OpenAI

Google Workspace - Admin-Managed Setup

Updated: 16 days ago

To connect your Google Workspace to ChatGPT using admin-managed setup, you'll first configure access in Google’s admin consoles:

  • Create a service account with read-only access to Google Drive, users, and groups.

    • This service account is strongly recommended to be created under the same Google account that is associated with your ChatGPT Workspace. If the accounts in the ChatGPT workspace have a different email domain than that used in Google Workspace, there are additional steps you have to follow to enable this connector for your users.

  • Create an admin account that the service account will act on behalf of.

Then, complete the setup in the ChatGPT admin console:

  • Upload the service account’s private key (a JSON file from Google)

  • Specify the admin account (no credentials required).

  • Select which files to sync and choose the users who will have access to the connection.

This guide walks through each of these 6 steps.

Setting up a Service Account

  1. Navigate to console.cloud.google.com.

  2. Click on the projects dropdown.ImageEnsure you are logged into the same Google workspace as the one associated with your ChatGPT workspace (if you do not have a Google workspace associated with your ChatGPT workspace and have different emails between the two, you will have to follow additional steps, otherwise your users may not be able to use Google Drive synced connectors).

  3. Choose New Project

    Google Cloud Select a resource dialog with dolores-lab.com organization selected

  4. Input a Project Name

    Google Cloud New Project form with organization dolores-lab.com selected and Create button available

  5. Create the project

    Google Cloud New Project form with ChatGPT Google Connector entered under the dolores-lab.com organization

  6. Wait until the project has been created, then click on Select Project

    Google Cloud notifications confirm creation of the ChatGPT Google Connector project for dolores-lab.com

  7. Click on APIs & Services

    Image

  8. Click on Library

    Image

  9. We’re now going to add three APIs, using the search box to find them

    Google Cloud API Library page with the ChatGPT Google Connector project selected

  10. Search for and choose Google Drive API

    Google Cloud API Library search results for Google Drive API in the ChatGPT Google Connector project

  11. Click Enable

    Google Cloud Console Google Drive API page with the Enable button for the ChatGPT Google Connector project

  12. Click on Library

    Google Drive API details page with the API enabled and Create Credentials available

  13. Search for Google Drive Activity

    Google Cloud API Library open for the ChatGPT Google Connector project

  14. Choose Google Drive Activity API

    Google Cloud API Library search results for Google Drive Activity API

  15. Click Enable

    Image

  16. Click on Library

    Google Cloud Console Drive Activity API details page with the API enabled and Create credentials available

  17. Search for Admin SDK API

    Google Cloud API Library page for the ChatGPT Google Connector project

  18. Choose Admin SDK API

    Google Cloud API Library search results for Admin SDK API with Admin SDK API listed

  19. Click Enable

    Google Cloud Admin SDK API page with the Enable button for the ChatGPT Google Connector project

  20. Click on Credentials

    Google Cloud Admin SDK API details page with the API enabled and Create credentials button available

  21. Click on Create Credentials

    Google Cloud APIs & Services Credentials page with Configure consent screen button

  22. Click on Service account

    Google Cloud Credentials page with Create credentials menu open for API key, OAuth client ID, or service account

  23. Provide a name and description of your choice for this service account

    Google Cloud Create service account page with Service Accounts selected and service account details fields

  24. (Optional) You can assign a role - this is not required by ChatGPT.

    Google Cloud Create service account page with optional IAM role step and Service account created confirmation

  25. (Optional) You can grant access to the service account - this is not required by ChatGPT.

    Google Cloud Create service account step 3 with Done button and Service account created confirmation

  26. Click Done.

    Create service account step 3 in Google Cloud with Done button and Service account created confirmation

  27. Click on the service account which has now been created.

    Google Cloud Credentials page listing the newly created ChatGPT Google Connector service account

  28. Click on keys.

    Google Cloud IAM service account details for ChatGPT Google Connector, enabled after creation

  29. Click on Add Key

    Image

  30. Click on Create new key

    Google Cloud service account Keys tab with Add key menu open to create or upload a key

  31. Keep the default JSON key type and click Create
    If you see an error message that says “Service account key creation is disabled” follow these steps to enable creation.

    Create private key dialog for ChatGPT Google Connector with JSON key type selected

  32. Click Close. The key has now been downloaded to your computer. You will later upload this to the ChatGPT admin console.

