| organization | category | icon_url | brand_color | display_name | short_name | description | og_description | og_image | |
|---|---|---|---|---|---|---|---|---|---|
Turbot |
|
/images/plugins/turbot/googleworkspace.svg |
#ea4335 |
Google Workspace |
googleworkspace |
Steampipe plugin for querying users, groups, org units and more from your Google Workspace. |
Query Google Workspace with SQL! Open source CLI. No DB required. |
/images/plugins/turbot/googleworkspace-social-graphic.png |
Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.
Steampipe is an open source CLI to instantly query cloud APIs using SQL.
For example:
select
summary,
hangout_link,
start_time,
end_time
from
googleworkspace_calendar_my_event
where
start_time > now()::timestamp
and end_time < ('now'::timestamp + interval '1 day');+----------------+--------------------------------------+---------------------+---------------------+
| summary | hangout_link | start_time | end_time |
+----------------+--------------------------------------+---------------------+---------------------+
| Product Review | https://meet.google.com/ris-zooa-rxo | 2021-08-18 12:30:00 | 2021-08-18 13:00:00 |
+----------------+--------------------------------------+---------------------+---------------------+
Download and install the latest Google Workspace plugin:
steampipe plugin install googleworkspace| Item | Description |
|---|---|
| Credentials | 1. To use domain-wide delegation, generate your service account and credentials and delegate domain-wide authority to your service account. Enter the following OAuth 2.0 scopes for the services that the service account can access:https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/contacts.readonly,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/gmail.readonly2. To use OAuth client, configure your credentials. |
| Radius | Each connection represents a single Google Workspace account. |
| Resolution | 1. Credentials from the JSON file specified by the credential_file parameter in your Steampipe config.2. Credentials from the JSON file specified by the token_path parameter in your Steampipe config.3. Credentials from the default json file location (~/.config/gcloud/application_default_credentials.json). |
Installing the latest googleworkspace plugin will create a config file (~/.steampipe/config/googleworkspace.spc) with a single connection named googleworkspace:
connection "googleworkspace" {
plugin = "googleworkspace"
# You may connect to Google Workspace using more than one option:
# 1. To authenticate using domain-wide delegation, specify a service account credential file and the user email for impersonation
# `credential_file` (optional) - The path to a JSON credential file that contains service account credentials.
#credential_file = "/path/to/my/creds.json"
# `impersonated_user_email` (required) - The email (string) of the user which should be impersonated. Needs permissions to access the Admin APIs.
# `impersonated_user_email` must be set, since the service account needs to impersonate a user with Admin API permissions to access the workspace services.
#impersonated_user_email = "username@domain.com"
# 2. To authenticate using OAuth 2.0, specify a client secret file
# `token_path` (optional) - The path to a JSON credential file that contains Google application credentials.
# If `token_path` is not specified in a connection, credentials will be loaded from:
# - The path specified in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, if set; otherwise
# - The standard location (`~/.config/gcloud/application_default_credentials.json`)
#token_path = "~/.config/gcloud/application_default_credentials.json"
}- Open source: https://github.com/turbot/steampipe-plugin-googleworkspace
- Community: Slack Channel
You can use client secret credentials to protect the user's data by only granting tokens to authorized requestors. Use following steps to configure credentials:
-
Create an OAuth client ID credential with the application type
Desktop app, and download the client secret JSON file. -
Wherever you have the Google Cloud SDK installed, run the following command with the correct client secret JSON file parameters:
gcloud auth application-default login \ --client-id-file=client_secret.json \ --scopes="\ https://www.googleapis.com/auth/calendar.readonly,\ https://www.googleapis.com/auth/contacts.other.readonly,\ https://www.googleapis.com/auth/contacts.readonly,\ https://www.googleapis.com/auth/directory.readonly,\ https://www.googleapis.com/auth/drive.readonly,\ https://www.googleapis.com/auth/gmail.readonly"
-
In the browser window that just opened, authenticate as the user you would like to make the API calls through.
-
Review the output for the location of the Application Default Credentials file, which usually appears following the text
Credentials saved to file:. -
Set the Application Default Credentials filepath in the Steampipe config
token_pathor in theGOOGLE_APPLICATION_CREDENTIALSenvironment variable.
The Google Workspace plugin will use the standard Google environment variables to obtain OAuth client credentials only if other arguments (credential_file, token_path) are not specified in the connection:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/creds.json