I had to figure this out for the nyt-connections project but wound up not using it because even with this auth scheme you can't list messages from chat rooms which allow non-domain users to be added.
Create a service account in https://console.cloud.google.com/iam-admin/serviceaccounts?supportedpurview=project and create a JSON key for it (Keys > Add key > Create new key > JSON). The downloaded key file is what goes into the secret below; with delegation enabled it lets whoever holds it act as any user in the domain for the granted scopes, so treat it accordingly.
Delegating domain-wide authority to the service account (requires a Google Workspace domain with Admin console access; a personal Gmail account has no Admin console and can't do this):
- From your Google Workspace domain's Admin console, go to Main menu > Security > Access and data control > API controls.
- In the Domain wide delegation pane, select Manage Domain Wide Delegation.
- Click Add new.
- In the Client ID field, enter the service account's client ID. This is the numeric Unique ID shown on the service account's details page in the Service accounts console; it is also the client_id field in the downloaded key JSON.
- In the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to. For read-only message listing, add only:
https://www.googleapis.com/auth/chat.messages.readonly
- Click Authorize.
The scopes granted here must match the scope string your code puts in the JWT assertion exactly, or the token exchange fails with an unauthorized_client error. Keep the list minimal: the grant applies to every user in the domain, not just the one you delegate from.
Put the service account key file contents into a secret. jq -c collapses the JSON to a single line so it pastes cleanly; pbcopy is macOS, so substitute your clipboard tool elsewhere. Delete the file from ~/Downloads once the secret is stored, and never commit it:
jq -c . ~/Downloads/nyt-connections-2a220302a411.json | pbcopy
wrangler secret put GCP_SERVICE_ACCOUNT
(paste the clipboard contents when prompted)
Put the Chat space's resource name, the spaces/xxx part of the space URL, into a secret:
wrangler secret put SPACE_ID
Put the Workspace user the service account will impersonate into a secret. This is the sub claim of the JWT; API calls run as this user, so it must be a member of the space:
wrangler secret put GCP_DELEGATED_ACCESS_ACCOUNT
For local development, put the same three values in a .dev.vars file (make sure it is gitignored, since it holds the private key):
GCP_SERVICE_ACCOUNT=...
SPACE_ID=...
GCP_DELEGATED_ACCESS_ACCOUNT=...
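What the Worker actually does with those three secrets is not on the page, so here is the flow as an added example (my code, not the nyt-connections project's): build a JWT assertion signed with the service account's private key whose sub is the delegated user, exchange it at the token endpoint for an access token, then call spaces.messages.list. It uses WebCrypto so it runs in a Worker without a Google client library. The throwaway key, the fake-sa@example-project address, the spaces/AAAAtest space and the injectable fetchImpl are constructed for illustration and are assumptions, not values from the page.

```javascript
// Added example (not the page's own Worker code): the JWT-bearer flow behind
// domain-wide delegation, done with WebCrypto so it runs in a Cloudflare
// Worker without a Google client library. Names, the throwaway key and the
// fake fetch are constructed for illustration.
const SCOPE = "https://www.googleapis.com/auth/chat.messages.readonly"; // must match the Admin console grant
const enc = new TextEncoder();

// Workers expose crypto.subtle globally; older Node needs node:crypto.
async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle;
  return (await import("node:crypto")).webcrypto.subtle;
}

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s) => {
  const std = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(std + "=".repeat((4 - (std.length % 4)) % 4)), (c) => c.charCodeAt(0));
};

// The key file's private_key is a PKCS#8 PEM; strip the armour and import it.
async function importServiceAccountKey(pem) {
  const der = b64urlDecode(pem.replace(/-----[^-]+-----/g, "").replace(/\s+/g, ""));
  return (await getSubtle()).importKey(
    "pkcs8", der, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, false, ["sign"]);
}

// Signed assertion: iss is the service account, sub is the Workspace user it
// impersonates (GCP_DELEGATED_ACCESS_ACCOUNT). Google honours sub only if the
// admin authorised this client ID for exactly the scopes requested here.
async function buildAssertion(sa, delegatedUser, scope, nowSeconds) {
  const header = { alg: "RS256", typ: "JWT", kid: sa.private_key_id };
  const claims = { iss: sa.client_email, sub: delegatedUser, scope, aud: sa.token_uri,
                   iat: nowSeconds, exp: nowSeconds + 3600 }; // 1h is the longest Google accepts
  const input = `${b64url(enc.encode(JSON.stringify(header)))}.${b64url(enc.encode(JSON.stringify(claims)))}`;
  const key = await importServiceAccountKey(sa.private_key);
  const sig = await (await getSubtle()).sign("RSASSA-PKCS1-v1_5", key, enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

function parseAssertion(jwt) {
  const [h, c] = jwt.split(".");
  const dec = new TextDecoder();
  return { header: JSON.parse(dec.decode(b64urlDecode(h))), claims: JSON.parse(dec.decode(b64urlDecode(c))) };
}

// What Google's token endpoint does with the assertion; useful locally to
// prove the signature binds iss/sub/scope before spending a real call on it.
async function verifyAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split(".");
  return (await getSubtle()).verify("RSASSA-PKCS1-v1_5", publicKey, b64urlDecode(s), enc.encode(`${h}.${c}`));
}

// Exchange the assertion for a short-lived access token.
async function fetchAccessToken(assertion, tokenUri, fetchImpl = fetch) {
  const body = new URLSearchParams({ grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer", assertion });
  const resp = await fetchImpl(tokenUri, { method: "POST", body });
  if (!resp.ok) throw new Error(`token exchange failed: ${resp.status} ${await resp.text()}`);
  return (await resp.json()).access_token;
}

// spaces.messages.list: GET https://chat.googleapis.com/v1/{SPACE_ID}/messages as the impersonated user.
async function listMessages(spaceId, accessToken, fetchImpl = fetch) {
  const resp = await fetchImpl(`https://chat.googleapis.com/v1/${spaceId}/messages`,
    { headers: { Authorization: `Bearer ${accessToken}` } });
  if (!resp.ok) throw new Error(`messages.list failed: ${resp.status} ${await resp.text()}`);
  return (await resp.json()).messages ?? [];
}

// End to end with the three secrets named on the page. In a Worker this is
// called from fetch(request, env); fetchImpl is injectable for offline tests.
async function listSpaceMessages(env, fetchImpl = fetch, nowSeconds = Math.floor(Date.now() / 1000)) {
  const sa = JSON.parse(env.GCP_SERVICE_ACCOUNT);
  const assertion = await buildAssertion(sa, env.GCP_DELEGATED_ACCESS_ACCOUNT, SCOPE, nowSeconds);
  const token = await fetchAccessToken(assertion, sa.token_uri, fetchImpl);
  return listMessages(env.SPACE_ID, token, fetchImpl);
}

// Constructed stand-in for the downloaded key file: a fresh throwaway RSA key
// (never a real one), so the flow can be exercised without talking to Google.
async function makeThrowawayServiceAccount() {
  const subtle = await getSubtle();
  const { privateKey, publicKey } = await subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, ["sign", "verify"]);
  const der = btoa(String.fromCharCode(...new Uint8Array(await subtle.exportKey("pkcs8", privateKey))));
  const pem = `-----BEGIN PRIVATE KEY-----\n${der.match(/.{1,64}/g).join("\n")}\n-----END PRIVATE KEY-----\n`;
  const serviceAccount = {
    type: "service_account", client_email: "fake-sa@example-project.iam.gserviceaccount.com",
    client_id: "000000000000000000000", private_key_id: "throwaway", private_key: pem,
    token_uri: "https://oauth2.googleapis.com/token",
  };
  return { serviceAccount, publicKey };
}
```

Two things worth noticing in use: the delegated user's identity is carried only in the signed sub claim, so anyone with the key file can put any domain address there (that is why the key is the thing to protect, not the SPACE_ID or the user name), and the access token the exchange returns is what hits the Chat API, so a 403 on the list call usually means the delegated user is not in the space, while an unauthorized_client from the token endpoint means the scope or client ID in the Admin console grant does not match.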