Customers with Virtru for Drive subscriptions have various options on how to protect their Drive content. This includes the ability to configure a Google service account for Shared Drive compatibility. This allows users to access encrypted content in any Shared Drive they are a member of.
Virtru needs to make real-time access decisions about whether a user is allowed to access content within a particular Shared Drive. To do so, Virtru must use a Google “service account” to call the Shared Drive API. This service account needs only the drive.metadata.readonly scope.
The specific calls we will be making are outlined here: Drives: list
A service account is needed because Shared Drive functions differently than My Drive with respect to how files are owned and shared. Shared Drive limits files moving into and out of the Shared Drive and is intended to support established teams with expected membership changes and user turnover. In order to support this complex flow, Virtru must determine access permissions based on Shared Drive membership at the time of each access attempt.
Will a service account always be needed?
Virtru has investigated the available options from Google to ensure that proper file access is maintained for Shared Drive files. With the available APIs, the service account approach outlined in this document is the best path forward.
We are working in partnership with Google to ensure that Shared Drive APIs are evolving and maturing to accommodate more granular permissions.
Service account setup
If you have not been assigned a Virtru representative to assist with Drive installation, please contact your Customer Success Manager or Customer Support prior to completing the steps below. Action is required on the Virtru side to complete the installation.
1. As a G Suite admin, go to https://console.developers.google.com/iam-admin/serviceaccounts/
2. Select create a NEW PROJECT for the domain.
3. Name the project and click CREATE.
4. Choose + CREATE SERVICE ACCOUNT.
5. Enter any name and click CREATE.
Example: Virtru for Drive
6. Select a Role: "Service Account User"
7. For Grant users access to this service account, leave the default.
8. Select + CREATE KEY at the bottom, select the JSON key type and click CREATE.
9. After the key has been created, click Done.
10. Select the service account that you just created by clicking on the service account email link, and then click Edit at the top.
11. Expand the Show domain-wide delegation drop-down and check Enable G Suite Domain-wide Delegation.
12. Enter a product name for the consent screen.
13. Copy the Unique ID (Client ID) from your newly created service account.
14. Click Save at the bottom.
15. Go to https://admin.google.com
16. Go to Security > API controls and select MANAGE DOMAIN WIDE DELEGATION
17. Click Add new, paste the Unique ID (Client ID) you copied in step 13, and add the following to the `OAuth scopes` field: https://www.googleapis.com/auth/drive.metadata.readonly
18. Click AUTHORIZE.
19. Navigate to: https://console.developers.google.com/
20. Click + ENABLE APIS AND SERVICES at the top of the page.
21. Search for Drive.
22. Click the Drive tile.
23. ENABLE the Drive API.
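As an added example (not Virtru's or Google's own code), the following Python script checks the JSON key downloaded in step 8, shows the delegation claims a token request carries for the drive.metadata.readonly scope authorized in step 17, and performs the Drives: list call as an impersonated user. The key values are constructed placeholders, the user address is hypothetical, and the live call assumes the google-auth and google-api-python-client packages are installed.

```python
"""Inspect a Virtru for Drive service-account key, build the domain-wide
delegation claims, and list the Shared Drives a user is a member of."""
import json
import time

DRIVE_METADATA_RO = "https://www.googleapis.com/auth/drive.metadata.readonly"

# Constructed sample of the JSON key from step 8; every value is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "virtru-for-drive-example",
    "client_email": "virtru-for-drive@virtru-for-drive-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

def inspect_key(key_json: str) -> dict:
    """Return what the admin needs from the key file; client_id is the
    Unique ID pasted into Domain-wide Delegation (steps 13 and 17)."""
    key = json.loads(key_json)
    required = {"type", "client_email", "client_id", "private_key", "token_uri"}
    missing = required - key.keys()
    if missing or key["type"] != "service_account":
        raise ValueError(f"not a service-account key; missing={sorted(missing)}")
    return {k: key[k] for k in ("client_id", "client_email", "token_uri")}

def delegation_claims(key_json: str, user_email: str, now=None) -> dict:
    """JWT claim set of a delegated token request: iss is the service account,
    sub is the impersonated user, scope must match what was authorized in step 17."""
    info = inspect_key(key_json)
    now = int(time.time()) if now is None else now
    return {"iss": info["client_email"], "sub": user_email, "scope": DRIVE_METADATA_RO,
            "aud": info["token_uri"], "iat": now, "exp": now + 3600}

def list_member_drives(key_path: str, user_email: str) -> list:
    """Live Drives: list as the impersonated user; only Shared Drives that user
    is a member of are returned, which is the membership check described above."""
    from google.oauth2 import service_account      # imported lazily so the offline
    from googleapiclient.discovery import build    # helpers above run without them
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=[DRIVE_METADATA_RO]).with_subject(user_email)
    drive = build("drive", "v3", credentials=creds)
    drives, params = [], {"pageSize": 100, "fields": "nextPageToken,drives(id,name)"}
    while True:
        page = drive.drives().list(**params).execute()
        drives.extend(page.get("drives", []))
        if not page.get("nextPageToken"):
            return drives
        params["pageToken"] = page["nextPageToken"]
```

Call `list_member_drives("virtru-for-drive.json", "user@yourdomain.example")` after steps 1 to 23 are complete; an empty list for a user who belongs to Shared Drives usually means the delegation or scope in step 17 was not authorized.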