organization | category | icon_url | brand_color | display_name | short_name | description | og_description | og_image | engines |
---|---|---|---|---|---|---|---|---|---|
Turbot | | /images/plugins/turbot/googleworkspace.svg | #ea4335 | Google Workspace | googleworkspace | Steampipe plugin for querying users, groups, org units and more from your Google Workspace. | Query Google Workspace with SQL! Open source CLI. No DB required. | /images/plugins/turbot/googleworkspace-social-graphic.png | |

Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.
Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.
For example:
```sql
select
  summary,
  hangout_link,
  start_time,
  end_time
from
  googleworkspace_calendar_my_event
where
  start_time > now()::timestamp
  and end_time < ('now'::timestamp + interval '1 day');
```

```
+----------------+--------------------------------------+---------------------+---------------------+
| summary        | hangout_link                         | start_time          | end_time            |
+----------------+--------------------------------------+---------------------+---------------------+
| Product Review | https://meet.google.com/ris-zooa-rxo | 2021-08-18 12:30:00 | 2021-08-18 13:00:00 |
+----------------+--------------------------------------+---------------------+---------------------+
```

Download and install the latest Google Workspace plugin:
```sh
steampipe plugin install googleworkspace
```

Item | Description |
---|---|
APIs | 1. Go to the Google API Console. 2. Select the project that contains your credentials. 3. Click Enable APIs and Services. 4. Enable: Google Calendar API, Google Drive API, Gmail API, Google People API. |
Credentials | 1. To use domain-wide delegation, generate your service account and credentials and delegate domain-wide authority to your service account. Enter the following OAuth 2.0 scopes for the services that the service account can access: `https://www.googleapis.com/auth/calendar.readonly`, `https://www.googleapis.com/auth/contacts.readonly`, `https://www.googleapis.com/auth/contacts.other.readonly`, `https://www.googleapis.com/auth/directory.readonly`, `https://www.googleapis.com/auth/drive.readonly`, `https://www.googleapis.com/auth/gmail.readonly`. 2. To use OAuth client, configure your credentials. |
Radius | Each connection represents a single Google Workspace account. |
Resolution | 1. Credentials from the JSON file specified by the `credentials` parameter in your Steampipe config. 2. Credentials from the JSON file specified by the `token_path` parameter in your Steampipe config. 3. Credentials from the default JSON file location (`~/.config/gcloud/application_default_credentials.json`). |

Installing the latest googleworkspace plugin will create a config file (`~/.steampipe/config/googleworkspace.spc`) with a single connection named `googleworkspace`:

```hcl
connection "googleworkspace" {
  plugin = "googleworkspace"

  # You may connect to Google Workspace using more than one option:
  # 1. To authenticate using domain-wide delegation, specify a service account credential file and the user email for impersonation
  # `credentials` - Either the path to a JSON credential file that contains Google application credentials,
  # or the contents of a service account key file in JSON format. If `credentials` is not specified in a connection,
  # credentials will be loaded from:
  #   - The path specified in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, if set; otherwise
  #   - The standard location (`~/.config/gcloud/application_default_credentials.json`)
  #   - The path specified for the credentials.json file ("/path/to/my/creds.json")
  # credentials = "~/.config/gcloud/application_default_credentials.json"

  # `impersonated_user_email` - The email (string) of the user which should be impersonated. Needs permissions to access the Admin APIs.
  # `impersonated_user_email` must be set, since the service account needs to impersonate a user with Admin API permissions to access the workspace services.
  # impersonated_user_email = "username@domain.com"

  # 2. To authenticate using OAuth 2.0, specify a client secret file
  # `token_path` - The path to a JSON credential file that contains Google application credentials.
  # If `token_path` is not specified in a connection, credentials will be loaded from:
  #   - The path specified in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable, if set; otherwise
  #   - The standard location (`~/.config/gcloud/application_default_credentials.json`)
  # token_path = "~/.config/gcloud/application_default_credentials.json"
}
```

You can use client secret credentials to protect the user's data by only granting tokens to authorized requestors. Use the following steps to configure credentials:

- Create an OAuth client ID credential with the application type `Desktop app`, and download the client secret JSON file.
- Wherever you have the Google Cloud SDK installed, run the following command with the correct client secret JSON file parameters:

  ```sh
  gcloud auth application-default login \
    --client-id-file=client_secret.json \
    --scopes="\
  https://www.googleapis.com/auth/calendar.readonly,\
  https://www.googleapis.com/auth/contacts.other.readonly,\
  https://www.googleapis.com/auth/contacts.readonly,\
  https://www.googleapis.com/auth/directory.readonly,\
  https://www.googleapis.com/auth/drive.readonly,\
  https://www.googleapis.com/auth/gmail.readonly"
  ```

- In the browser window that just opened, authenticate as the user you would like to make the API calls through.
- Review the output for the location of the Application Default Credentials file, which usually appears following the text `Credentials saved to file:`.
- Set the Application Default Credentials filepath in the Steampipe config `token_path` or in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
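
A pre-flight check for the files these steps and the connection config refer to, as an added example (not part of the plugin or its documentation): it flags a credential file readable beyond its owner and a `credentials` or `token_path` argument pointing at the wrong kind of JSON file, such as the downloaded client secret instead of the Application Default Credentials file. It assumes a POSIX filesystem and that `credentials` holds a path rather than inline JSON; `classify`, `audit_connection` and `write_sample` are hypothetical names and the sample files are constructed.

```python
import json, os, stat, tempfile

# Assumption drawn from the config comments: `credentials` takes a service
# account key, `token_path` takes the file gcloud writes after the OAuth login.
EXPECTED = {"credentials": "service_account", "token_path": "authorized_user"}

def classify(path):
    """Return (kind, findings) for a Google credential JSON file on disk."""
    path, findings = os.path.expanduser(path), []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"{path}: mode {mode:03o} is open beyond the owner, use 600")
    with open(path) as fh:
        data = json.load(fh)
    if "installed" in data or "web" in data:
        kind = "oauth_client_secret"  # the downloaded client secret, not a token
    else:
        kind = data.get("type", "unknown")
    return kind, findings

def audit_connection(conn):
    """conn: dict holding the arguments of one `connection` block."""
    findings = []
    for arg, expected in EXPECTED.items():
        if arg not in conn:
            continue
        kind, file_findings = classify(conn[arg])
        findings += file_findings
        if kind != expected:
            findings.append(f"{arg} points at a {kind} file, expected {expected}")
    if "credentials" in conn and not conn.get("impersonated_user_email"):
        findings.append("credentials is set without impersonated_user_email")
    return findings

def write_sample(doc, mode):
    """Write a constructed credential document to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed samples: key names follow Google's file formats, values are fake.
    secret = write_sample({"installed": {"client_id": "x", "client_secret": "y"}}, 0o644)
    adc = write_sample({"type": "authorized_user", "refresh_token": "z"}, 0o600)
    print(audit_connection({"token_path": secret}))
    print(audit_connection({"token_path": adc}))
```
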