Symptoms

While setting up Google Workspace according to product documentation, you are getting the following error: 

ExternalRequestFailedError

Cause

Instructions in guide do not match current Google Cloud user interface.

Product documentation will be fixed in upcoming update C22.02.

Solution

When setting up Google Workspace, follow the steps 1, 2 and 3a in Creating a personal Google Cloud project.

For steps 3b and 4, follow the instructions below.

To create and configure the service account for the Cyber Protection service:

1. From the navigation menu in the Google Cloud Platform, select IAM & Admin > Service accounts.

2. Click Create service account.

3. Specify a name for the service account.

4. Specify a description for the service account.

5. Click Create and continue.

6. Do not change anything in the Grant this service account access to the project and Grant users access to this service account steps.

7. Click Done. The Service accounts page opens.

8. On the Service accounts page, select the new service account, and then under Actions, click Manage Keys.

10. Under Keys, click Add key > Create new key, and then select the JSON key type.

11. Click Create.

As a result, a JSON file with the private key of the service account is automatically downloaded to your machine. Store this file securely because you need it to add your Google Workspace organization to the Cyber Protection service.

To grant the new project access to your Google Workspace account:

1. From the navigation menu in the Google Cloud Platform, select IAM & Admin > Service accounts.
2. Find the created service account in the list and copy the client ID of your service account client from OAuth 2.0 Client ID column.
3. Sign in to the Google Admin console (admin.google.com) as a Super Administrator.
4. From the navigation menu, select Security > Access and data control > API controls.
5. Scroll down the API controls page, and then under Domain-wide delegation, click Manage domain-wide delegation. The Domain-wide delegation page opens.
6. On the Domain-wide delegation page, click Add new. The Add a new client ID window opens.
7. In the Client ID field, enter the client ID of your service account client.
8. In the OAuth scopes field, add the following scopes, one by one:
   • https://mail.google.com
   • https://www.googleapis.com/auth/contacts
   • https://www.googleapis.com/auth/calendar
   • https://www.googleapis.com/auth/admin.directory.user.readonly
   • https://www.googleapis.com/auth/admin.directory.domain.readonly
   • https://www.googleapis.com/auth/drive
   • https://www.googleapis.com/auth/gmail.modify
9. Click Authorise.

As a result, your new Google Cloud project can access the data in your Google Workspace account. To back up the data, you need to link this project to the Cyber Protection service. For more information on how to do this, refer to To add a Google Workspace organization by using a dedicated personal Google Cloud project

If you need to revoke the access of your Google Cloud project to your Google Workspace account, and respectively the access of the Cyber Protection service, delete the API client that your project uses.