Google: Service Account

Using service accounts is more complex than OAuth2. Before you begin:

• Check if your node is compatible with Service Account.
• Make sure you need to use Service Account. For most use cases, OAuth2 is a better option.
• Read the Google documentation on Creating and managing service accounts.

Prerequisites

• Create a Google Cloud account.

Set up Service Account

There are four steps to connecting your n8n credential to a Google Service Account:

1. Create a Google Cloud Console project.
2. Enable APIs.
3. Set up Google Cloud Service Account.
4. Finish your n8n credential.

Create a Google Cloud Console project

First, create a Google Cloud Console project. If you already have a project, jump to the next section:

1. 使用您的 Google 凭据登录到您的 Google Cloud 控制台。
2. 在顶部菜单中，选择顶部导航中的项目下拉菜单并选择新建项目，或直接转到新建项目页面。
3. 输入项目名称并为您的项目选择位置。
4. 选择创建。

5. 检查顶部导航并确保项目下拉菜单已选择您的项目。如果没有，请选择您刚创建的项目。

   

   检查 Google Cloud 顶部导航中的项目下拉菜单

Enable APIs

With your project created, enable the APIs you'll need access to:

1. 访问您的 Google Cloud 控制台 - 库。确保您在正确的项目中。

   

   检查 Google Cloud 顶部导航中的项目下拉菜单

2. 转到 API 和服务 > 库。
3. 搜索并选择您要启用的 API。例如，对于 Gmail 节点，搜索并启用 Gmail API。

4. 某些集成需要其他 API 或需要您请求访问权限：

   • Google Perspective：请求 API 访问权限。
   • Google Ads：获取开发者令牌。

   需要 Google Drive API

   以下集成除了需要自己的 API 外，还需要 Google Drive API：

   • Google Docs
   • Google Sheets
   • Google Slides

   Google Vertex AI API

   除了 Vertex AI API，您还需要启用 Cloud Resource Manager API。

5. 选择启用。

Set up Google Cloud Service Account

1. Access your Google Cloud Console - Library. Make sure you're in the correct project.

   

   Check the project dropdown in the Google Cloud top navigation

2. Select the hamburger menu > APIs & Services > Credentials. Google takes you to your Credentials page.

3. Select + CREATE CREDENTIALS > Service account.
4. Enter a name in Service account name and an ID in Service account ID. Refer to Creating a service account for more information.
5. Select CREATE AND CONTINUE.
6. Based on your use-case, you may want to Select a role and Grant users access to this service account using the corresponding sections.
7. Select DONE.
8. Select your newly created service account under the Service Accounts section. Open the KEYS tab.
9. Select ADD KEY > Create new key.
10. In the modal that appears, select JSON, then select CREATE. Google saves the file to your computer.

Finish your n8n credential

With the Google project and credentials fully configured, finish the n8n credential:

1. Open the downloaded JSON file.
2. Copy the client_email and enter it in your n8n credential as the Service Account Email.

3. Copy the private_key. Don't include the surrounding " marks. Enter this as the Private Key in your n8n credential.

   Older versions of n8n

   If you're running an n8n version older than 0.156.0, replace all instances of \n in the JSON file with new lines.

4. Optional: Choose if you want to Impersonate a User (turned on).

   1. To use this option, you must Enable domain-wide delegation for the service account as a Google Workspace super admin.
   2. Enter the Email of the user you want to impersonate.
5. If you plan to use this credential with the HTTP Request node, turn on Set up for use in HTTP Request node.
   1. With this setting turned on, you'll need to add Scope(s) for the node. n8n prepopulates some scopes. Refer to OAuth 2.0 Scopes for Google APIs for more information.
6. Save your credentials.

Video

The following video demonstrates the steps described above.

Troubleshooting

Service Account can't access Google Drive files

A Service Account can't access Google Drive files and folders that weren't shared with its associated user email.

1. Access your Google Cloud Console and copy your Service Account email.
2. Access your Google Drive and go to the designated file or folder.
3. Right-click on the file or folder and select Share.
4. Paste your Service Account email into Add People and groups.
5. Select Editor for read-write access or Viewer for read-only access.

Enable domain-wide delegation

To impersonate a user with a service account, you must enable domain-wide delegation for the service account.

Not recommended

Google recommends you avoid using domain-wide delegation, as it allows impersonation of any user (including super admins) and can pose a security risk.

To delegate domain-wide authority to a service account, you must be a super administrator for the Google Workspace domain. Then:

1. From your Google Workspace domain's Admin console, select the hamburger menu, then select Security > Access and data control > API Controls.
2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
3. Select Add new.
4. In the Client ID field, enter the service account's Client ID. To get the Client ID:
   • Open your Google Cloud Console project, then open the Service Accounts page.
   • Copy the OAuth 2 Client ID and use this as the Client ID for the Domain Wide Delegation.
5. In the OAuth scopes field, enter a list of comma-separate scopes to grant your application access. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
6. Select Authorize.

It can take from 5 minutes up to 24 hours before you can impersonate all users in your Workspace.