This section walks through setting up the Google Drive connector using a Service Account. More info on Service Accounts can be found here. A Google Workspace is required. If you’d rather use an individuals account + OAuth to access Google Drive, checkout the section here.

Authorization

  1. Create a Google Cloud Project
  2. Enable the Google Drive API, the Admin SDK API, the Google Docs API, and the Google Sheets API
    • On the left panel, open APIs & services
    • Go to Enabled APIs and services
    • On the top click +ENABLE APIS AND SERVICES
    • Search for Google Drive API and click ENABLE
    • Alternatively visit this link, select your project and enable the Google Drive API
  3. Enable the Admin SDK API
    • Click on +ENABLE APIS AND SERVICES again.
    • Search for Admin SDK API and click ENABLE
    • Alternatively visit this link, select your project and enable the Admin SDK API
  4. Enable the Google Sheets API
    • Click on +ENABLE APIS AND SERVICES again.
    • Search for Google Sheets API and click ENABLE
    • Alternatively visit this link, select your project and enable the Google Sheets API
  5. Enable the Google Docs API
    • Click on +ENABLE APIS AND SERVICES again.
    • Search for Google Docs API and click ENABLE
    • Alternatively visit this link, select your project and enable the Google Docs API
GoogleDriveEnableAPI
  1. Create a Service Account
    • Go to the Service Account management page in Google Cloud.
    • Click Create Service Account button and fill out the fields in step 1. You can ignore steps 2 and 3.
    • Go to the Keys section, and click Add Key. Download this key, you will need to upload to to Onyx later.
    Note for Google Organizations created after April 2024:
    • to give the service account the proper permissions you will have to navigate to this link
    • Then select Manage, select Override parent's policy and then select Not enforced under Rules.
    • Finally, select SET POLICY
  1. Give this Service Account read-only access to Google Drive
    • Copy the Unique ID of the Service Account
    • Go to the Domain-wide Delegation page in the Google Admin Console.
    • Click Add new, fill in the client ID with the Unique ID of the Service account
    • Copy this comma separated list of scopes and pasted it into field OAuth scopes: https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly

Indexing

First, navigate to the Admin Dashboard and select the Google Drive connector. Then, create a new credential, then upload the key you downloaded in step 6. For the Primary Admin Email, use the email of a user that:
  • Has access to Drive and Docs in Google Workspace
  • Has the following admin permissions:
    • Admin console privileges -> Services -> Drive and Docs -> Settings
    • Admin API privileges -> Users -> Read
    • Admin API privileges -> Groups -> Read
    • Admin API privileges -> Organization Units -> Read
This can either be an existing admin, or a brand new account created specifically for Onyx (e.g. onyx-robot@your-domain.com). Note that this should NOT be the service account email. This can be configured by an admin in the admin panel of the Google Workspace under Account > Admin roles. GoogleDriveAdminConsole Click Create Credential, and then close the dialog. From there, click the Continue button and configure the connector!