After successfully building our first flow for ticket and question case creation in Salesforce from our contact form, we now want to include the incoming emails to our info account in the flow. We are having some issues after creating the Google service account and allowing domain-wide access. We have followed these steps:
Step 1: Create a Google Cloud Project
- Log in to the Google Cloud Console at https://console.cloud.google.com/.
- Create a New Project:
  - Click on the project drop-down in the top-left corner next to the Google Cloud logo.
  - Click “New Project.”
  - Enter a project name and select your organization. Then click “Create.”
- Enable the Gmail API:
  - In the left-hand menu, go to “APIs & Services” > “Library.”
  - Search for “Gmail API” and click on it.
  - Click “Enable” to enable the Gmail API for your project.
Step 2: Create a Service Account
- Navigate to Service Accounts:
  - In the Google Cloud Console, go to “IAM & Admin” > “Service Accounts.”
  - Click “Create Service Account.”
- Fill in the Service Account Details:
  - Enter a name for the service account and an optional description.
  - Click “Create.”
- Grant the Service Account Access to the Project:
  - In the “Service account permissions” section, you can leave it blank for now, or assign it roles like “Viewer” if needed. Click “Continue.”
  - Skip the “Grant users access to this service account” step by clicking “Done.”
- Create and Download the JSON Key:
  - After creating the service account, click on it in the list.
  - Go to the “Keys” tab and click “Add Key” > “Create New Key.”
  - Select “JSON” and click “Create.” A JSON file will be downloaded automatically. This is the file you need to provide to your Palantir setup.
Step 3: Enable Domain-Wide Delegation (for G Suite / Google Workspace Admin)
- Edit the Service Account:
  - Go back to the “Service Accounts” page in the Google Cloud Console.
  - Click on the service account you just created.
  - Click the “Show Domain-Wide Delegation” checkbox under “Domain-wide Delegation.”
  - Save changes.
- Set Up Domain-Wide Delegation:
  - Go to the Google Admin Console at https://admin.google.com.
  - Navigate to “Security” > “API Controls.”
  - Click “Manage Domain-Wide Delegation” at the bottom of the API Controls page.
  - Click “Add New” and enter the Client ID. The Client ID can be found on the Service Account page in the Google Cloud Console under “Details.”
  - In the “OAuth Scopes” field, add the scopes you need. For Gmail, you would generally include:
    https://www.googleapis.com/auth/gmail.readonly
    https://www.googleapis.com/auth/gmail.modify
    https://www.googleapis.com/auth/gmail.send
  - Click “Authorize.”
Step 4: Provide the JSON Key File and Email Address
- JSON Key File: Provide the JSON key file you downloaded earlier to the user (you, in this case) who needs to set up the connection in Palantir.
- Email Address: If domain-wide delegation is set up, provide the email address of the user whose Gmail data will be accessed.
Setting Up the Connection:
- AuthScheme: Set this to OAuthJWT, which indicates that you’ll be using OAuth JWT for authentication.
- InitiateOAuth: Set this to GETANDREFRESH. This instructs the driver to manage the OAuth tokens automatically, including refreshing them when needed.
- OAuthJWTCert: Provide the path to the JSON key file here. If you are uploading it directly in Palantir, you may need to reference the file or paste its contents if the interface allows.
- OAuthJWTCertType: Set this to GOOGLEJSONBLOB, since you are using a JSON key file.
- OAuthJWTSubject (Optional): If you are using domain-wide delegation, set this to the email address of the user whose data you need to access. If you don’t need to impersonate a user, you can leave this blank.
Optional: Testing the Service Account
- Use the Google OAuth Playground (https://developers.google.com/oauthplayground) to test the service account:
  - In Step 1, select the required API scopes.
  - In Step 2, provide the service account’s client ID and secret if testing manually.
Final Notes
- Security: Ensure that the JSON file is stored securely, as it contains sensitive information.
- Permissions: If the service account needs more permissions, these can be adjusted under “IAM & Admin” > “IAM” in the Google Cloud Console by assigning additional roles.
But we are getting the following error:
The explorer command failed to run: java.lang.Throwable:RemoteException: INVALID_ARGUMENT (MagritteExplorer:SqlError) with instance ID xxxxxxxxx: {reason=Failed to retrieve OAuth token information. unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested., sqlState=HY000, vendorCode=0, originalErrorInstanceId=xxxxxxxxxxx, stacktrace=com.palantir.magritte.explorer.jdbc.MagritteExplorerErrors.sqlError(MagritteExplorerErrors.java:25)
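The unauthorized_client response in that error is what Google's token endpoint returns for a domain-wide-delegation JWT when the Client ID entered under “Manage Domain-Wide Delegation” does not match the key's client_id, or when the scopes the driver requests are not all among the scopes authorized there. The script below is an added example, not code from the original post or from Palantir or the driver vendor: it parses a service-account key, builds the JWT claim set that the OAuthJWT flow signs and posts to token_uri, and compares the local settings against what was entered in the Admin Console so the mismatch can be found before the connection is retried. The key contents, the mailbox address and the assumption that the driver requests exactly the three Gmail scopes listed in the steps above are constructed stand-ins; check the driver's documentation for the scopes it actually requests, because they must all be present in the Admin Console entry.

```python
"""Preflight check for a Google service-account key used with domain-wide
delegation. Added example, not from the original post or from Palantir.

The sample key and the Admin Console values below are constructed stand-ins;
replace them with the real downloaded key and the values you entered.
"""
import json
import time

# Scopes the connection will request. ASSUMPTION: the driver requests exactly
# the three Gmail scopes from the setup steps; verify against the driver docs.
REQUESTED_SCOPES = [
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
]

# Constructed stand-in for the downloaded JSON key (every value is fake).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "mailbox-reader@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "FAKE-PRIVATE-KEY-PLACEHOLDER",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def load_service_account(key_text):
    """Parse the key file and confirm it is a service-account key rather than
    an OAuth client-secret file (a mix-up that also ends in unauthorized_client)."""
    key = json.loads(key_text)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key: type=%r" % key.get("type"))
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not key.get(field):
            raise ValueError("key file is missing %r" % field)
    return key


def build_jwt_claims(key, subject, scopes, now=None):
    """Claim set the OAuthJWT flow signs with the private key and posts to
    token_uri (Google's documented RFC 7523 service-account flow). 'sub' is the
    mailbox being impersonated; without it the token would belong to the
    service account itself, which has no Gmail mailbox."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


def check_delegation(key, admin_client_id, admin_scopes, subject, requested_scopes):
    """Compare the local setup with the Admin Console entry. Returns a list of
    problems; an empty list means the two are consistent (it cannot tell
    whether the Admin Console change has propagated yet)."""
    problems = []
    if admin_client_id.strip() != key["client_id"]:
        problems.append("Client ID in Admin Console (%s) does not match the key's client_id (%s)"
                        % (admin_client_id, key["client_id"]))
    missing = sorted(set(requested_scopes) - set(admin_scopes))
    if missing:
        problems.append("scopes requested but not authorized in Admin Console: %s"
                        % ", ".join(missing))
    if not subject:
        problems.append("OAuthJWTSubject is empty; set it to the mailbox to impersonate")
    elif "@" not in subject or subject.endswith("gserviceaccount.com"):
        problems.append("OAuthJWTSubject must be a Workspace user address, got %r" % subject)
    return problems


def fetch_delegated_token(key_path, subject, scopes):
    """Live check outside Palantir using the google-auth library
    (pip install google-auth); not exercised offline. A RefreshError carrying
    unauthorized_client here reproduces the driver's failure independently."""
    from google.oauth2 import service_account
    from google.auth.transport.requests import Request
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=scopes).with_subject(subject)
    creds.refresh(Request())
    return creds.token


if __name__ == "__main__":
    key = load_service_account(SAMPLE_KEY_JSON)
    # Constructed Admin Console values: correct client ID, one scope forgotten.
    for p in check_delegation(key, key["client_id"], REQUESTED_SCOPES[:2],
                              "info@example.com", REQUESTED_SCOPES):
        print("problem:", p)
```

Run it with the real key path and mailbox substituted; if check_delegation reports nothing and fetch_delegated_token still fails with unauthorized_client, the remaining candidates are the scope list the driver really requests and propagation delay of the Admin Console entry.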