Customers with Virtru for Drive subscriptions have several options for protecting their Drive content, including the ability to configure a Google service account for Shared Drive compatibility. This allows users to access encrypted content in any Shared Drive where they are a member.
Virtru needs to make real-time decisions about whether a user is allowed to access content within a particular Shared Drive. To do so, Virtru must use a Google “service account” to call the Shared Drive API. This service account needs the drive.metadata.readonly scope.
The specific call we will be making is documented in the Google Drive API reference under Drives: list.
A service account is needed because Shared Drive functions differently from My Drive with respect to how files are owned and shared. Shared Drive restricts moving files into and out of the Shared Drive and is intended to support established teams with expected membership changes and user turnover. In order to support this flow, Virtru must determine access permissions based on Shared Drive membership at the time of each access attempt.
Will a service account always be needed?
Virtru has investigated the available options from Google to ensure that proper file access is maintained for Shared Drive files. With the available APIs, the service account approach outlined in this document is the best path forward. We are working in partnership with Google to ensure that Shared Drive APIs are evolving and maturing to accommodate more granular permissions.
Service account setup
If you have not been assigned a Virtru representative to assist with Drive installation, please contact your Customer Success Manager or Customer Support prior to completing the steps below. Action is required on the Virtru side to complete the installation.
1. As a G Suite admin, go to https://console.developers.google.com/iam-admin/serviceaccounts/
2. Select “Create Project”
3. Name the project (for example, “virtru for team drive”), then select CREATE
4. You will be directed to the Service Accounts page. Click CREATE SERVICE ACCOUNT
5. Enter the service account details. For the name you can enter “virtrufordrive”, and for the service account description you can enter “Team Drive Membership”. Then click CREATE AND CONTINUE
6. For the next step - Grant this service account access to project - select a role. Choose: Service Accounts > Service Account User. Then click CONTINUE
7. For the next step - Grant users access to this service account (optional) - Leave this one as is and hit DONE
8. Click on the newly created service account.
9. Select the DETAILS section. Then click SHOW DOMAIN-WIDE DELEGATION and select Enable Google Workspace Domain-wide Delegation. Enter a product name for the consent screen, e.g. “virtru team drive service account”. Hit SAVE (no discernible action). Then click the caret to collapse that section again
10. Select the Keys section, and click ADD KEY, then Create new key
11. Select JSON key type and click CREATE
12. A JSON file will be downloaded. Save it so you can securely email it to Virtru (explained in a later step)
13. Hit the back arrow to go back to the page with the service account. On the service account line, click View Client ID and copy the Client ID listed there
14. Head to admin.google.com. Select Security > API Controls > Manage Domain Wide Delegation
15. Click Add New
16. Paste the Client ID you copied into the Client ID field and add the following to One or More API Scopes: https://www.googleapis.com/auth/drive.metadata.readonly. Then click Authorize
17. Next, navigate to https://console.developers.google.com/
18. Click Enable APIs and Services at the top of the page
19. Search for "Google Drive"
20. Click Google Drive API in the results
21. Select Enable
22. Send a secure Virtru email (encrypted email) to firstname.lastname@example.org with the JSON file attached, and let us know that you are sending it for your Virtru for Drive service account setup.
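As an added example (not Virtru's code, and not part of this article's procedure), the script below shows what the downloaded key file is used for and lets an admin sanity-check it before sending it: it verifies the JSON key's fields and that its client_id matches the one authorized under domain-wide delegation, builds the claim set a service account signs to act as a given user with only the drive.metadata.readonly scope, and evaluates membership from a Drives: list response. The sample key, user addresses and Shared Drive IDs are constructed placeholders.

```python
"""Pre-flight checks for a Virtru for Drive service-account key (added example)."""
import json

# The one scope authorized in admin.google.com under domain-wide delegation.
DELEGATED_SCOPE = "https://www.googleapis.com/auth/drive.metadata.readonly"
REQUIRED_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")


def validate_key_file(key: dict, authorized_client_id: str) -> list:
    """Return the problems found in a downloaded key; an empty list means it looks right."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("not a service-account key")
    if key.get("client_id") != authorized_client_id:
        # The Client ID pasted into Manage Domain Wide Delegation must be this key's.
        problems.append("client_id differs from the one authorized in admin.google.com")
    if key.get("private_key") and "BEGIN PRIVATE KEY" not in key["private_key"]:
        problems.append("private_key is not a PEM block")
    return problems


def delegation_claims(key: dict, impersonated_user: str, now: int) -> dict:
    """JWT claim set the service account signs (RS256, with private_key) to obtain an
    access token *as* the impersonated user; 'sub' is what domain-wide delegation enables."""
    return {
        "iss": key["client_email"],
        "sub": impersonated_user,
        "scope": DELEGATED_SCOPE,       # requesting any other scope is rejected by Google
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


def user_is_member(drives_list_response: dict, shared_drive_id: str) -> bool:
    """Drives: list, called as the impersonated user, returns only drives that user belongs
    to, so presence of the ID is the membership decision made at access time."""
    return any(d.get("id") == shared_drive_id for d in drives_list_response.get("drives", []))


# Constructed sample key, shaped like the JSON file downloaded in step 12 (values are fake).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "virtrufordrive@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\n<redacted placeholder>\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_KEY_JSON = json.dumps(SAMPLE_KEY)
```

Run validate_key_file against the real downloaded file (json.load) with the Client ID you pasted in step 16; any reported problem means the delegation will fail at token time.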