Customers with Virtru for Drive subscriptions have various options on how to protect their Drive content. This includes the ability to configure a Google service account for Shared Drive compatibility. This allows users to access encrypted content in any Shared Drive where they are a member.
Virtru needs to make a real-time decision, at each access attempt, about whether a user is allowed to open content that lives in a particular Shared Drive. To do so, Virtru must use a Google “service account” to call the Shared Drive API. This service account needs only the drive.metadata.readonly scope.
The specific call Virtru makes is documented by Google under Drives: list.
A service account is needed because a Shared Drive works differently from My Drive with respect to how files are owned and shared. A Shared Drive restricts files moving into and out of it, and is intended to support established teams in which membership changes and user turnover are expected. To support this flow, Virtru must determine access permissions based on the user's Shared Drive membership at the time of each access attempt, rather than on file ownership.
Will a service account always be needed?
Virtru has investigated the available options from Google to ensure that proper file access is maintained for Shared Drive files. With the available APIs, the service account approach outlined in this document is the best path forward. We are working in partnership with Google to ensure that Shared Drive APIs are evolving and maturing to accommodate more granular permissions.
Service account setup
If you have not been assigned a Virtru representative to assist with Drive installation, please contact your Customer Success Manager or Customer Support prior to completing the steps below. Action is required on the Virtru side to complete the installation.
1. As a Google Workspace admin, go to https://console.developers.google.com/iam-admin/serviceaccounts/
2. Select “Create Project”
3. Name the project (for example, “Virtru for team drive”), then select CREATE
4. You will be directed to the service accounts page. Click CREATE SERVICE ACCOUNT
5. Enter the service account details. For the name, you can enter “virtrufordrive”. For the service account, you can enter “Team Drive Membership”. Then click CREATE AND CONTINUE
6. For the next step - Grant this service account access to project - select a “role”. Choose Service Accounts > Service Account User. Then click CONTINUE
7. For the next step - Grant users access to this service account (optional) - Leave this one as is and hit DONE
8. Select the Keys section, and click ADD KEY, then Create new key
9. Select JSON key type and click CREATE
10. A JSON file will be downloaded. Save this so you can securely email it to Virtru (which will be explained in a later step)
11. Click on the newly created service account.
12. Select the DETAILS section. Then click Advanced Settings to set up Google Workspace Domain-Wide Delegation
13. Copy the Unique ID, which is also called the OAuth 2 Client ID, listed inside of the "Advanced Settings"
14. Head to the webpage admin.google.com. Select Security > Access and Data Control > API Controls > Manage Domain Wide Delegation
15. Click Add New
16. Paste the Client ID you copied into the Client ID field and add the following to One or More API Scopes: https://www.googleapis.com/auth/drive.metadata.readonly. Then click Authorize
17. Next, navigate to https://console.developers.google.com/
18. Click Enable APIs and Services at the top of the page
19. Search for "Google Drive"
20. Click Google Drive API in the results
21. Select Enable
22. Send a secure Virtru email (encrypted email) to email@example.com with the JSON file attached and let us know that you are sending this for your Virtru for Drive service account set up.
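The following Python snippet is an added illustration of what the setup above enables, not code from Virtru or Google: it validates the JSON key from step 10, builds the domain-wide delegation claim set (service account as issuer, the Workspace user as subject, the read-only metadata scope from step 16), and makes the membership-based access decision described earlier from a Drives: list response. The key file, user address and API response are constructed samples; signing the claim set with the private key and exchanging it for an access token is left to a library such as google-auth.

```python
import json
import time

# Scope the service account is delegated in step 16.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/drive.metadata.readonly"
REQUIRED_KEY_FIELDS = ("type", "client_email", "private_key", "client_id", "token_uri")

# Constructed sample of the JSON key downloaded in step 10 (private key is a placeholder).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "virtrufordrive@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def load_service_account_key(raw):
    """Parse the key file and confirm it carries the fields the delegation flow needs."""
    key = json.loads(raw)
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account" or missing:
        raise ValueError("not a usable service account key; missing fields: %s" % missing)
    return key

def delegation_claims(key, user_email, now=None):
    """JWT claim set for domain-wide delegation: the service account (iss) acts as the
    Workspace user (sub), limited to the read-only metadata scope, for at most one hour."""
    now = int(time.time()) if now is None else now
    return {"iss": key["client_email"], "sub": user_email, "scope": REQUIRED_SCOPE,
            "aud": key["token_uri"], "iat": now, "exp": now + 3600}

def member_drive_ids(drives_list_response):
    """Drives: list, called as the delegated user, returns only Shared Drives that user belongs to."""
    return {d["id"] for d in drives_list_response.get("drives", [])}

def may_access(drives_list_response, file_drive_id):
    """Access decision: allow only if the file's Shared Drive is in the user's current membership."""
    return file_drive_id in member_drive_ids(drives_list_response)

# Constructed Drives: list response for a hypothetical user who belongs to two Shared Drives.
SAMPLE_DRIVES_RESPONSE = {
    "kind": "drive#driveList",
    "drives": [{"id": "0AExampleDriveA", "name": "Legal"},
               {"id": "0AExampleDriveB", "name": "Finance"}],
}

if __name__ == "__main__":
    key = load_service_account_key(SAMPLE_KEY_JSON)
    print(delegation_claims(key, "alice@example.com"))
    print(may_access(SAMPLE_DRIVES_RESPONSE, "0AExampleDriveA"))   # True
    print(may_access(SAMPLE_DRIVES_RESPONSE, "0AExampleDriveZ"))   # False
```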