top of page
Search

Pulling Google Workspace Logs via API

  • 28 minutes ago
  • 4 min read
Let me be honest upfront: this setup looks scary the first time you see it.

Google makes you jump back and forth between Google Cloud Console and Google Workspace Admin, and it feels like you’re doing something wrong the entire time. You’re not. That’s just how Google designed it.


Once you understand the full flow, everything suddenly clicks.


This walkthrough assumes:

  • You are a Google Workspace Super Admin

  • You want to collect audit / activity logs using the Admin SDK – Reports API


------------------------------------------------------------------------------------------------------------

Big picture first (so you don’t get lost)

You will work in two places:

  1. Google Cloud Console

    • Create a project

    • Enable APIs

    • Create a service account

  2. Google Workspace Admin Console

    • Trust that service account using domain-wide delegation


Google Workspace itself does not have service accounts. That’s why Google Cloud is involved at all. We’re basically borrowing Google Cloud’s identity system to talk to Workspace.

-----------------------------------------------------------------------------------------------------------


Step 1: Create a Google Cloud Project (same org as Workspace)

  1. Click the project dropdown in the top bar

  2. Select New Project

  3. Set:

    • Project name: workspace-log-collection

    • Organization: must be the same org as your Workspace tenant

  4. Click Create

That’s it.

Important thing to understand: you are not deploying servers, VMs, or storage. This project is just a container to hold APIs and a service account.



Step 2: Enable the required APIs (this is mandatory)

Google locks everything by default, so we have to explicitly enable what we need.

Inside your new project:

  1. Go to APIs & Services → Library

  2. Search for and enable:

    • Admin SDK API (this is the key one)


Optional (only if you plan to query these later):

  • Google Drive API

  • Gmail API

  • Calendar API

For audit and activity logs, Admin SDK alone is enough.

If this API is not enabled, your script will fail even if every permission looks perfect.



Step 3: Configure OAuth Consent Screen (yes, even for service accounts)

This step confuses almost everyone.

Even though we’re using a service account, Google still requires an OAuth consent screen to exist.

  1. Go to APIs & Services → OAuth consent screen

  2. Choose Internal

    • You only see this option because the project is under a Workspace org

  3. Fill in the basics:

    • App name: Workspace Log Collector

    • User support email: your admin email

    • Developer contact email: your admin email

  4. Click Save and Continue

  5. On the Scopes page → just click Save and Continue

  6. Finish

You do not need to publish the app externally.

Think of this as telling Google: “Yes, this project is allowed to request Workspace APIs.”



Step 4: Create the Service Account

Now we create the identity that will actually pull logs.

  1. Go to IAM & Admin → Service Accounts

  2. Click Create Service Account

  3. Set:

    • Name: workspace-log-reader

  4. Click Create and Continue

  5. Skip role assignment (no GCP roles required)

  6. Click Done

At this point, the service account exists—but it can’t do anything yet.


Step 5: Enable Domain-Wide Delegation (critical step)

This is where most people miss a checkbox and everything breaks.

  1. Click the service account you just created

  2. Open the Details tab

  3. Click Show domain-wide delegation

  4. Check Enable Google Workspace Domain-wide Delegation

  5. Save


Now copy the Client ID. You’ll need it immediately.

This setting allows the service account to act on behalf of users in your domain—but only for scopes you explicitly allow.



Step 6: Trust the Service Account in Google Workspace

Now we jump back to Workspace.

  1. Go to Google Admin Console 👉 https://admin.google.com

  2. Navigate to: Security → API controls → Domain-wide delegation

  3. Click Add new

  4. Enter:

    • Client ID: (from the service account)

    • OAuth scopes:

  1. Click Authorize


This is the trust handshake between Workspace and Google Cloud. Without this step, every API call will be denied.


Step 7: Create and download a Service Account key

You’ll need credentials for your script or tool.

  1. Go back to Google Cloud Console → Service Accounts

  2. Select your service account

  3. Open Keys → Add key → Create new key

  4. Choose JSON

  5. Download the file

⚠️ This JSON file is effectively a password. Store it securely.


Step 8: Using the Service Account to pull logs

When you actually query the Admin SDK API:

  • Authenticate using the JSON key

  • Enable domain-wide delegation

  • Impersonate a Workspace admin user (very important)


Example conceptually:

Logs belong to the domain, not the service account, which is why impersonation is required.


-----------------------------------------------------------------------------------------------------------

Why investigators like this method

Once this is set up, you can:

  • Pull all Workspace logs in JSON

  • Avoid UI export limits

  • Build repeatable, defensible evidence collection

  • Feed logs directly into SIEMs, timelines, or DFIR tooling

-----------------------------------------------------------------------------------------------------------


Final thought

Yes, the setup feels painful the first time.

But once it’s done, you’ve essentially built a forensic-grade log pipeline for Google Workspace—and that’s incredibly powerful during incident response.

After the first run, most analysts say the same thing:

“Oh… that actually wasn’t that bad.”

------------------------------------------------------------Dean----------------------------------------


 
 
 

Comments

bottom of page