Setup
Download
You can find pre-compiled binaries for most operating systems on GitHub.
If you have Go installed, you can also install GSM with:
# go 1.17+
go install github.com/hanneshayashi/gsm@latest
# go 1.16
GO111MODULE="on" go get github.com/hanneshayashi/gsm
This will not only fetch the source code, but also put the compiled binary in your GOPATH/bin.
Installation
GSM doesn’t have any dependencies and comes in a single binary that can be run from anywhere you like.
While you can copy it to any directory you choose, I highly recommend putting it somewhere in your PATH, like “/usr/bin/gsm”.
Configuration Modes
You can use GSM in one of three modes:
- user: User mode allows you to use any Google account (even private ones) to access the APIs.
Note that you will only have access to the resources and APIs your account can access!
- dwd: DWD (Domain Wide Delegation) allows you to utilize a GCP service account to impersonate user accounts in a Workspace domain.
You need to add the service account and the appropriate scopes in the Admin Console of your Workspace domain to use this mode. See https://support.google.com/a/answer/162106 for details.
- adc: ADC (“Application Default Credentials”) mode works like DWD mode, but it allows you to utilize Application Default Credentials, such as the implicit credentials of a Compute Engine instance’s Service Account or the “application-default” credentials of the Google Cloud SDK (gcloud), to impersonate a Service Account. This means you don’t have to manage Service Account key files.
You can set up multiple configurations using gsm configs.
General Setup
- Create a new GCP project (or use an existing one)
- Enable the APIs you want to use
GSM currently supports the following APIs:
- Admin SDK API
- Gmail API
- Gmail Postmaster Tools API
- Google Calendar API
- Contacts API
- Google Drive API
- Google Drive Labels API
- Cloud Identity
- Groups Settings API
- Enterprise License Manager API
- Google People API
- Google Sheets API
Domain Wide Delegation Mode
(Note: This is probably the mode you want to use as a Workspace admin)
- Create a new Service Account
- Enable the Service Account for Domain Wide Delegation and enter a product name for the OAuth consent screen
- Create a new key for the Service Account and download it as a json file
- Create a new config with
gsm configs new --name <name of your config> --mode dwd --credentialsFile <absolute path to your credentials.json> (--scopes <scopes you want to use>*) --subject <email address of the user you want to impersonate>**
*If you don’t supply any scopes, all the default scopes will be used.
**Some APIs require that you act as the user and not simply as an admin. You can also perform a command as a different user by supplying the --dwdSubject flag.
- Enter the configured scopes (or the default scopes) in your Admin Console
- Load the new config with
gsm configs load --name <name of your config>
ADC (Application Default Credentials) Mode
(Recommended for running on GCP infrastructure)
- Activate the IAM Service Account Credentials API in the project where the Service Account is located
- Create a new Service Account
- Enable the Service Account for Domain Wide Delegation and enter a product name for the OAuth consent screen
- Permissions
  - If you want to use GSM on a GCE instance, give the Service Account of your instance the Service Account Token Creator role on the Service Account (if you want to use the Service Account of your GCE instance directly, you need to give it permission to impersonate itself by granting it Service Account Token Creator on itself).
  - If you want to use GSM on a machine not in GCP, such as your local workstation, run
gcloud auth application-default login
and log in with a user account that can impersonate the Service Account you want to use for DWD.
- Create a new config with
gsm configs new --name <name of your config> --mode adc (--scopes <scopes you want to use>*) --subject <email address of the user you want to impersonate>** (--serviceAccount <email address of the Service Account you want to impersonate>***)
*If you don’t supply any scopes, all the default scopes will be used.
**Some APIs require that you act as the user and not simply as an admin. You can also perform a command as a different user by supplying the --dwdSubject flag.
***If you don’t supply a Service Account with the --serviceAccount flag, GSM will attempt to query the GCE instance’s metadata server and use the instance’s Service Account.
- Enter the configured scopes (or the default scopes) in your Admin Console
- Load the new config with
gsm configs load --name <name of your config>
User Mode
(Recommended for individual users or users without admin access to Google Workspace)
- Configure your OAuth consent screen (if you haven’t already)
- Create a new OAuth Client ID of type “Desktop”
- Download your Client ID credentials (json file) to your local computer
- Create a new config with
gsm configs new --name <name of your config> --mode user --credentialsFile <absolute path to your credentials.json> (--scopes <scopes you want to use>*)
*If you don’t supply any scopes, all the default scopes will be used.
- Load the new config with
gsm configs load --name <name of your config>
- The first time you run any command, a new browser window will open
- Choose the Google account you want to use
- When prompted, give GSM (or rather your Client ID) access to the requested scopes
You should now be able to use GSM with your Google account according to your account’s permissions and the scopes you chose.
Scopes
If you don’t supply any scopes during the creation of your config, GSM will assume you want to use the default scopes.
The default scopes are:
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.customer
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.group.member
- https://www.googleapis.com/auth/admin.directory.orgunit
- https://www.googleapis.com/auth/admin.directory.rolemanagement
- https://www.googleapis.com/auth/admin.directory.user.security
- https://www.googleapis.com/auth/admin.directory.domain
- https://www.googleapis.com/auth/admin.directory.device.mobile
- https://www.googleapis.com/auth/admin.directory.device.chromeos
- https://www.googleapis.com/auth/admin.directory.resource.calendar
- https://www.googleapis.com/auth/admin.directory.userschema
- https://www.google.com/m8/feeds/contacts/
- https://www.googleapis.com/auth/drive
- https://mail.google.com/
- https://www.googleapis.com/auth/gmail.settings.sharing
- https://www.googleapis.com/auth/gmail.settings.basic
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/cloud-identity.groups
- https://www.googleapis.com/auth/cloud-identity.userinvitations
- https://www.googleapis.com/auth/cloud-identity.inboundsso
- https://www.googleapis.com/auth/cloud-identity.devices
- https://www.googleapis.com/auth/cloud-identity.devices.lookup
- https://www.googleapis.com/auth/cloud-identity.orgunits
- https://www.googleapis.com/auth/apps.groups.settings
- https://www.googleapis.com/auth/calendar
- https://www.googleapis.com/auth/apps.licensing
- https://www.googleapis.com/auth/directory.readonly
- https://www.googleapis.com/auth/contacts.other.readonly
- https://www.googleapis.com/auth/spreadsheets
- https://www.googleapis.com/auth/admin.reports.audit.readonly
- https://www.googleapis.com/auth/admin.reports.usage.readonly
- https://www.googleapis.com/auth/postmaster.readonly
- https://www.googleapis.com/auth/admin.contact.delegation
- https://www.googleapis.com/auth/admin.chrome.printers
- https://www.googleapis.com/auth/drive.labels
- https://www.googleapis.com/auth/drive.admin.labels
Note that you do not need to use all of these scopes, but make sure that the scopes you set in your config match those that you configure in your Admin Console!
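A pre-flight check for the note above, as an added example that is not part of GSM or its documentation: it compares the scopes chosen for a config with those authorised in the Admin Console and lists the mail and Drive scopes that grant full access. The comma- or space-separated input format, the function names and both sample scope lists are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not GSM code. Inputs are comma- or space-separated scope
# lists (an assumed format for this script); the lists below are constructed.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Turn a scope list into one scope per line, sorted and de-duplicated.
normalise() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | sed '/^$/d' | sort -u
}

# Print the scopes that appear in list $1 but not in list $2.
only_in_first() {
    tmp_a=$(mktemp) && tmp_b=$(mktemp) || return 1
    normalise "$1" >"$tmp_a"
    normalise "$2" >"$tmp_b"
    comm -23 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Print the scopes in list $1 that grant full access to mailboxes or Drive.
# Exact-line match, so drive.labels is not confused with drive.
broad_scopes() {
    normalise "$1" | grep -x -F \
        -e 'https://mail.google.com/' \
        -e 'https://www.googleapis.com/auth/drive' || true
}

# Constructed sample: scopes chosen for the GSM config.
CONFIG_SCOPES='https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/drive'
# Constructed sample: scopes authorised for the client ID in the Admin Console.
CONSOLE_SCOPES='https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/drive, https://mail.google.com/'

echo "In config but not authorised in the Admin Console:"
only_in_first "$CONFIG_SCOPES" "$CONSOLE_SCOPES"
echo "Authorised in the Admin Console but not used by the config:"
only_in_first "$CONSOLE_SCOPES" "$CONFIG_SCOPES"
echo "Full-access mail/Drive scopes authorised in the Admin Console:"
broad_scopes "$CONSOLE_SCOPES"
```

Scopes in the second group are delegated privilege that the config never uses and are candidates for removal from the Admin Console.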
SEE ALSO
- gsm configs - Configure GSM