Granting Additional Permissions for Google Service Accounts

  1. Go to the Google Workspace Admin Console: admin.google.com.

  2. Navigate to Security > Access and Data Control > API Controls > Domain-wide Delegation.

  3. Select Add New.

    1. Client ID: copy the client ID from the service account in GCP.

    2. Auth scope: enter the scopes listed in step 5.

  4. Select the relevant service account.

  5. Select Edit, and add the following scopes:

https://www.googleapis.com/auth/cloudplatformorganizations.readonly,
https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.notifications,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/cloud-platform.read-only
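
Because a domain-wide delegation entry applies to every user in the domain, it is worth checking that the scope string saved in the Admin Console matches the list above exactly. The following is an added example, not part of the original page or any vendor tooling: it audits a pasted scope string against that list. The function names and the sample input are assumptions made for illustration.

```python
# Added example: audit a domain-wide delegation scope string against the
# scope list on this page. All function and variable names are hypothetical.
PREFIX = "https://www.googleapis.com/auth/"

# The twelve scopes listed in step 5 of this page.
EXPECTED = {PREFIX + s for s in (
    "cloudplatformorganizations.readonly",
    "admin.directory.customer.readonly",
    "admin.directory.domain.readonly",
    "admin.directory.group.member.readonly",
    "admin.directory.group.readonly",
    "admin.directory.notifications",
    "admin.directory.orgunit.readonly",
    "admin.directory.rolemanagement.readonly",
    "admin.directory.user.readonly",
    "admin.directory.userschema.readonly",
    "admin.reports.audit.readonly",
    "cloud-platform.read-only",
)}

def parse_scopes(raw):
    """Split a comma- or newline-delimited scope string into a set."""
    parts = raw.replace("\n", ",").split(",")
    return {p.strip() for p in parts if p.strip()}

def audit_scopes(raw):
    """Compare the granted scopes with EXPECTED and report each deviation."""
    granted = parse_scopes(raw)
    return {
        "malformed": sorted(s for s in granted if not s.startswith(PREFIX)),
        "missing": sorted(EXPECTED - granted),
        "unexpected": sorted(granted - EXPECTED),
        # Scopes whose name carries no read-only suffix deserve a second look.
        "not_read_only": sorted(
            s for s in granted
            if s.startswith(PREFIX) and not s.endswith((".readonly", ".read-only"))
        ),
    }

# Constructed sample: one expected scope dropped, one broader scope added.
SAMPLE = ",\n".join(sorted(EXPECTED - {PREFIX + "admin.reports.audit.readonly"})
                    + [PREFIX + "admin.directory.user"])

if __name__ == "__main__":
    for finding, scopes in audit_scopes(SAMPLE).items():
        print(finding, scopes)
```

Run against the exact list above, the only finding is `admin.directory.notifications` under `not_read_only`, since it is the one scope in the list whose name carries no read-only suffix.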