    Google Cloud service account Keys tab with confirmation that a private key JSON file was saved to the computer

  33. Click on details

    Google Cloud service account Keys tab for ChatGPT Google Connector with Add Key button

  34. Note that the Unique ID. This will be needed in Step 42.

    Google Cloud service account details for ChatGPT Google Connector with status Enabled

  35. Expand Advanced settings

    Google Cloud service account details for ChatGPT Google Connector with the account enabled

  36. Scroll down and click on View Google Workspace Admin Console. The Google Workspace console will open in a new tab.

    Image

  37. Click Show more

    Google Workspace Admin console home page for dolores-lab.com

  38. Expand the Security section

    Image

  39. Expand the Access and data controls section

    Google Workspace Admin console home with Security section expanded in the left navigation

  40. Click on the API controls section

    Google Workspace Admin console home with Security > Access and data control expanded in the sidebar

  41. Click on Manage Domain Wide Delegation

    Google Admin console API controls page under Security > Access and data control

  42. Click on Add new

    Google Admin Domain-wide Delegation page with API clients list and Add new option

  43. Use the Unique ID previously noted as the value for this Client ID

    Google Admin Domain-wide Delegation dialog for adding a new client ID and OAuth scopes

  44. For the OAuth scopes, refer to the following comma de-limited auth scopes values that you'll need to copy and paste:

https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user.alias.readonly, https://www.googleapis.com/auth/drive.activity.readonly, https://www.googleapis.com/auth/drive.metadata.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email
ScopeReasoning
admin.directory.group.readonlyenforce group-based permissions
admin.directory.group.member.readonlyenforce group-based permissions
admin.directory.user.alias.readonlyhandle cases where the user is granted permission via an alias
drive.activity.readonlyto be notified when changes occur to files
drive.metadata.readonlysync file content and associated metadata (ex. last modified date)
drive.readonlysync file content and associated metadata (ex. last modified date)
userinfo.profiledetermine the users for whom we’re syncing files
userinfo.emaildetermine the users for whom we’re syncing files
Google Admin Domain-wide Delegation dialog for adding a new client ID and OAuth scopes

45. Click Authorize

Image

46. Success!

Image

Setting up the Admin Account

  1. Expand Directory

    Google Admin Domain-wide Delegation page with a ChatGPT API client and scopes listed

  2. Click on Users

    Google Admin domain-wide delegation page listing a ChatGPT Google Connector API client and scopes
    Google Admin console Users page listing workspace accounts for setup and management

  3. Provide a first name, last name, and primary email address of your choosing

    Google Admin console Add new user form for creating a Workspace user at dolores-lab.com

  4. Click Add new user

    Google Admin console Add new user form filled for a ChatGPT Connector account

  5. (Optional) Record these credentials. ChatGPT does not need these credentials.

    Google Admin Console New user added page for ChatGPT Connector with Copy Password and Done actions

  6. Click Done.

    Google Admin console Copy password dialog for a newly created user account

  7. Click on the account you just created. If it does not appear in the list, refresh the page or clear your cache and cookies and try again.

    Google Admin console Users page listing accounts including ChatGPT Connector

  8. Click on assign roles.

    Google Admin user details page for the ChatGPT Connector service account

  9. Toggle on the Groups Reader, User Management Admin, and Storage Admin roles.

    Google Admin ChatGPT Connector user page with Admin roles and privileges open and no roles assigned

  10. Scroll down and click Save. The admin account has now been successfully created and configured.

Image

Completing setup on the ChatGPT Admin Console

  1. Navigate to ChatGPT and click on the profile icon on the upper right corner of the page.

    Image

  2. Click on Manage workspace

    ChatGPT workspace menu with Manage workspace selected under the organization switcher

  3. Click on Connections and then under ‘Synced connectors’Enable Sync

    Connectors page with Google Drive sync prompt and Enable Sync button highlighted

  4. Ensure Admin-managed is selected and click on Next

    Google Drive connection setup with Admin-managed setup selected over Self-service setup

  5. Type in a display name. We recommend using the name of your Google Workspace.
    Please note that we currently do not support changing the name of your connection.

    Google Workspace connector setup dialog with display name Dolores Labs entered

  6. Click Save Draft and Continue

  7. Click Upload key. Choose the JSON file, which is the key you downloaded as part of setting up the service account above. Ensure this key is accurate

    Google Workspace connection setup step prompting upload of a service account key and admin email address

  8. Type in the admin email address. This is the admin account you created previously.

    Image

  9. Click Save.

    ChatGPT Connections credentials dialog with service account key and Google Workspace admin email entered

  10. Choose whether you want the files in all of your users’ My Drives to be included.

    ChatGPT Connections modal for User files with Include user My Drives enabled at step 2 of 5

  11. Click Next

    ChatGPT admin Connections modal for User files with Include user My Drives enabled in step 2 of 5

  12. Choose how to manage shared drives. We support the following three scenarios:

    1. If you want to include all shared drives, then choose Include by default and do not add shared drive IDs to be excluded

    2. If you want to include most shared drives, then choose Include by default and add the IDs for the shared drives you want excluded

    3. If you want to exclude most shared drives, then choose Exclude by default and add the IDs for the shared drives you want included

    ChatGPT admin Shared drives setup with Include by default selected and an Excluded Shared drives field

  13. To look up the ID for a shared drive, navigate to it in a web browser. The last portion of the URL is the shared drive ID.
    In the following example, it is `0ADvY03uUbEcQUk9PVA`'

    Google Drive shared drive with Manage members visible for Example Shared Drive

  14. Click Next

    ChatGPT admin Connections modal for Shared drives with Include by default selected at step 3 of 5

  15. Choose who should have access to the Google Drive connection. You can either select Admins of the ChatGPT workspace only, or enable it for everyone. If enabled for everyone, new users added to the workspace will automatically be included.

