Running GAM7 securely on a Google Compute Engine
Thanks to Jay Lee for the original version of this document.
GAM7 can run on a Linux or Windows Google Compute Engine (GCE) VM and use the attached service account to access Google Workspace APIs. The advantage of this configuration is that no service account private key is ever created or downloaded: GAM7 obtains access tokens for the attached service account from the VM's metadata server, and the `Service Account Token Creator` grant made below lets Google sign the JWTs GAM7 needs for domain-wide delegation. There is no key file on the VM, so there is no key to be stolen or lost. The trade-off is that any user or process able to reach the VM's metadata server can act as that service account, so control who can log in to, SSH into, or reset the VM as carefully as you would control a key file.

GAM7 version 6.50.00 or higher is required.
- Create a GCP project.
- Create a service account which will be used by GAM7.
  - Enter a value in `Service account name`
  - Enter text in `Service account description`
  - Click `Create and Continue`
  - Click `Continue` under `Grant this service account access to project`
  - Click `Done` under `Grant users access to this service account`
- Grant the service account rights to generate authentication tokens.
  - Go to console.cloud.google.com.
  - Go to `IAM & Admin` > `Service accounts`
  - Click on the service account you created (not the default service account).
  - Copy the email address of your service account to the clipboard.
  - Click on the `Permissions` tab.
  - Click `Grant Access`.
  - In the `New principals` text box, paste the service account email you copied.
  - Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
  - Click `Save`
- Create a Windows or Linux virtual machine.
  - Scroll down and start at `Create a VM and attach the service account`
  - Click `Go to VM instances`
  - Click `Create Instance`
  - Enter a value for `Name`
  - Configure `Manage Tags and Labels`
  - You can choose a region physically close to you, though your choices may be limited if you want to use the free tier.
  - GAM7 can run on the minimal `e2-micro` free tier VM, though performance may suffer. If you perform batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance, downloading reports or Drive file lists may require more RAM.
  - Set `Service account` under `Identity and API access`/`API and identity management`; choose the service account you created above, not the default Compute Engine service account.
  - Select `Set access for each API`
  - Enable `Cloud Platform`
  - GAM7 does not use a significant amount of storage; unless you have specific storage needs, the default disk size should suffice.
  - Leave other VM instance settings at their defaults unless you know what you are doing.
  - Click `Create`
- Install GAM7 on the VM (see How to Install GAM7).
- Log out and log back in to the VM; you should now be able to run GAM7 commands like:
  `gam version`
- Create the special `oauth2service.json` file GAM7 will use:
  `gam create gcpserviceaccount`
  If you'd like, take a look at the generated `oauth2service.json` file; you'll notice that while it has some fields similar to a normal service account key file, there is no `private_key` attribute containing an RSA private key.
- Enable the Google APIs GAM7 will use:
  `gam enable apis`
  You are given the option to enable them automatically or manually. Automatic enablement will ask you to authenticate to GAM7; you should authenticate as a user with rights to manage project APIs, probably a project owner. If you are not the project owner, you can choose manual enablement and GAM7 will provide two or more URLs which you can send to the project owner. When the owner opens these URLs, they'll be prompted to enable all the APIs GAM7 needs.
- Perform admin actions (manage users, groups, orgunits, Chrome devices, etc.)
  - Configure a delegated admin service account (DASA); see Using GAM7 with a delegated admin service account and start at step 4.
- Manage user data
  - Run `gam user user@domain.com check serviceaccount` and follow the instructions to perform domain-wide delegation.
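The console walk-through above, expressed as `gcloud` commands so it can be reviewed and repeated, plus two checks worth running afterwards. This is an added example written for this page, not a script from the GAM project: the project, service account, VM and zone names are placeholders you override through the environment, and by default the script only prints the commands it would run (`DRY_RUN=0` executes them). The caller needs rights to create service accounts, to edit the new account's IAM policy, to create instances, and the `iam.serviceAccounts.actAs` permission on the account in order to attach it to the VM. API enablement is left to the `gam enable apis` step above.

```shell
#!/bin/sh
# Added example, not part of the GAM wiki. Names are placeholders (assumptions);
# override them via the environment. DRY_RUN=1 prints commands, DRY_RUN=0 runs them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gam-project}"
SA_NAME="${SA_NAME:-gam7}"
VM_NAME="${VM_NAME:-gam7-vm}"
ZONE="${ZONE:-us-central1-a}"
MACHINE_TYPE="${MACHINE_TYPE:-e2-micro}"
DRY_RUN="${DRY_RUN:-1}"

# Email address of a user-managed service account in a project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step "Create a service account which will be used by GAM7".
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" \
    --display-name="GAM7" \
    --description="Service account attached to the GAM7 VM"
}

# Step "Grant the service account rights to generate authentication tokens".
# The bindings go on the service account *itself* (its Permissions tab in the
# console), so the VM, acting as that account, can have Google sign JWTs for
# it without any private key ever existing on the VM.
grant_self_token_rights() {
  email=$(sa_email "$SA_NAME" "$PROJECT_ID")
  for role in roles/iam.serviceAccountTokenCreator roles/iam.serviceAccountViewer; do
    run gcloud iam service-accounts add-iam-policy-binding "$email" \
      --project="$PROJECT_ID" \
      --member="serviceAccount:$email" \
      --role="$role"
  done
}

# Step "Create a Windows or Linux virtual machine" (a Linux image here), with
# the GAM7 account attached and only the "Cloud Platform" access scope enabled.
create_vm() {
  run gcloud compute instances create "$VM_NAME" \
    --project="$PROJECT_ID" \
    --zone="$ZONE" \
    --machine-type="$MACHINE_TYPE" \
    --service-account="$(sa_email "$SA_NAME" "$PROJECT_ID")" \
    --scopes=https://www.googleapis.com/auth/cloud-platform
}

# Check 1, run *inside* the VM after logging in: the metadata server must
# report the GAM7 account, not the project's default Compute Engine account.
check_attached_sa() {
  expected=$(sa_email "$SA_NAME" "$PROJECT_ID")
  actual=$(curl -s -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email)
  [ "$actual" = "$expected" ]
}

# Check 2: the oauth2service.json written by "gam create gcpserviceaccount"
# must not carry a private_key attribute; a file that does was not created by
# this procedure and should be treated as a leaked key.
file_has_private_key() {
  grep -q '"private_key"' "$1"
}

create_service_account
grant_self_token_rights
create_vm
```

Run the script once with the defaults to read the exact commands, then with `DRY_RUN=0` from a workstation that is already authenticated to `gcloud`. After installing GAM7 on the VM, `check_attached_sa` confirms the instance is really using the GAM7 account, and `file_has_private_key ~/.gam/oauth2service.json` (the path is an assumption; use wherever your GAM configuration lives) should return non-zero.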
Need more help? Ask on the GAM Discussion Group