> ## Documentation Index
> Fetch the complete documentation index at: https://docs.onyx.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Gmail Service Account

> Set up Gmail Service Account for the connector

This section walks through setting up the Gmail connector using a Service Account.
More info on Service Accounts can be found [here](https://cloud.google.com/iam/docs/service-account-overview).
A Google Workspace is required.

If you'd rather use an individuals account + OAuth to access Gmail, checkout the section [here](./oauth).

### Authorization

<Steps>
  <Step title="Create Google Cloud Project">
    * [https://console.cloud.google.com/projectcreate](https://console.cloud.google.com/projectcreate)
  </Step>

  <Step title="Enable Gmail API and Admin SDK">
    * On the left panel, open **APIs & services**
    * Go to **Enabled APIs and services**
    * On the top click **+ENABLE APIS AND SERVICES**
    * Search for **Gmail API** and click **ENABLE**
    * Alternatively visit this [link](https://console.cloud.google.com/flows/enableapi?apiid=gmail.googleapis.com), select your project and enable the **Gmail API**
    * Also enable **Admin SDK API** (search and enable)

    <img className="rounded-image" src="https://mintcdn.com/danswer/24Ocig51qMqahMaT/assets/admins/connectors/google_drive/GoogleDriveEnableAPI.png?fit=max&auto=format&n=24Ocig51qMqahMaT&q=85&s=401115876b9e570bef36bb01e9fa84a8" alt="Google Cloud Console enabling Gmail and Admin SDK APIs" width="808" height="497" data-path="assets/admins/connectors/google_drive/GoogleDriveEnableAPI.png" />
  </Step>

  <Step title="Create Service Account">
    * Go to the [Service Account management page](https://console.cloud.google.com/iam-admin/serviceaccounts) in Google Cloud.
    * Click `Create Service Account` button and fill out the fields in step 1. You can ignore steps 2 and 3.
    * Go to the `Keys` section, and click `Add Key`. Download this key, you will need to upload it to Onyx later.

    Note for Google Organizations created after April 2024:

    * To give the service account the proper permissions you will have to navigate to this [link](https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation)
    * Then select `Manage`, select `Override parent's policy` and then select `Not enforced` under `Rules`.
    * Finally, select `SET POLICY`

    <iframe
      width="840"
      height="473"
      src="https://www.youtube.com/embed/Z5R9HUCVVAE?si=GZxteF6rmIHa1BOE"
      title="YouTube video
player"
      frameBorder="0"
      allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope;
picture-in-picture; web-share; fullscreen;"
      allowfullscreen
    />
  </Step>

  <Step title="Grant domain-wide delegation">
    Give this **Service Account** read-only access to Gmail

    * Copy the `Unique ID` of the Service Account
    * Go to the [Domain-wide Delegation page](https://admin.google.com/ac/owl/domainwidedelegation) in the Google Admin Console.
    * Click `Add new`, fill in the client ID with the `Unique ID` of the Service account
    * Copy this comma separated list of scopes and paste it into field `OAuth scopes`:
      `https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly`
  </Step>
</Steps>