Google Drive

Visualize Google Drive Shared Drives and their contents, map file permissions and access controls, and monitor changes to files and folders through queries and alerts.

Installation

For this integration, you will need to add the necessary API scope to your Google Workspace for the JupiterOne Service Account.

Understanding impersonation

The Google Drive integration uses Domain-Wide Delegation to access your organization's Drive data. Here's how it works:

  • The JupiterOne service account is configured in Google Cloud Platform with Domain-Wide Delegation enabled.
  • In the Google Admin Console, you grant OAuth scopes to the service account.
  • On each request, the service account impersonates a real user from your domain.
  • Effective permissions = OAuth scopes granted ∩ permissions of the impersonated user.

Requirements for the impersonated user

The user you configure as the Admin Email in JupiterOne will be impersonated by the service account. This user needs:

  • To be an active user in your Google Workspace domain
  • To have access to Google Drive (a basic Workspace license is sufficient)
  • To be a member of the Shared Drives you want to ingest

The impersonated user does not need to be a Super Admin or have any special admin privileges.

What the integration can see

Since the integration uses the drive.readonly scope, it will only be able to read:

  • Files and folders in Shared Drives where the impersonated user is a member
  • Metadata such as owners, permissions, dates, and sizes

Recommendation: Create a dedicated service user (e.g., jupiterone-drive@yourdomain.com) and add it as a member to all Shared Drives you want JupiterOne to ingest.
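As an added illustration of the impersonation model and the single read-only scope described above (example code, not JupiterOne's own): it builds the claim set of the Domain-Wide Delegation assertion (the `sub` claim is what makes the service account act as the Admin Email user), checks the granted scopes against least privilege, and models which Shared Drives the impersonated user exposes. The service-account address, the member lists and the google-auth / google-api-python-client usage in the last function are assumptions, not values from the page.

```python
import time

# Scope and endpoint used by Google's Domain-Wide Delegation flow
DRIVE_READONLY = "https://www.googleapis.com/auth/drive.readonly"
TOKEN_AUDIENCE = "https://oauth2.googleapis.com/token"
MAX_ASSERTION_LIFETIME = 3600  # Google rejects assertions valid longer than one hour

# Constructed sample: Shared Drive name -> member addresses (not real data)
SAMPLE_DRIVE_MEMBERS = {
    "Engineering": {"jupiterone-drive@yourdomain.com", "alice@yourdomain.com"},
    "Finance": {"bob@yourdomain.com"},
    "Security": {"jupiterone-drive@yourdomain.com"},
}

def check_delegation_scopes(granted_scopes):
    """Compare scopes granted to the client ID with the one scope the integration
    needs. Returns (missing, excess); non-empty excess means an over-broad grant."""
    granted, required = set(granted_scopes), {DRIVE_READONLY}
    return sorted(required - granted), sorted(granted - required)

def delegation_claims(service_account_email, impersonated_user, scopes, now=None):
    """Claim set of the JWT assertion signed with the service-account key: `iss` is
    the service account, `sub` the impersonated user, `scope` space-separated."""
    if not scopes:
        raise ValueError("at least one scope is required")
    now = int(time.time()) if now is None else now
    return {"iss": service_account_email, "sub": impersonated_user,
            "scope": " ".join(scopes), "aud": TOKEN_AUDIENCE,
            "iat": now, "exp": now + MAX_ASSERTION_LIFETIME}

def visible_shared_drives(drive_members, impersonated_user, granted_scopes):
    """Model 'effective permissions = granted scopes ∩ user permissions': nothing is
    readable without drive.readonly, then only drives the user is a member of."""
    if DRIVE_READONLY not in granted_scopes:
        return []
    return sorted(d for d, members in drive_members.items() if impersonated_user in members)

def list_shared_drives(key_file, impersonated_user):
    """Live version of the membership check (assumes google-auth and
    google-api-python-client are installed; not exercised offline)."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=[DRIVE_READONLY]).with_subject(impersonated_user)
    drive = build("drive", "v3", credentials=creds)
    return [d["name"] for d in drive.drives().list(pageSize=100).execute().get("drives", [])]
```

Run `list_shared_drives` with the service-account key and the Admin Email before saving the JupiterOne configuration; an empty result means the user is not yet a member of any Shared Drive.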

Add the JupiterOne API scope

Log in to the Google Workspace Admin Console as a super administrator to perform the following actions:

  1. Click Account Settings > Profile and retrieve your Customer ID. It will have a format similar to C1111abcd. Alternatively, click Security and expand Setup single sign-on (SSO) for SAML applications and copy the idpid property value from the SSO URL. For example, https://accounts.google.com/o/saml2/idp?idpid=C1111abcd provides the ID C1111abcd. Retain this value for the Customer ID field in the JupiterOne integration configuration.

  2. Return to the Admin Console home page. Click Security > API controls.

  3. In the Domain wide delegation pane, select Manage Domain Wide Delegation.

  4. Click Add new and enter the JupiterOne Service Account client ID 105066730509134419857 into the Client ID field.

  5. Add the following API scope:

    https://www.googleapis.com/auth/drive.readonly

  6. Click Authorize.

Configuration in JupiterOne

To add the Google Drive integration in JupiterOne, navigate to the Integrations tab and select Google Drive. Click New Instance to begin configuring your integration. Enter the following:

  • Account Name by which you want to identify this Google Drive account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.
  • Description that assists your team when identifying the integration instance.
  • Select a Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
  • Enter the Customer ID collected during the setup of Google Workspace.
  • Enter the Admin Email of the Google Workspace user that the service account will impersonate. This user must be a member of the Shared Drives you want to ingest.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.