on the right with Permissions should appear.
Click on Add Principal, then in New principals, add your email address (the one you are connected to)
Under Assign Roles, add yourself the role Organization Policy Administrator and Save
Then go to https://console.cloud.google.com/iam-admin/orgpolicies/ and make sure you're signed in with the right Google Account again.
Go to the bottom > Rows per page > Select 200
Look for the policy named Disable service account key creation (it's "account key creation", not just "account creation"), then click on it to view it.
Here, the status should be: Not enforced.
Go to https://console.cloud.google.com/iam-admin/iam and make sure you're signed in with the right Google Account (and not your personal Gmail for instance).
Find your email on the list and click on the pen icon on the far right to edit.
You need the 'Organization Policy Administrator' role assigned. You can click on Add another role if you already have one and look for 'Organization Policy Administrator'. Once it's added, click on Save. If you can't find this role precisely, that means you don't have the rights to give yourself this role. You can ask an admin to give yourself the role. If you can't ask an admin, switch to the Fix 2 below.
Then go to https://console.cloud.google.com/iam-admin/orgpolicies/ and make sure you're signed in with the right Google Account.
Go to the bottom > Rows per page > Select 200
Look for the policy named Disable service account key creation (it's "account key creation", not just "account creation"), then click on it to view it.
Here, the status should be: Not enforced.
Once it's done, please start the process again and it should work.
A solution that works is to start again from the step 1. and sign in to Google Cloud Platform but with a personal Gmail account (a @gmail.com inbox and not with your corporate mailbox) and then follow all the steps until the end of the process.
If none of these two solutions worked for you, please leave us a message on the chat and we'll do our best to help you.
The Step-By-Step Guide - (Takes 4 min, required only once per Workspace)
Sign in to Google Cloud Platform.
Make sure you're logged in with an Admin account of the Google Workspace you want to connect to MailReach. If this is the first time you've used the Google Cloud Platform, you will need to agree to the terms of service popup.
On the dashboard, click the CREATE PROJECT button on the right 👇
In the 'Project Name' field, choose a random name (you can use the suggested one), then click Create. It can take some time to load your project.
Click on Enable APIs and Services
In the Enable APIs and services field, enter Gmail API. It should display as you type. Click on it.
Select Gmail API
Click Enable
On the left menu, click on Credentials
Click on Create credentials and then Service account
In the three fields of Service account details, put any random name, it doesn't matter. Then click on Create and continue
For "Grant this service account access to the project", leave that empty and click on Continue
Same for "Grant users access to this service account", leave that empty and lick on Done
In the bottom under "Service Accounts", on the right, click on the Pen to Edit
Copy the Unique ID (you'll paste it later in the process)
In the top menu, click on Keys
Click on Add Key > Create New Key > JSON > Create. It will download a file on your computer.
Now, in a new tab open the Google Workspace Admin. Make sure you connect to the Google workspace that contains the email account(s) you wish to connect to MailReach.
On the left menu and click on Security > Access and data control > API controls
At the bottom, click on Manage Domain-Wide Delegation
To the right of "API Clients", click on Add new
In the Client ID field, paste your Client ID (the one that you copied at Step 15)
In OAuth Scopes (comma-delimited), copy and paste the following
https://mail.google.com/,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/gmail.imap_admin
Click on Authorize
Go back on MailReach and upload the JSON file that you've downloaded earlier
Click on Next and follow the on-screen steps.
Troubleshooting
"Service account key creation is disabled" error
This is the most common error, below are two different solutions to solve that issue. Start with the Fix 1.
Fix 1
Go to https://console.cloud.google.com/cloud-resource-manager
Make sure you're signed in with to the right Google Account by clicking on your avatar in the top right
Under Resources, you should see your domain, click on it. A panel on the right with Permissions should appear.
Click on Add Principal, then in New principals, add your email address (the one you are connected to)
Under Assign Roles, add yourself the role Organization Policy Administrator and Save
Then go to https://console.cloud.google.com/iam-admin/orgpolicies/ and make sure you're signed in with the right Google Account again.
Go to the bottom > Rows per page > Select 200
Look for the policy named Disable service account key creation (it's "account key creation", not just "account creation"), then click on it to view it.
Here, the status should be: Not enforced.
Fix 2
Go to https://console.cloud.google.com/iam-admin/iam and make sure you're signed in with the right Google Account (and not your personal Gmail for instance).
Find your email on the list and click on the pen icon on the far right to edit.
You need the 'Organization Policy Administrator' role assigned. You can click on Add another role if you already have one and look for 'Organization Policy Administrator'. Once it's added, click on Save. If you can't find this role precisely, that means you don't have the rights to give yourself this role. You can ask an admin to give yourself the role. If you can't ask an admin, switch to the Fix 2 below.
Then go to https://console.cloud.google.com/iam-admin/orgpolicies/ and make sure you're signed in with the right Google Account.
Go to the bottom > Rows per page > Select 200
Look for the policy named Disable service account key creation (it's "account key creation", not just "account creation"), then click on it to view it.
Here, the status should be: Not enforced.
Once it's done, please start the process again and it should work.
Fix 3
A solution that works is to start again from the step 1. and sign in to Google Cloud Platform but with a personal Gmail account (a @gmail.com inbox and not with your corporate mailbox) and then follow all the steps until the end of the process.
If none of these two solutions worked for you, please leave us a message on the chat and we'll do our best to help you.
Updated on: 05/07/2024
Thank you!