Authorization
- Introduction
- Headless computers and Cloud Shells
- API documentation
- Python Regular Expressions
- Definitions
- Manage Projects
- Authorize a super admin to create projects
- Authorize Service Account Key Uploads
- Authorize GAM to create projects
- Create a new GCP project folder
- Create a new project for GAM authorization
- Use an existing project for GAM authorization
- Update an existing project for GAM authorization
- Delete an existing project for GAM authorization
- Display projects
- Manage Client credentials
- Manage Service Accounts
- Manage Service Account keys
- Manage Service Account access
- Configure Limited access
- Limited Client access
- No Client access
- Limited Service Account access
- todrive Service Account access
- No Service Account access possible
- Test Client and Service Account access on your computer
- Install GAM on the limited users computer
- Test Client and Service Account access on the non-administrator computer
- Unselect limited section on your computer.
- Delete old versions of GAM from Configured Apps
GAM requires authorization to perform tasks on your domain; the tasks break down into two categories:
- Client - Manipulate objects in the domain; the Client acts on its own behalf to perform the tasks. Examples: add a user, update a group, delete a class, share a printer.
- Service Account - Manipulate objects that belong to users; the Service Account acts on behalf of the user to perform the tasks. Examples: view user files, calendars.
You create projects that define these authorizations.
Verify the following steps:
- See https://support.google.com/a/answer/9197205?hl=en
- Access the admin console and go to Apps -> Additional Google Services
- Look for the service "Google Cloud Platform", click it
- Expand "Service status"
- Select the OU in the left that contains the super admin you'll be using
- Make sure that "Service status" is ON
- If groups are used to authenticate access, make sure the super admin is in one of the groups
- Collapse "Service status"
- Expand "Cloud Resource Manager API settings"
- Make sure that "Allow users to create projects" is checked
Verify that all scopes are available:
- Access the admin console and go to Apps -> Additional Google Services
- If this line is present: "Access to additional services without individual control for all organizational units is turned Off"
- Click "CHANGE"
- Select "ON for everyone"
- Click "SAVE"
Verify that internal apps are trusted.
- Access the admin console and go to Security -> Access and data control -> API Controls
- Check that "Trust internal, domain-owned apps" is present in the Settings section
- Click "SAVE"
If you run a Google Workspace Education SKU, verify that Classroom API is enabled if required.
- Access the admin console and go to Apps -> Google Workspace - Classroom
- Expand "Data access"
- Check "Users can authorize apps to access their Google Classroom data."
- Click "SAVE"
If you run a Google Workspace Education SKU, verify that the super admin you'll be using is in an OU where "All users are 18 or older".
- Access the admin console and go to Accounts -> Account settings
- Expand "Age based access settings"
- Select the OU containing the super admin
- Choose "All users are 18 or older"
- Click "SAVE"
Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created.
- Access the admin console and go to Security -> Access and data control -> API controls
- Check Trust internal, domain-owned apps
- Click Manage third-party app access
- Click Configure new app and select OAuth App Name Or Client ID
- Paste client_id value from client_secrets.json
- Click Search
- Click Select at right end of line referencing GAM
- Check box to the left of the line with GAM client ID
- Click Select
- Keep the default scope domain.com (all users) or select an org unit that includes your GAM admin
- Click Next/Continue
- Click Trusted: App can request access to all Google data
- Click Next/Continue
- Click Finish
Verify whether the super admin you'll be using is in an OU where reauthentication is required.
- Access the admin console and go to Security -> Overview
- Scroll down and open Google Cloud session control section
- Select the OU containing the super admin
- If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified; if that sounds unappealing, check Exempt Trusted apps
- Click "OVERRIDE"
Additional steps may be required if errors are encountered.
- Authorize a super admin to create projects
- Authorize Service Account Key Uploads
- Authorize GAM to create projects
With many thanks to Jay, `gam oauth create` now uses a new client access authentication flow as required by Google for headless computers/cloud shells; this is required as of February 28, 2022.
- See: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html
- OAuth out-of-band (oob) flow will be deprecated
- https://cloud.google.com/resource-manager/docs/creating-managing-organization#adding_an_organization_administrator
- https://cloud.google.com/service-usage/docs/reference/rest
- https://cloud.google.com/resource-manager/reference/rest/v3/projects/create
- https://cloud.google.com/resource-manager/reference/rest/v3/projects/list
- https://cloud.google.com/resource-manager/reference/rest/v3/projects/getIamPolicy
- https://cloud.google.com/iam/docs/understanding-service-accounts
- https://developers.google.com/identity/protocols/oauth2
- https://developers.google.com/identity/protocols/googlescopes
- https://developers.google.com/admin-sdk/directory/v1/guides/delegation
- https://support.google.com/a/answer/7281227?hl=en#zippy=%2Cmanage-access-to-apps-trusted-limited-or-blocked
```
<APIScopeURL> ::= <String>
<APIScopeURLList> ::= "<APIScopeURL>(,<APIScopeURL>)*"
<ProjectID> ::= <String>
        Must match this Python Regular Expression: [a-z][a-z0-9-]{4,28}[a-z0-9]
<ProjectIDList> ::= "<ProjectID>(,<ProjectID>)*"
<ProjectIDEntity> ::=
        current | gam | <ProjectID> | (filter <String>) |
        (select <ProjectIDList> | <FileSelector> | <CSVFileSelector>)
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
<ProjectName> ::= <String>
        Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30}
<ServiceAccountName> ::= <String>
        Must match this Python Regular Expression: [a-z][a-z0-9-]{4,28}[a-z0-9]
<ServiceAccountDisplayName> ::= <String>
        Maximum of 100 characters
<ServiceAccountDescription> ::= <String>
        Maximum of 256 characters
<ServiceAccountEmail> ::= <ServiceAccountName>@<ProjectID>.iam.gserviceaccount.com
<ServiceAccountUniqueID> ::= <Number>
<ServiceAccountKey> ::= <String>
```
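The regular expressions and length limits above are the only constraints GAM documents for these identifiers. The following validator is an added example, not GAM's own code: it applies those exact patterns with `fullmatch` (so a trailing newline or slash cannot slip past a pattern that has no anchors), builds `<ServiceAccountEmail>` from its two components only after both pass their own rule, and collects every problem with a proposed `create project` argument set at once. The function names and the sample values are assumptions made for this example.

```python
import re
from typing import List

# Patterns copied from the definitions above (GAM's documented constraints).
PROJECT_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")
PROJECT_NAME_RE = re.compile(r"""[a-zA-Z0-9 '"!-]{4,30}""")
SERVICE_ACCOUNT_NAME_RE = PROJECT_ID_RE  # <ServiceAccountName> uses the same rule as <ProjectID>
SA_DISPLAY_NAME_MAX = 100
SA_DESCRIPTION_MAX = 256


def is_valid_project_id(value: str) -> bool:
    # fullmatch, not match/search: the pattern has no anchors, so anything
    # appended to an otherwise valid ID would pass a plain match().
    return PROJECT_ID_RE.fullmatch(value) is not None


def is_valid_project_name(value: str) -> bool:
    return PROJECT_NAME_RE.fullmatch(value) is not None


def is_valid_service_account_name(value: str) -> bool:
    return SERVICE_ACCOUNT_NAME_RE.fullmatch(value) is not None


def service_account_email(sa_name: str, project_id: str) -> str:
    """Build <ServiceAccountEmail> as defined above; refuse components that
    fail their own rule rather than emitting an address Google would reject."""
    if not is_valid_service_account_name(sa_name):
        raise ValueError(f"invalid service account name: {sa_name!r}")
    if not is_valid_project_id(project_id):
        raise ValueError(f"invalid project ID: {project_id!r}")
    return f"{sa_name}@{project_id}.iam.gserviceaccount.com"


def check_create_project_args(project_id: str, project_name: str, sa_name: str,
                              sa_display_name: str, sa_description: str) -> List[str]:
    """Return every problem found (an empty list means all values are acceptable)."""
    problems = []
    if not is_valid_project_id(project_id):
        problems.append("project: must match [a-z][a-z0-9-]{4,28}[a-z0-9]")
    if not is_valid_project_name(project_name):
        problems.append("projectname: must match [a-zA-Z0-9 '\"!-]{4,30}")
    if not is_valid_service_account_name(sa_name):
        problems.append("saname: must match [a-z][a-z0-9-]{4,28}[a-z0-9]")
    if len(sa_display_name) > SA_DISPLAY_NAME_MAX:
        problems.append(f"sadisplayname: longer than {SA_DISPLAY_NAME_MAX} characters")
    if len(sa_description) > SA_DESCRIPTION_MAX:
        problems.append(f"sadescription: longer than {SA_DESCRIPTION_MAX} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample: GAM's documented defaults pass; a short, mixed-case ID does not.
    print(service_account_email("gam-project-a1b2c", "gam-project-a1b2c"))
    print(check_create_project_args("gam-project-a1b2c", "GAM Project", "gam-project-a1b2c",
                                    "GAM Project", "GAM Project"))
    print(check_create_project_args("GAM", "GAM Project", "gam-project-a1b2c", "x" * 101, ""))
```

Note that the `<ProjectName>` class allows a space, quotes and `!`, so a name that is valid for GAM still needs shell quoting on the command line; the regular expression says nothing about that.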
In all of the project commands, the Google Workspace admin/GCP project manager `<EmailAddress>` can be omitted; you will be prompted for a value. You must enter a full address, i.e., user@domain.com; you will be required to authenticate.

For `print|show projects`, you can eliminate the password prompt and authentication requirement by specifying the super admin email address used in `gam oauth create`.
```
gam print projects admin admin@domain.com
```
If you try to create a project and get an error saying that the admin you specified is not authorized to create projects, perform these steps and then retry the create project command.
- Login as an existing super admin at console.cloud.google.com
- In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
- Under IAM & Admin select IAM
- Click the down arrow in the box to the right of Google Cloud
- Click the three dots at the right and select IAM/Permissions
- Now you should be at "Permissions for organization ..."
- Click on Grant Access
- Enter the new admin address in Principals
- Click in the Select a role box
- Type project creator in the Filter box
- Click Project Creator
- Click + Add Another Role
- Type organization policy administrator in the Filter box
- Click Organization Policy Administrator
- Click Save
If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload` violated for service account `projects/gam-project-xxxxx`, perform these steps and then you should be able to authorize and use your project.
- Login as an existing super admin at console.cloud.google.com
- In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
- Under IAM & Admin select IAM
- Click the down arrow in the box to the right of Google Cloud
- Click the three dots at the right and select IAM/Permissions
- Now you should be at "Permissions for organization ..."
- Click on Grant Access
- Enter the new admin address in Principals
- Click in the Select a role box
- Type organization policy administrator in the Filter box
- Click Organization Policy Administrator
- Click Save
- In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
- Under IAM & Admin select IAM
- Click the down arrow in the box to the right of Google Cloud
- Click the three dots at the right and select Manage Resources
- Click the three dots at the end of the line for the GAM project just created
- Click Settings
- Click Organization Policies in the left column
- Now you should be at "Policies for Gam Project"
- Click in the Filter box
- Enter iam.disableServiceAccountKeyUpload
- Click the three dots at the end of the Disable Service Account Key Upload
- Choose Edit policy
- Click Override parent's policy
- Click Add A Rule
- Select Enforcement/Off
- Click Done
- Click Set Policy
Wait a couple of minutes for the policy updates to complete and then do the following to upload the service account key:
```
gam upload sakey [admin <EmailAddress>]
```
If you try to create a project and get an error saying "This app has been blocked on your domain for either being insecure or non-educational", you'll have to mark the GAM Project Creation app as trusted. Perform these steps and then retry the create project command.
- Access the admin console and go to Security -> Access and data control -> API controls
- Click Manage third-party app access
- Click Add app and select OAuth App Name Or Client ID
- Paste 297408095146-fug707qsjv4ikron0hugpevbrjhkmsk7.apps.googleusercontent.com
- Click Search
- Click Select at right end of line referencing GAM Project Creation
- Check box to the left of the line with GAM Project Creation client ID
- Click Select
- Keep the default scope domain.com (all users) or select an org unit that includes your GAM admin
- Click Next/Continue
- Click Trusted: App can request access to all Google data
- Click Next/Continue
- Click Finish/Confirm
This folder can be used in a subsequent `gam create project parent <String>` command.
```
gam create gcpfolder <String>
gam create gcpfolder [admin <EmailAddress>] folder <String>
```
Create a new project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account. On-screen instructions lead you through the process.

An existing project, GAM Project Creation, is used to create your GAM project. The initial instructions tell you how to enable this project as a trusted app, as your workspace may not allow untrusted third-party apps. This is recommended but not mandatory unless your workspace has the "Google Cloud" service restricted; if it is restricted and you complete this step, it may take an hour or so to take full effect and allow you to approve GAM project creation.

The final instructions tell you how to enable your new GAM project as a trusted app, as your workspace may not allow untrusted third-party apps. You can skip these steps if you know that untrusted third-party apps are allowed.
Default values:
- `<AppName>` - "GAM"
- `<ProjectID>` - "gam-project-a1b2c" where "a1b2c" are randomly generated
- `<ProjectName>` - "GAM Project"
- `<ServiceAccountName>` - `<ProjectID>`
- `<ServiceAccountDisplayName>` - `<ProjectName>`
- `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
Create a project with default values for the project and service account.
```
gam create project [<EmailAddress>] [<ProjectID>]
```
- `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
- `<ProjectID>` - A new Google project ID; if omitted, a default value will be used

Create a project with user-specified values for the project and service account.
```
gam create project [admin <EmailAddress>] [project <ProjectID>]
        [appname <String>] [supportemail <EmailAddress>]
        [projectname <ProjectName>] [parent <String>]
        [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
        [sadescription <ServiceAccountDescription>]
        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
         (localkeysize 1024|2048|4096 [validityhours <Number>])|
         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)|
         nokey]
```
- `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
- `appname <String>` - Application name, defaults to `GAM`
- `supportemail <EmailAddress>` - Administrator to contact about GAM authentication, defaults to `admin <EmailAddress>`
- `project <ProjectID>` - A new Google project ID; if omitted, a default value will be used
- `projectname <ProjectName>` - Google project name, defaults to "GAM Project"
- `parent <String>` - A Resource Manager folder name
- `saname <ServiceAccountName>` - Service account name; combined with `<ProjectID>` to form `<ServiceAccountEmail>`
- `sadisplayname <ServiceAccountDisplayName>` - Service account display name
- `sadescription <ServiceAccountDescription>` - Service account description

You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`; see Manage Service Account keys.
Use `nokey` if you do not want a service account key created for the project.
Use an existing project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account.

Default values:
- `<ServiceAccountName>` - `<ProjectID>`
- `<ServiceAccountDisplayName>` - `<ProjectName>`
- `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this is typically used when the GCP administrators have created a basic project because project creation is not available for most users.
See Jay's notes about how to do this: https://github.com/GAM-team/GAM/wiki/GAM-with--minimal-GCP-rights
```
gam use project [<EmailAddress>] [project <ProjectID>]
```
- `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
- `<ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID

Use an existing project with user-specified values for the service account. If the project is already a GAM project you must use `saname <ServiceAccountName>`, as the existing service account information can not be re-downloaded.
```
gam use project [admin <EmailAddress>] [project <ProjectID>]
        [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
        [sadescription <ServiceAccountDescription>]
        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
         (localkeysize 1024|2048|4096 [validityhours <Number>])|
         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
```
- `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
- `project <ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID
- `saname <ServiceAccountName>` - Service account name; combined with `<ProjectID>` to form `<ServiceAccountEmail>`
- `sadisplayname <ServiceAccountDisplayName>` - Service account display name
- `sadescription <ServiceAccountDescription>` - Service account description

You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`; see Manage Service Account keys.
This command is used when GAM has added new capabilities that require additional APIs to be added to your project.
```
gam update project [[admin] <EmailAddress>] [<ProjectIDEntity>]
```
- `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Use these options to select projects.
- `current` - The project referenced in `client_secrets.json`; this is the default
- `gam` - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with `gam-project-`
- `<ProjectID>` - A Google API project ID
- `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation

```
gam delete project [[admin] <EmailAddress>] [<ProjectIDEntity>]
```
- `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Use these options to select projects.
- `current` - The project referenced in `client_secrets.json`; this is the default
- `gam` - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with `gam-project-`
- `<ProjectID>` - A Google API project ID
- `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
Display the current Project ID.
```
gam info currentprojectid
```
Display Google API projects as an indented list of keys and values.
```
gam show projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
        [states all|active|deleterequested] [showiampolicies 0|1|3]
```
- `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Use these options to select projects.
- `all` - All projects accessible by the administrator; this is the default
- `current` - The project referenced in `client_secrets.json`
- `gam` - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with `gam-project-`
- `<ProjectID>` - A Google API project ID
- `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
- `states all|active|deleterequested` - Limit display to projects based on state; the default is `active`

Use the `showiampolicies 0|1|3` option to display IAM policy information for the project.

Display Google API projects as columns of fields.
```
gam print projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>] [todrive <ToDriveAttribute>*]
        [states all|active|deleterequested] [showiampolicies 0|1|3 [onememberperrow]]
        [delimiter <Character>] [formatjson [quotechar <Character>]]
```
- `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Use these options to select projects.
- `all` - All projects accessible by the administrator; this is the default
- `current` - The project referenced in `client_secrets.json`
- `gam` - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with `gam-project-`
- `<ProjectID>` - A Google API project ID
- `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
- `states all|active|deleterequested` - Limit display to projects based on state; the default is `active`

Use the `showiampolicies 0|1|3` option to display IAM policy information for the project. Each role in the policy will be displayed on a separate row; by default, all members will be shown on that row. By default, the members are separated by the `csv_output_field_delimiter` from `gam.cfg`.
- `delimiter <Character>` - Separate list items with `<Character>`

Use the `onememberperrow` option to show separate rows for each role/member combination.

By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format.
- `formatjson` - Display the fields in JSON format.

By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled. When using the `formatjson` option, double quotes are used extensively in the data, resulting in hard to read/process output. The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output. `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
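To see why `formatjson` output is hard to read with the default quote character and why the reader must be told which quote character the writer used, here is an added example built on Python's standard `csv` module (it is not GAM's own CSV code, which has its own options). It writes a constructed project row whose second column is a JSON document, once with `"` and once with `'` as the quote character, and reads each result back; the row data is made up for this example.

```python
import csv
import io
import json
from typing import List, Sequence


def rows_to_csv(rows: Sequence[Sequence[str]], quotechar: str = '"',
                delimiter: str = ",") -> str:
    """Write rows the way a minimal-quoting CSV writer does: a field is enclosed in
    quotechar only when it contains the delimiter, the quotechar or a newline, and
    any quotechar inside such a field is doubled."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, quotechar=quotechar,
                        quoting=csv.QUOTE_MINIMAL, doublequote=True, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def csv_to_rows(text: str, quotechar: str = '"', delimiter: str = ",") -> List[List[str]]:
    """Read the CSV back; the reader must use the same quotechar the writer used,
    otherwise the quote characters stay in the data and embedded commas split fields."""
    return list(csv.reader(io.StringIO(text), delimiter=delimiter, quotechar=quotechar))


# Constructed sample: one project row with a JSON column, as formatjson would produce.
SAMPLE_ROWS = [
    ["projectId", "JSON"],
    ["gam-project-a1b2c", json.dumps({"projectId": "gam-project-a1b2c", "state": "ACTIVE"})],
]


def json_column_round_trips(quotechar: str) -> bool:
    """True when the JSON column survives write -> read -> json.loads with this quotechar."""
    text = rows_to_csv(SAMPLE_ROWS, quotechar=quotechar)
    rows = csv_to_rows(text, quotechar=quotechar)
    return json.loads(rows[1][1]) == json.loads(SAMPLE_ROWS[1][1])


if __name__ == "__main__":
    for qc in ('"', "'"):
        print(f"quotechar {qc}:")
        print(rows_to_csv(SAMPLE_ROWS, quotechar=qc))
```

With `"` every quote inside the JSON is doubled (`""projectId""`), which is what the page means by hard to read; with `'` the JSON is enclosed once and untouched. Either form round-trips only when the consumer knows the quote character, which is the reason the page says to keep `"` for files uploaded to Google.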
```
gam oauth|oauth2 create|request [<EmailAddress>]
gam oauth|oauth2 create|request [admin <EmailAddress>] [scopes <APIScopeURLList>]
```
- `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
- `scopes <APIScopeURLList>` - A set of specific scopes; if omitted, you will be prompted to select your desired scopes.

You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and writes the credentials into the file `oauth2.txt`.
```
gam oauth create
[*] 0) Calendar API (supports readonly)
[*] 1) Chrome Browser Cloud Management API (supports readonly)
[*] 2) Chrome Management API - AppDetails read only
[*] 3) Chrome Management API - Telemetry read only
[*] 4) Chrome Management API - read only
[*] 5) Chrome Policy API (supports readonly)
[*] 6) Chrome Printer Management API (supports readonly)
[*] 7) Chrome Version History API
[*] 8) Classroom API - Course Announcements (supports readonly)
[*] 9) Classroom API - Course Topics (supports readonly)
[*] 10) Classroom API - Course Work/Materials (supports readonly)
[*] 11) Classroom API - Course Work/Submissions (supports readonly)
[*] 12) Classroom API - Courses (supports readonly)
[*] 13) Classroom API - Profile Emails
[*] 14) Classroom API - Profile Photos
[*] 15) Classroom API - Rosters (supports readonly)
[*] 16) Classroom API - Student Guardians (supports readonly)
[ ] 17) Cloud Channel API (supports readonly)
[*] 18) Cloud Identity - Inbound SSO Settings (supports readonly)
[*] 19) Cloud Identity Groups API (supports readonly)
[*] 20) Cloud Identity OrgUnits API (supports readonly)
[*] 21) Cloud Identity User Invitations API (supports readonly)
[ ] 22) Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
[ ] 23) Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
[*] 24) Contact Delegation API (supports readonly)
[*] 25) Contacts API - Domain Shared Contacts and GAL
[*] 26) Data Transfer API (supports readonly)
[*] 27) Directory API - Chrome OS Devices (supports readonly)
[*] 28) Directory API - Customers (supports readonly)
[*] 29) Directory API - Domains (supports readonly)
[*] 30) Directory API - Groups (supports readonly)
[*] 31) Directory API - Mobile Devices Directory (supports readonly and action)
[*] 32) Directory API - Organizational Units (supports readonly)
[*] 33) Directory API - Resource Calendars (supports readonly)
[*] 34) Directory API - Roles (supports readonly)
[*] 35) Directory API - User Schemas (supports readonly)
[*] 36) Directory API - User Security
[*] 37) Directory API - Users (supports readonly)
[ ] 38) Email Audit API
[*] 39) Groups Migration API
[*] 40) Groups Settings API
[*] 41) License Manager API
[*] 42) People API (supports readonly)
[*] 43) People Directory API - read only
[ ] 44) Pub / Sub API
[*] 45) Reports API - Audit Reports
[*] 46) Reports API - Usage Reports
[ ] 47) Reseller API
[*] 48) Site Verification API
[ ] 49) Sites API
[*] 50) Vault API (supports readonly)
Select an unselected scope [ ] by entering a number; yields [*]
For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
Unselect a selected scope [*] by entering a number; yields [ ]
Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
Unselect all scopes by entering a 'u'; yields [ ] for all scopes
Exit without changes/authorization by entering an 'e'
Continue to authorization by entering a 'c'
Note, if all scopes are selected, Google will probably generate an authorization error
Please enter 0-50[a|r] or s|u|e|c: c
Enter your Google Workspace admin email address? admin@domain.com
Go to the following link in a browser on this computer or on another computer:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
The authentication flow has completed.
Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
```
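The prompt above accepts either a verification code or the "Unable to connect" URL from the other computer's address bar, and says only the part up to `&scope` is needed. The following is an added example of how such a pasted value can be turned into the authorization code; it is not GAM's code, and the function name, the loopback-host check and the sample pastes (with made-up code values) are assumptions of this example. The host check exists because the authorization URL above names `http://127.0.0.1:8080/` as the only redirect target, so a pasted URL for any other host is not the redirect and should not be treated as one.

```python
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Loopback redirect named in the authorization URL above (redirect_uri=http://127.0.0.1:8080/).
EXPECTED_REDIRECT_HOST = "127.0.0.1"


def extract_auth_code(pasted: str) -> Optional[str]:
    """Return the OAuth authorization code from what the admin pasted, or None.

    Accepts three shapes:
      * a bare verification code,
      * the full "Unable to connect" URL from the other computer's address bar,
      * that URL cut off at or after &scope (only data up to &scope is needed).
    """
    text = pasted.strip()
    if not text:
        return None
    if "://" not in text:
        # No URL at all: the whole input is taken to be the verification code itself.
        return text
    parts = urlsplit(text)
    # Only the loopback redirect Google sends the browser to is acceptable.
    if parts.hostname != EXPECTED_REDIRECT_HOST:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:
        # e.g. error=access_denied when the admin clicks Cancel instead of Allow
        return None
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        return None
    return codes[0]  # parse_qs already turned %2F back into "/"


# Constructed sample inputs; the code values are invented for this example.
SAMPLE_PASTES: Dict[str, str] = {
    "full_url": "http://127.0.0.1:8080/?state=xyz123&code=4%2F0AconstructedCode&scope=email%20openid",
    "truncated_at_scope": "http://127.0.0.1:8080/?state=xyz123&code=4%2F0AconstructedCode&scope",
    "bare_code": "4/0AconstructedCode",
    "user_cancelled": "http://127.0.0.1:8080/?error=access_denied&state=xyz123",
    "wrong_host": "http://example.test/?code=4%2F0AconstructedCode",
}


def classify_samples() -> Dict[str, Optional[str]]:
    """Run every constructed sample through extract_auth_code."""
    return {name: extract_auth_code(text) for name, text in SAMPLE_PASTES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:20s} -> {result}")
```

The code in the redirect is single-use and short-lived, which is why the page can tell you to paste it by hand; everything after `&scope` in the pasted URL is information Google is echoing back, not something the client needs.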
```
gam oauth update [<EmailAddress>]
gam oauth update [admin <EmailAddress>]
```
- `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Read API scopes from any version of `oauth2.txt` and select a list of APIs; GAM uses a browser to get final authorization from Google for these APIs and writes the credentials into the file `oauth2.txt`.
```
gam oauth update
[*] 0) Calendar API (supports readonly)
[*] 1) Chrome Browser Cloud Management API (supports readonly)
[*] 2) Chrome Management API - AppDetails read only
[*] 3) Chrome Management API - Telemetry read only
[*] 4) Chrome Management API - read only
[*] 5) Chrome Policy API (supports readonly)
[*] 6) Chrome Printer Management API (supports readonly)
[*] 7) Chrome Version History API
[*] 8) Classroom API - Course Announcements (supports readonly)
[*] 9) Classroom API - Course Topics (supports readonly)
[*] 10) Classroom API - Course Work/Materials (supports readonly)
[*] 11) Classroom API - Course Work/Submissions (supports readonly)
[*] 12) Classroom API - Courses (supports readonly)
[*] 13) Classroom API - Profile Emails
[*] 14) Classroom API - Profile Photos
[*] 15) Classroom API - Rosters (supports readonly)
[*] 16) Classroom API - Student Guardians (supports readonly)
[ ] 17) Cloud Channel API (supports readonly)
[*] 18) Cloud Identity - Inbound SSO Settings (supports readonly)
[*] 19) Cloud Identity Groups API (supports readonly)
[*] 20) Cloud Identity OrgUnits API (supports readonly)
[*] 21) Cloud Identity User Invitations API (supports readonly)
[ ] 22) Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
[ ] 23) Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
[*] 24) Contact Delegation API (supports readonly)
[*] 25) Contacts API - Domain Shared Contacts and GAL
[*] 26) Data Transfer API (supports readonly)
[*] 27) Directory API - Chrome OS Devices (supports readonly)
[*] 28) Directory API - Customers (supports readonly)
[*] 29) Directory API - Domains (supports readonly)
[*] 30) Directory API - Groups (supports readonly)
[*] 31) Directory API - Mobile Devices Directory (supports readonly and action)
[*] 32) Directory API - Organizational Units (supports readonly)
[*] 33) Directory API - Resource Calendars (supports readonly)
[*] 34) Directory API - Roles (supports readonly)
[*] 35) Directory API - User Schemas (supports readonly)
[*] 36) Directory API - User Security
[*] 37) Directory API - Users (supports readonly)
[ ] 38) Email Audit API
[*] 39) Groups Migration API
[*] 40) Groups Settings API
[*] 41) License Manager API
[*] 42) People API (supports readonly)
[*] 43) People Directory API - read only
[ ] 44) Pub / Sub API
[*] 45) Reports API - Audit Reports
[*] 46) Reports API - Usage Reports
[ ] 47) Reseller API
[*] 48) Site Verification API
[ ] 49) Sites API
[*] 50) Vault API (supports readonly)
Select an unselected scope [ ] by entering a number; yields [*]
For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
Unselect a selected scope [*] by entering a number; yields [ ]
Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
Unselect all scopes by entering a 'u'; yields [ ] for all scopes
Exit without changes/authorization by entering an 'e'
Continue to authorization by entering a 'c'
Note, if all scopes are selected, Google will probably generate an authorization error
Please enter 0-50[a|r] or s|u|e|c: c
Enter your Google Workspace admin email address? admin@domain.com
Go to the following link in a browser on this computer or on another computer:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
The authentication flow has completed.
Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
```
If you have multiple sections in `gam.cfg` that reference different `oauth2.txt` files, perform an update on each section:
```
gam select aaa oauth update
gam select bbb oauth update
...
```
If necessary, update `oauth2.txt` from versions of GAM before `5.00.00`.

Refresh the expiration time in `oauth2.txt`.
```
gam oauth refresh
```
If you have multiple sections in `gam.cfg` that reference different `oauth2.txt` files, perform a refresh on each section:
```
gam select aaa oauth refresh
gam select bbb oauth refresh
...
```

```
gam oauth|oauth2 delete|revoke
```
Revoke the credentials in the file `oauth2.txt` and then delete the file.

```
<AccessToken> ::= <String>
<IDToken> ::= <String>
```
```
gam oauth|oauth2 info|verify [showsecret] [accesstoken <AccessToken> idtoken <IDToken>] [showdetails]
```
The Client Secret is not shown by default; use `showsecret` to have it displayed.
These options are used for debugging: `accesstoken <AccessToken> idtoken <IDToken> showdetails`.

Export `oauth2.txt` in JSON form.
```
gam oauth|oauth2 export [<FileName>]
```
For GAM version `5.00.00` and later:
- If `<FileName>` is omitted, the JSON data is written to `oauth2.txt`.
- If `<FileName>` is `-`, the JSON data is written to stdout.

For GAM versions before `5.00.00`:
- If `<FileName>` is omitted, the JSON data is written to stdout.
In all of the service account commands, the Google Workspace admin/GCP project manager <EmailAddress>
can be omitted; you will be prompted for a value.
You must enter a full address, i.e., user@domain.com; you will be required to enter the password.
You can add additional service accounts to a project and assign it specific access APIs. This command
creates a new oauth2service.json
file; it will not overwrite an existing file so you must rename the existing
file or define a new section in gam.cfg
that references a different oauth2service_json
or config_dir
.
-
<ServiceAccountName>
- "gam-svcacct-abc-def-jki" where "abc-def-ghi" are randomly generated -
<ServiceAccountDisplayName>
-<ServiceAccountName>
-
<ServiceAccountDescription>
-<ServiceAccountDisplayName>
gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
[saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
[sadescription <ServiceAccountDescription>]
[(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
(localkeysize 1024|2048|4096 [validityhours <Number>])|
(yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
- `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Use these options to select projects.
- `current` - The project referenced in `client_secrets.json`; this is the default
- `gam` - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with `gam-project-`
- `<ProjectID>` - A Google API project ID
- `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation

Use these options to specify values for the new service account.
- `saname <ServiceAccountName>` - Service account name; combined with `<ProjectID>` to form `<ServiceAccountEmail>`
- `sadisplayname <ServiceAccountDisplayName>` - Service account display name
- `sadescription <ServiceAccountDescription>` - Service account description

You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: Manage Service Account keys

After adding an additional service account, you can select specific access APIs for it; see Selective Service Account access.
```
gam delete svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
        (saemail <ServiceAccountEmail>)|(saname <ServiceAccountName>)|(sauniqueid <ServiceAccountUniqueID>)
```
- `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Use these options to select projects.
- `current` - The project referenced in `client_secrets.json`; this is the default
- `gam` - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with `gam-project-`
- `<ProjectID>` - A Google API project ID
- `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
Display Service Accounts as an indented list of keys and values.
```
gam show svcaccts [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
        [showsakeys all|system|user]
```
Display Service Accounts as columns of fields.
```
gam print svcaccts [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
        [showsakeys all|system|user]
        [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
```
- `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

Use these options to select projects.
- `all` - All projects accessible by the administrator; this is the default
- `current` - The project referenced in `client_secrets.json`
- `gam` - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with `gam-project-`
- `<ProjectID>` - A Google API project ID
- `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation

By default, no Service Account key information is displayed; use the following options to display keys.
- `showsakeys all` - Display system and user keys; this is the default when keys are displayed
- `showsakeys system` - Display system keys
- `showsakeys user` - Display user keys
The `oauth2service.json` file contains a private key that is used to authenticate Service Account access.
This private key will be referred to as the current private key.
Each Service Account in a project typically has one private key but it can have multiple keys; this might be the
case if you have several users with Gam access where they will all access the same Service Account but with different keys.
You will distribute different `oauth2service.json` files to each user, each with its own private key.

There are several methods for generating private keys:
- `algorithm KEY_ALG_RSA_1024` - Google generates a 1024 bit key; not recommended
- `algorithm KEY_ALG_RSA_2048` - Google generates a 2048 bit key
- `localkeysize 1024` - Gam generates a 1024 bit key; this is not recommended
- `localkeysize 2048` - Gam generates a 2048 bit key; this is the default
- `localkeysize 4096` - Gam generates a 4096 bit key
- `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>` - Using GAM7 with a YubiKey

When `localkeysize` is specified, the optional argument `validityhours <Number>`
sets the length of time during which the key will be valid and should be used when the GCP `constraints/iam.serviceAccountKeyExpiryHours` organization policy is in use. Note that in order to account for system clock skew, GAM sets the key to be valid two minutes earlier than the current system time and thus it will also expire two minutes earlier.

Here are some sample values:
- 1 hour
- 8 hours
- 24 hours (1 day)
- 168 hours (7 days)
- 336 hours (14 days)
- 720 hours (30 days)
- 1440 hours (60 days)
- 2160 hours (90 days)
Create a new Service Account private key; all existing private keys remain valid.
The `oauth2service.json` file is updated with the new private key.
Keep a good record of where each Service Account key is used, as the keys themselves do not record this information.
The two forms of the command are equivalent; the second form is used by Legacy GAM.
```
gam create sakey
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        (localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
gam rotate sakey retain_existing
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        (localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
```
To distribute `oauth2service.json` files with unique private keys, perform the following steps:
```
copy oauth2service.json to oauth2service.save
repeat
    gam create sakey
    distribute updated oauth2service.json file
    copy oauth2service.save to oauth2service.json
```
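The record that the paragraph above asks you to keep, as an added Python example that is not part of GAM: a small ledger of which `private_key_id` went to which person, so that one distributed copy can later be revoked with `gam delete sakeys` and copies older than policy can be found. It assumes only the standard `client_email` and `private_key_id` fields of a Google service-account key file; the sample key file, the ledger layout and the 90-day threshold are constructed for the example.

```python
import csv
import io
import json
from dataclasses import dataclass, asdict, fields
from datetime import date

# Assumed local rotation policy (the 2160-hour sample above); not a GAM setting.
MAX_KEY_AGE_DAYS = 90

# Constructed sample in the layout of a Google service-account key file
# (oauth2service.json); the private_key body is a placeholder, not key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "gam-project-example",
    "private_key_id": "constructed0001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gam-limited@gam-project-example.iam.gserviceaccount.com",
})


@dataclass
class LedgerRow:
    issued: str           # ISO date the copy was handed out
    recipient: str        # who received that oauth2service.json copy
    client_email: str     # the Service Account the key belongs to
    private_key_id: str   # the id `gam delete sakeys` needs to revoke it


def key_identity(key_file_text):
    """Return (client_email, private_key_id) from an oauth2service.json body."""
    data = json.loads(key_file_text)
    if data.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return data["client_email"], data["private_key_id"]


def record_distribution(ledger, key_file_text, recipient, issued_iso):
    """Record one distributed copy; refuse to hand the same key to two people."""
    email, key_id = key_identity(key_file_text)
    if any(row.private_key_id == key_id for row in ledger):
        raise ValueError(f"key {key_id} already distributed; each copy needs its own key")
    row = LedgerRow(issued_iso, recipient, email, key_id)
    ledger.append(row)
    return row


def holder_of(ledger, key_id):
    """Who holds a given key id, or None; check this before revoking a single copy."""
    for row in ledger:
        if row.private_key_id == key_id:
            return row.recipient
    return None


def keys_due_for_rotation(ledger, today_iso, max_age_days=MAX_KEY_AGE_DAYS):
    """Key ids whose distributed copy is older than the policy allows."""
    today = date.fromisoformat(today_iso)
    return [row.private_key_id for row in ledger
            if (today - date.fromisoformat(row.issued)).days > max_age_days]


def ledger_to_csv(ledger):
    """Serialize the ledger; store it alongside the project, never with the keys."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(LedgerRow)])
    writer.writeheader()
    for row in ledger:
        writer.writerow(asdict(row))
    return buf.getvalue()


def ledger_from_csv(text):
    """Load a ledger written by ledger_to_csv."""
    return [LedgerRow(**row) for row in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    ledger = []
    record_distribution(ledger, SAMPLE_KEY_FILE, "alice@domain.com", "2024-01-15")
    print(ledger_to_csv(ledger))
    print("due for rotation:", keys_due_for_rotation(ledger, "2024-06-01"))
```

Run `record_distribution` on each copy of `oauth2service.json` inside the distribution loop, before restoring `oauth2service.save`.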
Revoke the current Service Account key and replace it with a new private key; all other private keys remain valid.
The `oauth2service.json` file is updated with the new private key. If you had previously distributed
this `oauth2service.json` file to other users, you must redistribute the updated file as the private key
in the distributed copies has been revoked.
The two forms of the command are equivalent; the second form is used by Legacy GAM.
```
gam update sakey
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        (localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
gam rotate sakey replace_current
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        (localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
```
Create a new Service Account private key; all existing private keys are revoked.
The `oauth2service.json` file is updated with the new private key. If you had previously distributed
any `oauth2service.json` file to other users, you must redistribute the updated file as the private key
in the distributed copies has been revoked.
This command can be used if your Service Account keys have been compromised; all existing private keys are revoked.
The two forms of the command are equivalent; the second form is used by Legacy GAM.
```
gam replace sakeys
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        (localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
gam rotate sakeys retain_none
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        (localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
```
You can delete Service Account keys, thus revoking access for those keys. Generally, you will
delete a service account key for a distributed copy of an `oauth2service.json` file to disable
that user's service account access.
You can disable your current Service Account key if you specify the `doit` argument. This is your
acknowledgement that you will have to manually create a new Service Account key in the Developer's Console
or upload a new key with the `gam upload sakey` command.
```
gam delete sakeys <ServiceAccountKeyList>+ [doit]
```
There are two cases where you will use this command:
- Your workspace is configured to disable service account private key uploads and you are creating a project.
- All of your service account keys have been deleted, either manually or with the `gam delete sakeys` command.

The `oauth2service.json` file is updated with the new private key. If you had previously distributed
any `oauth2service.json` file to other users, you must redistribute the updated file with the new key.
```
gam upload sakey [admin <EmailAddress>]
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        (localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
```
There are system keys and user keys; user keys are what Gam uses, GCP uses system keys.
Display Service Account keys as an indented list of keys and values.
```
gam show sakeys [all|system|user]
```
- `all` - Display system and user keys; this is the default
- `system` - Display system keys
- `user` - Display user keys

The private key currently being used in `oauth2service.json` will be marked as `usedToAuthenticateThisRequest: True`.
Verify that the Service Account credentials have been authorized. If they have not, you will be given instructions as to how to perform the authorization. By default, the following scopes are verified:
```
https://mail.google.com/
https://sites.google.com/feeds
https://www.googleapis.com/auth/analytics.readonly
https://www.googleapis.com/auth/apps.alerts
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/chat.delete
https://www.googleapis.com/auth/chat.memberships
https://www.googleapis.com/auth/chat.messages
https://www.googleapis.com/auth/chat.spaces
https://www.googleapis.com/auth/classroom.announcements
https://www.googleapis.com/auth/classroom.coursework.students
https://www.googleapis.com/auth/classroom.courseworkmaterials
https://www.googleapis.com/auth/classroom.profile.emails
https://www.googleapis.com/auth/classroom.profile.photos
https://www.googleapis.com/auth/classroom.rosters
https://www.googleapis.com/auth/classroom.topics
https://www.googleapis.com/auth/cloud-identity
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/contacts
https://www.googleapis.com/auth/contacts.other.readonly
https://www.googleapis.com/auth/datastudio
https://www.googleapis.com/auth/directory.readonly
https://www.googleapis.com/auth/documents
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.activity
https://www.googleapis.com/auth/drive.admin.labels
https://www.googleapis.com/auth/drive.labels
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/keep
https://www.googleapis.com/auth/spreadsheets
https://www.googleapis.com/auth/tasks
https://www.googleapis.com/auth/userinfo.profile
```
This scope is verified when `user_service_account_access_only = true` in `gam.cfg`:
```
https://www.googleapis.com/auth/apps.groups.migration
```
Verify/enable service account access for the default list of APIs. The two forms of the command are equivalent.
```
gam check svcacct <UserTypeEntity> (scope|scopes <APIScopeURLList>)*
gam <UserTypeEntity> check serviceaccount (scope|scopes <APIScopeURLList>)*
```
- `<UserTypeEntity>` - Typically `user <EmailAddress>`, a non-Google Workspace administrator.
- `scopes <APIScopeURLList>` - Verify/enable service account access for a set of specific scopes rather than the default list.

Verify/enable service account access for a selected list of APIs rather than the default list. The two forms of the command are equivalent.
If `scopes <APIScopeURLList>` is not specified, you will be prompted to select a list of scopes.
```
gam update svcacct <UserTypeEntity> (scope|scopes <APIScopeURLList>)*
gam <UserTypeEntity> update serviceaccount (scope|scopes <APIScopeURLList>)*
```
- `<UserTypeEntity>` - Typically `user <EmailAddress>`, a non-Google Workspace administrator.
- `scopes <APIScopeURLList>` - Verify/enable service account access for a set of specific scopes rather than selecting the scopes.
```
gam user user@domain.com update serviceaccount
[*] 0) AlertCenter API
[*] 1) Analytics API - read only
[*] 2) Analytics Admin API - read only
[*] 3) Calendar API (supports readonly)
[*] 4) Chat API - Memberships (supports readonly)
[*] 5) Chat API - Messages (supports readonly)
[*] 6) Chat API - Spaces (supports readonly)
[*] 7) Chat API - Spaces Delete
[*] 8) Classroom API - Course Announcements (supports readonly)
[*] 9) Classroom API - Course Topics (supports readonly)
[*] 10) Classroom API - Course Work/Materials (supports readonly)
[*] 11) Classroom API - Course Work/Submissions (supports readonly)
[*] 12) Classroom API - Profile Emails
[*] 13) Classroom API - Profile Photos
[*] 14) Classroom API - Rosters (supports readonly)
[*] 15) Cloud Identity Devices API (supports readonly)
[*] 16) Cloud Resource Manager API v3
[*] 17) Docs API (supports readonly)
[*] 18) Drive API (supports readonly)
[*] 19) Drive API - todrive
[*] 20) Drive Activity API v2 - must pair with Drive API
[*] 21) Drive Labels API - Admin (supports readonly)
[*] 22) Drive Labels API - User (supports readonly)
[*] 23) Forms API
[*] 24) Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read
[*] 25) Gmail API - Full Access (Labels, Messages)
[*] 26) Gmail API - Full Access (Labels, Messages) except delete message
[ ] 27) Gmail API - Full Access - read only
[ ] 28) Gmail API - Send Messages - including todrive
[*] 29) Gmail API - Sharing Settings (Delegates, Forwarding, SendAs) - write
[*] 30) Identity and Access Management API
[*] 31) Keep API (supports readonly)
[*] 32) Looker Studio API (supports readonly)
[*] 33) OAuth2 API
[*] 34) People API (supports readonly)
[*] 35) People API - Other Contacts - read only
[*] 36) People Directory API - read only
[*] 37) Sheets API (supports readonly)
[*] 38) Sheets API - todrive
[*] 39) Sites API
[*] 40) Tasks API (supports readonly)
[ ] 41) Youtube API - read only
Select an unselected scope [ ] by entering a number; yields [*]
For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
Unselect a selected scope [*] by entering a number; yields [ ]
Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
Unselect all scopes by entering a 'u'; yields [ ] for all scopes
Exit without changes/authorization by entering an 'e'
Continue to authorization by entering a 'c'
Please enter 0-41[a|r] or s|u|e|c: c
System time status
Your system time differs from admin.googleapis.com by less than 1 second PASS
Service Account Private Key Authentication
Authentication PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
Service Account Private Key age: 364 days WARN
Domain-wide Delegation authentication:, User: user@domain.com, Scopes: 34
https://mail.google.com/ PASS (1/34)
https://sites.google.com/feeds PASS (2/34)
https://www.googleapis.com/auth/analytics.readonly PASS (3/34)
https://www.googleapis.com/auth/apps.alerts PASS (4/34)
https://www.googleapis.com/auth/calendar PASS (5/34)
https://www.googleapis.com/auth/chat.delete PASS (6/34)
https://www.googleapis.com/auth/chat.memberships PASS (7/34)
https://www.googleapis.com/auth/chat.messages PASS (8/34)
https://www.googleapis.com/auth/chat.spaces PASS (9/34)
https://www.googleapis.com/auth/classroom.announcements PASS (10/34)
https://www.googleapis.com/auth/classroom.coursework.students PASS (11/34)
https://www.googleapis.com/auth/classroom.courseworkmaterials PASS (12/34)
https://www.googleapis.com/auth/classroom.profile.emails PASS (13/34)
https://www.googleapis.com/auth/classroom.profile.photos PASS (14/34)
https://www.googleapis.com/auth/classroom.rosters PASS (15/34)
https://www.googleapis.com/auth/classroom.topics PASS (16/34)
https://www.googleapis.com/auth/cloud-identity PASS (17/34)
https://www.googleapis.com/auth/cloud-platform PASS (18/34)
https://www.googleapis.com/auth/contacts PASS (19/34)
https://www.googleapis.com/auth/contacts.other.readonly PASS (20/34)
https://www.googleapis.com/auth/datastudio PASS (21/34)
https://www.googleapis.com/auth/directory.readonly PASS (22/34)
https://www.googleapis.com/auth/documents PASS (23/34)
https://www.googleapis.com/auth/drive PASS (24/34)
https://www.googleapis.com/auth/drive.activity PASS (25/34)
https://www.googleapis.com/auth/drive.admin.labels FAIL (26/34)
https://www.googleapis.com/auth/drive.labels FAIL (27/34)
https://www.googleapis.com/auth/gmail.modify PASS (28/34)
https://www.googleapis.com/auth/gmail.settings.basic PASS (29/34)
https://www.googleapis.com/auth/gmail.settings.sharing PASS (30/34)
https://www.googleapis.com/auth/keep PASS (31/34)
https://www.googleapis.com/auth/spreadsheets PASS (32/34)
https://www.googleapis.com/auth/tasks PASS (33/34)
https://www.googleapis.com/auth/userinfo.profile PASS (34/34)
Some scopes Failed!
To authorize them, please go to the following link in your browser:
https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,...
You will be directed to the Google Workspace admin console Security > API Controls > Domain-wide Delegation page
The "Add a new Client ID" box will open
Make sure that "Overwrite existing client ID" is checked
Click AUTHORIZE
When the box closes you're done
After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
```
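A parser for the report above, as an added Python example that is not GAM code: it extracts the PASS/FAIL scope lines, the key age and the delegated user, then compares the scopes that passed against the set a particular limited user is supposed to have, so that an over-authorized delegation is flagged as well as a missing one. The sample report (trimmed to four scopes) and the two-scope allow-list (the Drive and Sheets scopes from the default list) are constructed for the example; the `time_ok` and `auth_ok` checks assume the line wording shown in the report above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the format of the `gam check svcacct` report above.
SAMPLE_CHECK_OUTPUT = """\
System time status
Your system time differs from admin.googleapis.com by less than 1 second PASS
Service Account Private Key Authentication
Authentication PASS
Service Account Private Key age; Google recommends rotating keys on a routine basis
Service Account Private Key age: 364 days WARN
Domain-wide Delegation authentication:, User: limited@domain.com, Scopes: 4
https://www.googleapis.com/auth/drive PASS (1/4)
https://www.googleapis.com/auth/drive.labels FAIL (2/4)
https://www.googleapis.com/auth/gmail.modify PASS (3/4)
https://www.googleapis.com/auth/spreadsheets PASS (4/4)
Some scopes Failed!
"""

# Assumed allow-list for one limited user who may work with other users'
# Drive files and Sheets; a deployment choice, not a GAM default.
LIMITED_USER_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets",
})

SCOPE_LINE = re.compile(r"^(https?://\S+)\s+(PASS|FAIL)\s+\((\d+)/(\d+)\)$")
KEY_AGE_LINE = re.compile(r"Private Key age:\s+(\d+)\s+days\s+(\w+)$")
USER_LINE = re.compile(r"User:\s*([^,\s]+),\s*Scopes:\s*(\d+)")


@dataclass
class CheckResult:
    user: str = ""
    declared_scopes: int = 0          # the "Scopes: N" count GAM announces
    time_ok: bool = False             # system clock within tolerance
    auth_ok: bool = False             # private key authenticated
    key_age_days: Optional[int] = None
    key_age_status: str = ""          # e.g. WARN in the report above
    passed: list = field(default_factory=list)
    failed: list = field(default_factory=list)


def parse_check_output(text):
    """Turn the line-oriented report into a CheckResult."""
    result = CheckResult()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Your system time"):
            result.time_ok = line.endswith(" PASS")
        elif line == "Authentication PASS":
            result.auth_ok = True
        elif m := KEY_AGE_LINE.search(line):
            result.key_age_days, result.key_age_status = int(m.group(1)), m.group(2)
        elif m := USER_LINE.search(line):
            result.user, result.declared_scopes = m.group(1), int(m.group(2))
        elif m := SCOPE_LINE.match(line):
            (result.passed if m.group(2) == "PASS" else result.failed).append(m.group(1))
    return result


def unexpected_scopes(result, allowed):
    """Scopes that passed although the limited user was not meant to have them."""
    return sorted(set(result.passed) - set(allowed))


def missing_scopes(result, allowed):
    """Allowed scopes that did not pass, i.e. not yet authorized in Domain-wide Delegation."""
    return sorted(set(allowed) - set(result.passed))


def delegation_complete(result):
    """True when every declared scope was reported and none failed."""
    return (len(result.passed) + len(result.failed) == result.declared_scopes
            and not result.failed)


if __name__ == "__main__":
    r = parse_check_output(SAMPLE_CHECK_OUTPUT)
    print(f"user={r.user} key_age={r.key_age_days}d ({r.key_age_status})")
    print("unexpected:", unexpected_scopes(r, LIMITED_USER_SCOPES))
    print("missing:", missing_scopes(r, LIMITED_USER_SCOPES))
```

Pipe the real command output into `parse_check_output` when verifying a limited user; a non-empty `unexpected_scopes` result means the Domain-wide Delegation client still carries scopes the user should not have.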
You can configure GAM to allow users limited access to your domain via GAM.
You can limit both client and service account access.
You can repeat these steps if you want to configure multiple limited users;
substitute a unique value for `limited` in each of the steps.

In the Admin console, define a new Admin role with the desired privileges, assign it to the limited user and indicate whether it is for all Org Units or a specific Org Unit.

On your computer, perform these initial steps:

Make a subdirectory `limited` under the directory specified in `gam.cfg` `config_dir`.

Create a new section at the end of your `gam.cfg` file.
```
[limited]
config_dir = limited
```
Copy `client_secrets.json` to the `limited` subdirectory.

Select the `limited` section.
```
gam select limited save
```
Perform these steps to allow limited client access:

Configure `todrive` to allow uploading of files to the limited user's Google Drive.
```
gam config todrive_user limited@domain.com save
```
If it is not possible to allow the limited user any service account access (this is not common),
perform the following command so that the user can upload files with `todrive` using client access.
```
gam config todrive_clientaccess true save
```
Authorize the desired client access APIs; this will create `oauth2.txt`.
If it is not possible to allow the limited user any service account access,
login as the limited user; you must have assigned Admin API Privileges to the limited user
in the Admin console under Admin roles.
If the limited user will have service account access, login as a Google admin.
```
gam oauth create
```
Perform these steps to allow no client access:

Configure `todrive` to allow uploading of files to the limited user's Google Drive.
```
gam config todrive_user limited@domain.com todrive_clientaccess false save
```
Configure for service account access only.
```
gam config user_service_account_access_only true save
```
Make an `oauth2.txt` file in the `limited` subdirectory with a single line as follows:
```
{}
```
This will prevent the limited user from having any client access.
Perform these steps:

Create a new service account in your project that will be used for the limited user;
this will create `oauth2service.json`.
```
gam add svcacct saname "gam-limited" sadisplayname "GAM Limited"
```
Authorize the desired APIs; this will update `oauth2service.json` with the list of authorized APIs.
Follow the directions to authorize the APIs; remember, you will login to the Admin console as a current
Google administrator.
```
gam user limited@domain.com update serviceaccount
```
If you disable a scope that was previously enabled, all of the remaining APIs will pass. However, you should still go to the Admin console and update the client so that only the APIs you've enabled are authorized.

If the limited user is going to use `todrive`, authorize these APIs:
- Drive API - todrive
- Gmail API - Send Messages - including todrive
- Sheets API - todrive

These APIs are only used to process `todrive`; they do not grant access to other users' files/sheets.

If the limited user is allowed access to other users' files/sheets, authorize these APIs:
- Drive API (supports readonly)
- Sheets API (supports readonly)

If it is not possible to allow the limited user any service account access (this is not common), perform these steps:

Make an `oauth2service.json` file in the `limited` subdirectory with a single line as follows:
```
{}
```
Issue various Gam commands to verify that the limited user has only the desired access.
Repeat previous steps as required. Once testing is complete, perform the following step
to prevent the limited user from creating/updating `oauth2.txt`.

Edit the `client_secrets.json` file in the `limited` subdirectory to have a single line as follows:
```
{}
```
Install GAM on the limited user's computer; it can be a different OS than your computer; if asked by the installer, indicate:
- that you do not want to set up a project
- that you are performing an update

Make the necessary directories.
- Make the GAM configuration directory; this can be different than on your computer.
- Set the GAMCFGDIR environment variable to point to the GAM configuration directory.
- Make a subdirectory `gamcache` under the GAM configuration directory.
- Make a subdirectory `limited` under the GAM configuration directory.

Copy `gam.cfg` from your computer to the GAM configuration directory on the limited user's computer.

Edit `gam.cfg`:
- Remove any sections other than `[DEFAULT]` and `[limited]`
- If the GAM configuration directory on the limited user's computer is different than that on yours, update these values in the `[DEFAULT]` section:
  - `cache_dir`
  - `config_dir`
- You may also want to update the GAM downloads directory:
  - `drive_dir`

Copy `client_secrets.json`, `oauth2.txt` and `oauth2service.json` from the `limited` subdirectory on your computer to the `limited` subdirectory on the limited user's computer.

Issue various Gam commands to verify that the limited user has only the desired access.
If you need to make changes, make them on your computer and then re-copy `client_secrets.json`, `oauth2.txt` and `oauth2service.json` to the limited user's computer.

Once you have finished setting up authorizations for the limited user, you need to reset your `gam.cfg`
to point to your default section or another section.
```
gam select default save
gam select <Section> save
```
In the Admin console, go to Security/Access and Data Control/API Controls/MANAGE THIRD-PARTY APP ACCESS
- Click Download list
- Select Comma-separated values (.csv)
- Click Download
- Click Download CSV
- The CSV file will be named: `owl_apps.csv`
- Remove the rows of apps you want to keep.
- Edit the column Access to UNCONFIGURED for those rows you want to remove.
- Click Bulk update list
- Click Attach CSV file
- Locate `owl_apps.csv`
- Click Upload
- Click Upload
- Click Confirm