GSuite Configuration

This module allows authentication from a service account or via OAuth tokens.

Method 1: Using service account (legacy)

Ingesting GSuite Users and Groups utilizes the Google Admin SDK.

  1. Enable Google API access

  2. Create a new G Suite user account and accept the Terms of Service. This account will be used for domain-wide delegated access.

  3. Perform G Suite Domain-Wide Delegation of Authority

  4. Download the service account’s credentials

  5. Export the environment variables:

    1. GSUITE_GOOGLE_APPLICATION_CREDENTIALS - location of the credentials file.

    2. GSUITE_DELEGATED_ADMIN - email address that you created in step 2

Method 2: Using OAuth

  1. Create an App on Google Cloud Console

  2. Refer to the following documentation if needed:




  3. Download credentials file

  4. Use the helper script below to run the OAuth flow and obtain a refresh_token

  5. Serialize needed secret:

    import json
    import base64
    auth_json = json.dumps({"client_id": "", "client_secret": "ChangeMe", "refresh_token": "ChangeMe", "token_uri": ""})
    base64.b64encode(auth_json.encode())

  6. Populate an environment variable of your choice with the contents of the base64 output from the previous step.

  7. Call the cartography CLI with --gsuite-tokens-env-var YOUR_ENV_VAR_HERE and --gsuite-auth-method oauth.
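
A pre-flight check for the value built in steps 5 and 6, as an added example that is not part of cartography's own code: it decodes the base64 string and reports empty fields, leftover ChangeMe placeholders and a pasted b'...' wrapper, without printing any secret. The function name check_token_blob and the script name are hypothetical; the four required keys are the ones shown in step 5.

```python
import base64
import json
import os
import sys

# Keys taken from the JSON object serialized in step 5.
REQUIRED_KEYS = ("client_id", "client_secret", "refresh_token", "token_uri")


def check_token_blob(blob):
    """Return a list of problems with the base64 secret; an empty list means OK.

    Messages name the failing field only, so secret values never reach logs.
    """
    blob = blob.strip()
    if blob.startswith(("b'", 'b"')):
        # base64.b64encode() returns bytes; the REPL shows them as b'...'.
        return ["value still has the Python b'...' wrapper around it"]
    try:
        auth = json.loads(base64.b64decode(blob, validate=True))
    except ValueError:  # covers binascii.Error, bad UTF-8 and bad JSON
        return ["value is not base64-encoded JSON"]
    if not isinstance(auth, dict):
        return ["decoded JSON is not an object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = auth.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} is missing or empty")
        elif value == "ChangeMe":
            problems.append(f"{key} still holds the ChangeMe placeholder")
    uri = auth.get("token_uri")
    if isinstance(uri, str) and uri.strip() and not uri.startswith("https://"):
        problems.append("token_uri is not an https:// URL")
    return problems


if __name__ == "__main__":
    # Usage: python check_gsuite_env.py YOUR_ENV_VAR_HERE
    if len(sys.argv) != 2:
        sys.exit("usage: check_gsuite_env.py ENV_VAR_NAME")
    found = check_token_blob(os.environ.get(sys.argv[1], ""))
    for problem in found:
        print("problem:", problem)
    sys.exit(1 if found else 0)
```

Run it against the same variable name you pass to --gsuite-tokens-env-var; a non-zero exit status means the value should be rebuilt before the sync runs.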

Google OAuth Helper:

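from __future__ import print_function
import json
import os

from google_auth_oauthlib.flow import InstalledAppFlow
from googleapiclient.discovery import build

# OAuth scopes to request. Fill in the Admin SDK scope URLs before running.
scopes = ["", "", ""]

print('Go to Google Cloud Console > API & Services > Credentials and download secrets')
project_id = input('Provide your project ID:')
client_id = input('Provide your client ID:')
client_secret = input('Provide your client secret:')
# Write a temporary client secrets file in the "installed" app format.
with open('credentials.json', 'w', encoding='utf-8') as fc:
    data = {
        "installed": {
            "client_id": client_id,
            "project_id": project_id,
            "client_secret": client_secret,
            # Google's standard OAuth 2.0 endpoints
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "redirect_uris": ["http://localhost"],
        },
    }
    json.dump(data, fc)
flow = InstalledAppFlow.from_client_secrets_file(
    'credentials.json', scopes)
# The flow now holds the client config in memory; remove the file so the
# client secret does not stay on disk.
os.remove('credentials.json')
flow.redirect_uri = 'http://localhost'
auth_url, _ = flow.authorization_url(prompt='consent')
print(f'Please go to this URL: {auth_url}')
code = input('Enter the authorization code: ')
# Exchange the authorization code for tokens before reading flow.credentials.
flow.fetch_token(code=code)
creds = flow.credentials
print('Testing your credentials by getting the first 10 users in the domain ...')
service = build('admin', 'directory_v1', credentials=creds)
print('Getting the first 10 users in the domain')
results = service.users().list(customer='my_customer', maxResults=10).execute()
users = results.get('users', [])
if not users:
    print('No users in the domain.')
else:
    for user in users:
        print(u'{0} ({1})'.format(user['primaryEmail'],
                                  user['name']['fullName']))
print('Your credentials:')
# creds.to_json() already returns a JSON string; parse it so it is not
# encoded twice. The output contains the refresh_token, so treat it as a secret.
print(json.dumps(json.loads(creds.to_json()), indent=2))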