    Google Drive connector permission set to Admins only for workspace members

  16. Click Start syncing

    Image

  17. Your Google Drive connection has now been successfully created!
    Please note that, while it will start syncing immediately, it can take hours to days to complete depending on how many files were included based on your settings.
    Once files added/edited in the past 30 days have finished syncing, the connector will become available to the users you enabled it for.

    Image

Enabling service account key creation

If you receive the following error, you will need to enable service account creation for this specific project:

> The organization policy constraint ‘iam.disableServiceAccountKeyCreation’ is enforced on your organization.

Google Cloud service account Keys tab with error that service account key creation is disabled

  1. Open up a new tab and navigate to console.cloud.google.com. Make sure the selected project is the one you’ve already selected.
    Click on the menu icon in the upper left corner.

    Google Cloud Console welcome page for the ChatGPT Google Connector project

  2. Hover over IAM & Admin

    Google Cloud Console navigation with IAM & Admin open and Organization Policies selected

  3. Click on Organizational Policies

    Google Cloud Console IAM & Admin menu opened to Organization Policies

  4. Search for iam.disableServiceAccountKeyCreation

    Google Cloud organization policies for the ChatGPT Google Connector project

  5. Click on the result for constraints/iam.disableServiceAccountKeyCreation

    Image

  6. Click on the … for the row with the ID of iam.disableServiceAccountKeyCreation

    Organization policies filtered to Disable service account key creation for the ChatGPT Google Connector project

  7. Click on Edit policy. If Edit policy is disabled, you’ll need to become an Organization Policy Administrator.

    Google Cloud Organization Policies filtered to Disable service account key creation with Edit policy menu open

  8. Click on Override parent’s policy

    Image

  9. Click on Add a rule

    Edit policy page for Disable service account key creation with Override parent's policy selected

  10. Click on Set Policy

    Google Cloud Edit policy page with Override parent's policy selected and enforcement set to Off

  11. You can now create a service account key. This enablement may take several minutes to take effect.

Google Cloud policy details with Disable service account key creation set to Not enforced

Becoming an Organization Policy Administrator

  1. Navigate to console.cloud.google.com and click on the project/organization selector

    Google Cloud welcome page for the ChatGPT Google Connector project

  2. Click on your organization

    Image

  3. Click on the menu icon in the upper-left corner

    Image

  4. Hover over IAM & Admin

    Google Cloud console navigation menu open with Google Cloud Setup pinned

  5. Click on IAM

    Image

  6. Click on the pencil for your account

    Google Cloud IAM page for dolores-lab.com showing organization permissions and the Grant Access action

  7. Click on Add Another Role

    Google Cloud IAM dialog assigning the Organization Administrator role for dolores-lab.com

  8. Search for Organization Policy Administrator

    Google Cloud IAM edit access dialog assigning the Organization Administrator role to a user

  9. Click on Organization Policy Administrator

    Google Cloud IAM role picker with Organization Policy Administrator selected while editing access

  10. Click Save

    Google Cloud IAM access editor assigning Organization Administrator and Organization Policy Administrator roles

  11. Your account now has permission to enable service account key creation. This may take several minutes to take effect.

Using a Google Email Alias to Maintain Different Email Accounts for Google Workspace and ChatGPT

If you're an admin connecting Google Workspace to your ChatGPT workspace using the admin-managed setup for Google Drive synced connectors, and your organization uses different email domains for ChatGPT and Google Workspace, you’ll need to take additional steps to ensure users can successfully access Google Drive synced connectors.

Recommendation: Whenever possible, use the same primary email addresses for both Google Workspace and ChatGPT accounts.

If this isn’t feasible, follow the instructions below to configure a Google Workspace email alias that matches the ChatGPT sign-in email.

Steps to Add a Google Workspace Alias

Follow these steps in the Google Admin Console to ensure each user's ChatGPT email can be linked to their Google Workspace account:

  1. Go to the Admin Console. Navigate to: Directory > Users

Image

2. Select a User, then “ADD ALTERNATIVE EMAILS”.

Google Admin user details page with Add alternate emails action highlighted

3. Add an Alternative Email. Ensure it corresponds to the user’s ChatGPT account.

Google Workspace Admin alternate email alias form with alias-testing-alt-email on bytesheaven.com

4. Select Save

Known Limitations

Personal email addresses are not supported

Users who register for ChatGPT using personal addresses (e.g., example@gmail.com) cannot connect to Google Workspace. This setup is unsupported and presents a security risk, as it enables access to internal data from outside the organization.

Gmail "+" aliases are not supported

Gmail allows users to create aliases by appending a "+" to their address (e.g., user+alias@gmail.com). This type of aliasing does not work with Google Drive synced connectors. The alias must be explicitly configured in Google Workspace.

Common Error Message

If email addresses are not properly linked, users may encounter this message: "We were unable to connect your account to Google Drive. Click to learn more."

If users receive this message, review the steps in this document and ensure they are followed accurately. If additional assistance is needed, please contact our support team.

Was this article helpful?