
Re deploy web app for a new admin

Kim Nilsson edited this page Dec 22, 2022 · 2 revisions

How to re-deploy userDelegation to new admin(s)

NOTE: This deployment process will only work for users with necessary (Editor) access to the project.

Each userDelegation admin needs their own service account, so their actions are logged individually in the OAuth audit log.

The name syntax matters, as the length is restricted. Don't use dots or spaces; dashes are fine.

userDelegation-new-admin-221222

That translates to: name of application - username reference - date of creation.
There is also a description for each service account, and it looks like this.

Service account used to let new.admin delegate Gmail

The description should be short but also descriptive. Best is to re-use the exact same syntax for every admin, and only replace the user and date references.

  1. Click CREATE SERVICE ACCOUNT, and enter details of the new admin.
  2. Click CREATE AND CONTINUE, and then CONTINUE, followed by DONE.
    You are now back in the list of service accounts.
  3. Click to open the new service account.
    Verify that the Service account details are correct.

Click KEYS, ADD KEY, Create new key.

  4. Make sure it’s set to JSON and click CREATE.
    The JSON file should now be downloaded to your computer, and a dialogue says so.
    Close it.
  5. Open the downloaded JSON file in a text editor, as we will copy the credentials from it to the secrets.gs file in the web app script.

Step 2 - Replace the service account credentials in the web app script

  1. Open the userDelegation Apps Script.
  2. Open/Click secrets.gs in the left menu. There may already be credentials from previous deployments. We will now replace them.
  3. On line 8, replace the private_key_id with the new value from line 4 in the JSON file.
    This value is for reference only; it has no function in the script.
  4. On line 12, replace the very long private_key from line 5 in the JSON file.
    Make sure to replace everything between the quotation marks. Do note that in the script they are single quotes, but in the JSON they are double. Do not replace the quotes in the script. Do not replace the entire line! Only the private key.
  5. On line 13, replace the client_email from line 6 in the JSON file.
  6. Open/click code.gs in the left menu.
  7. On line 2 replace the email address with the address to the new userDelegation admin.
    This code will verify that the user trying to access the userDelegation web app is actually logged into the listed account.
  8. Set a new password for the new admin.

Steps 7 and 8 above are the security controls of this web app: without them, anyone with the URL to the web app can list and manage delegations in your domain. You may choose to use only the user verification. If so, remove the second half of the IF line:

&& e.parameter.key == "SomePasswordHere"
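The two parts of Step 2 as testable functions: a check on the downloaded service-account JSON before its values are pasted into secrets.gs (so a truncated private key or wrong field is caught early), and the user-plus-key gate from code.gs pulled into a pure function. This is an added example, not the userDelegation project's own code; the JSON contents are constructed placeholders, and the function names and the `requireKey` switch are assumptions.

```javascript
// Added example, not the project's own code. Field names match the
// service-account JSON that Google Cloud downloads; all values are placeholders.
const SAMPLE_SERVICE_ACCOUNT_JSON = JSON.stringify({
  type: "service_account",
  project_id: "example-project",
  private_key_id: "PLACEHOLDER_KEY_ID",
  private_key: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  client_email: "userDelegation-new-admin-221222@example-project.iam.gserviceaccount.com",
  client_id: "000000000000000000000",
});

// Returns the three values Step 2 copies into secrets.gs, after checking that
// they exist and that the private key is still a complete PEM block (the usual
// copy/paste failure when only part of the very long line is replaced).
function loadServiceAccountSecrets(jsonText) {
  const sa = JSON.parse(jsonText);
  for (const field of ["private_key_id", "private_key", "client_email"]) {
    if (typeof sa[field] !== "string" || sa[field].length === 0) {
      throw new Error("service account JSON is missing " + field);
    }
  }
  if (!sa.private_key.startsWith("-----BEGIN PRIVATE KEY-----") ||
      !sa.private_key.trimEnd().endsWith("-----END PRIVATE KEY-----")) {
    throw new Error("private_key is not a complete PEM block; check the copy/paste");
  }
  if (!sa.client_email.endsWith(".iam.gserviceaccount.com")) {
    throw new Error("client_email is not a service account address");
  }
  return {
    private_key_id: sa.private_key_id,
    private_key: sa.private_key,
    client_email: sa.client_email,
  };
}

// The access gate from code.gs as a pure function. In Apps Script, doGet(e)
// would call it as isAuthorised(Session.getActiveUser().getEmail(),
// e.parameter.key, ADMIN_EMAIL, APP_KEY). requireKey=false is the
// "user verification only" variant described in the text. Both the admin
// address and the key are per-admin, so a new deployment gets new values.
function isAuthorised(activeUserEmail, suppliedKey, adminEmail, appKey, requireKey = true) {
  const sameUser = typeof activeUserEmail === "string" &&
    activeUserEmail.toLowerCase() === adminEmail.toLowerCase();
  if (!sameUser) return false;            // wrong or anonymous Google account
  if (!requireKey) return true;           // user verification only
  return typeof suppliedKey === "string" && suppliedKey === appKey;
}
```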

Save the project (click the save icon).

Click Deploy, New deployment.

  1. Enter a description for this new deployment.
    Just like with the service account description, it should refer to who the new admin is and what the deployment is for. The original deployment says the following.

userDelegation for mathas.advania@kunskapsskolan.se

  2. Copy that text and replace the email address with the new admin’s address.
  3. Leave the other settings as is. Click Deploy.
  4. Click the Copy button to copy the Web app URL. Finish with Done.

Give the web app URL to the new userDelegation admin, or wait until you've completed Step 3 and allowed some time for propagation.

If you ever need it again, you can pick it up in Deploy, Manage deployments.
Each deployment has its own unique URL. Admins can’t use someone else’s URL.

Step 3 - Add the OAuth 2 client ID to API Access Control, Domain Wide Delegation

  1. Open the service account page again. Copy the OAuth 2 client ID for the new account.
  2. Open DwD in Google admin console. Click Add new.
  3. Paste the client ID into the field for Client ID.
  4. Then copy the scopes below and paste them into the field for OAuth scopes.

https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email

  5. Click Authorise.

It may take a while for the Domain Wide Delegation access to propagate.
Until it has propagated, the admin will see “unknown reason” as the error message.

Run the web app for the first time.
