Follow the steps below to integrate your Google Workspace documents with Trustero.
Service Account Impersonation
Trustero’s Google Drive integration authenticates using service account impersonation. Trustero will only have access to resources shared with the service account. For additional information regarding service account impersonation, please consult Google's support pages: Service Account Impersonation
Create a Service Account
- In the Google Cloud Console, go to: Main menu -> IAM & Admin -> Service Accounts.
- Select or create a Google Cloud project.
- Click Create Service Account.
- Enter a name for your service account and, if you’d like, a description.
- Click Done.
Enable the Google Drive API
- Select the Google Cloud project that contains the service account you just created.
- In the left-hand menu, select APIs and Services > Enabled APIs and Services.
- At the top of the page, select Enable APIs and Services.
- Type Google Drive in the search bar and select the Google Drive API (it should be the first result).
- Click on the button that says Enable.
Domain Restricted Sharing
- If you have a domain restriction constraint that limits which domains are allowed to be used in IAM policies, you may need to temporarily lift the constraint in order to grant Trustero access to your new service account.
- Go to Main menu -> IAM & Admin -> Organization Policies.
- Search for Domain restricted sharing.
- If the policy exists within your project, remove it or update it to allow all domains while you complete the steps below.
- Once you’ve completed the steps below, you can implement the policy again or revert it to its previous state.
Grant Trustero Permission
- Select your newly created service account.
- Click on the Permissions tab.
- Click Grant Access.
- Under Add principals, enter the email address of Trustero’s service account:
trustero-gdrive@trustero-gdrive.iam.gserviceaccount.com
- Under Assign roles, enter the following role:
roles/iam.serviceAccountTokenCreator
- Click Save.
- If you temporarily removed domain restricted sharing, you can implement the policy again.
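
After saving, you can confirm that the grant on the service account is exactly what these steps describe. The following is an added example, not Trustero's or Google's code: it audits the service account's IAM policy as exported with `gcloud iam service-accounts get-iam-policy <service-account-email> --format=json`. The list of impersonation-capable roles is a non-exhaustive selection, and the sample policy and `allowed_members` values are constructed for illustration.

```python
import json

# Principal and role taken from the steps above.
TRUSTERO_MEMBER = "serviceAccount:trustero-gdrive@trustero-gdrive.iam.gserviceaccount.com"
EXPECTED_ROLE = "roles/iam.serviceAccountTokenCreator"

# Assumption: a non-exhaustive set of roles that let a principal act as,
# mint credentials for, or re-grant access to a service account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountAdmin",
}


def audit_policy(policy_json, allowed_members=frozenset()):
    """Return (trustero_granted, findings) for a service account IAM policy."""
    policy = json.loads(policy_json)
    trustero_granted = False
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member == TRUSTERO_MEMBER and role == EXPECTED_ROLE:
                trustero_granted = True
            elif member == TRUSTERO_MEMBER:
                findings.append(f"Trustero holds unexpected role {role}")
            elif role in IMPERSONATION_ROLES and member not in allowed_members:
                findings.append(f"{member} can impersonate via {role}")
    if not trustero_granted:
        findings.append("Trustero principal is missing " + EXPECTED_ROLE)
    return trustero_granted, findings


# Constructed sample policy (not real output): the expected grant plus a stray one.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": EXPECTED_ROLE, "members": [TRUSTERO_MEMBER, "user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser", "members": ["group:ops@example.com"]},
    ],
    "version": 1,
})

if __name__ == "__main__":
    granted, findings = audit_policy(SAMPLE_POLICY, allowed_members={"group:ops@example.com"})
    print("Trustero grant present:", granted)
    for finding in findings:
        print("FINDING:", finding)
```

Any finding other than an intentional, documented grant means a principal besides Trustero can obtain tokens for the service account and therefore reach every Drive resource shared with it.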
Share Resources with Service Account
After creating a service account and granting Trustero permission to impersonate it, you can simply give it access to the appropriate resources in Google Drive. Only give your service account access to resources you would like Trustero to be able to access.
Folders and Files
- In Google Drive, select a folder or file you would like the Trustero application to be able to access.
- Click Share.
- Enter your new service account’s email address and assign it a role of Editor.
- Folders and files shared with your service account will appear in the Google File Picker window under the Google Drive tab when using the Trustero platform.
Shared Drives
- In Google Drive, on the left-hand side, click on Shared Drives, and select a drive you would like the Trustero application to be able to access.
- At the top right of the Shared Drive window, click on the Manage members icon (usually represented by a person with a plus sign).
- In the Add people and groups field, enter your new service account’s email address and assign it a role of Contributor.
- Shared drives will appear in the Google File Picker window under the Shared drives tab when using the Trustero platform.
Activate Google Drive Integration
Once you’ve created a service account, granted Trustero permission to impersonate the service account, and shared the appropriate resources with the service account, you are ready to activate the integration within the Trustero platform.
Connect Google Drive
- In the Trustero platform, go to Settings -> Account.
- Click on the activate icon on the Google Drive row item.
- Enter the email address of your service account in the Service Account Email field and click Connect.
For more information on this feature, see the Google Drive Integration product announcement.