GoSpace Manager

Version v0.11.0

Manage Google Workspace resources using a developer-friendly CLI written in Go

Setup

Download

You can find pre-compiled binaries for most operating systems on GitHub.

If you have Go installed, you can also install GSM with

# go 1.17+
go install github.com/hanneshayashi/gsm@latest
# go 1.16
GO111MODULE="on" go get github.com/hanneshayashi/gsm

This will not only fetch the source code, but also put the compiled binary in your GOPATH/bin.

Installation

GSM doesn’t have any dependencies and comes in a single binary that can be run from anywhere you like.
While you can copy it to any directory you choose, I highly recommend putting it somewhere in your PATH
like “/usr/bin/gsm”.

Configuration Modes

You can use GSM in one of three modes:

  • user: User mode allows you to use any Google account (even private ones) to access the APIs.
    Note that you will only have access to the resources and APIs your account can access!
  • dwd: DWD (Domain Wide Delegation) allows you to utilize a GCP service account to impersonate user accounts in a Workspace domain.
    You need to add the service account and the appropriate scopes in the Admin Console of your Workspace domain to use this mode. See https://support.google.com/a/answer/162106 for details.
  • adc: ADC (“Application Default Credentials”) mode works like DWD mode, but it allows you to utilize Application Default Credentials, such as the implicit credentials of a Compute Engine instance’s Service Account or the “application-default” credentials of the Google Cloud SDK (gcloud), to impersonate a Service Account. This means you don’t have to manage Service Account key files.

You can set up multiple configurations using gsm configs.

General Setup

  1. Create a new GCP project (or use an existing one)
  2. Enable the APIs you want to use

GSM currently supports the following APIs:

Domain Wide Delegation Mode

(Note: This is probably the mode you want to use as a Workspace admin)

  1. Create a new Service Account
  2. Enable the Service Account for Domain Wide Delegation and enter a product name for the OAuth consent screen
  3. Create a new key for the Service Account and download it as a json file
  4. Create a new config with
    gsm configs new --name <name of your config> --mode dwd --credentialsFile <absolute path to your credentials.json> (--scopes <scopes you want to use>*) --subject <email address of the user you want to impersonate>**
    *If you don’t supply any scopes, all the default scopes will be used.
    **Some APIs require that you act as the user and not simply as an admin. You can also perform a command as a different user by supplying the --dwdSubject flag.
  5. Enter the configured scopes (or the default scopes) in your Admin Console
  6. Load the new config with gsm configs load --name <name of your config>

ADC (Application Default Credentials) Mode

(Recommended for running on GCP infrastructure)

  1. Activate the IAM Service Account Credentials API in the project where the Service Account is located
  2. Create a new Service Account
  3. Enable the Service Account for Domain Wide Delegation and enter a product name for the OAuth consent screen
  4. Permissions
    • If you want to use GSM on a GCE instance, give the Service Account of your instance the Service Account Token Creator role on the Service Account (if you want to use the Service Account of your GCE instance directly, you need to give it permission to impersonate itself by granting it Service Account Token Creator on itself).
    • If you want to use GSM on a machine not in GCP, such as your local workstation, run gcloud auth application-default login and log in with a user account that can impersonate the Service Account you want to use for DWD.
  5. Create a new config with
    gsm configs new --name <name of your config> --mode adc (--scopes <scopes you want to use>*) --subject <email address of the user you want to impersonate>** (--serviceAccount <email address of the Service Account you want to impersonate>***)
    *If you don’t supply any scopes, all the default scopes will be used.
    **Some APIs require that you act as the user and not simply as an admin. You can also perform a command as a different user by supplying the --dwdSubject flag.
    ***If you don’t supply a Service Account with the --serviceAccount flag, GSM will attempt to query the GCE instance’s metadata server and use the instance’s Service Account.
  6. Enter the configured scopes (or the default scopes) in your Admin Console
  7. Load the new config with gsm configs load --name <name of your config>

User Mode

(Recommended for individual users or users without admin access to Google Workspace)

  1. Configure your OAuth consent screen (if you haven’t already)
  2. Create a new OAuth Client ID of type “Desktop”
  3. Download your Client ID credentials (json file) to your local computer
  4. Create a new config with
    gsm configs new --name <name of your config> --mode user --credentialsFile <absolute path to your credentials.json> (--scopes <scopes you want to use>*)
    *If you don’t supply any scopes, all the default scopes will be used.
  5. Load the new config with gsm configs load --name <name of your config>
  6. The first time you run any command, a new browser window will open
  7. Choose the Google account you want to use
  8. When prompted, give GSM (or rather your Client ID) access to the requested scopes

You should now be able to use GSM with your Google account according to your account’s permissions and the scopes you chose.

Scopes

If you don’t supply any scopes during the creation of your config, GSM will assume you want to use the default scopes.
The default scopes are:

Note that you do not need to use all of these scopes, but make sure that the scopes you set in your config match those that you configure in your Admin Console!
