Notes for Administrators on Google Vault Integration

New
  • Published on Feb 27, 2026
  • 1 minute(s) read
Prev Next

Overview

This document provides administrators with step-by-step instructions to create a Google Workspace service account and Google Vault API key for Reveal Hold automated preservations.

1. Create a Google Cloud Project

  1. Go to https://console.cloud.google.com.

  2. Click the New Project dropdown.

  3. Enter your project name, organization, and location.

  4. Click Create.

2. Enable Required APIs

Within the new project:

  1. Go to Menu > APIs & Services > Library.

  2. Enable the following:

    • Gmail API

    • Google Drive API

    • Admin SDK

    • Google Vault API

3. Create Service Account

  1. Go to Menu > APIs & Services > Credentials.

  2. Click Create Credentials then go to Service Account.

  3. Enter your Name and ID and click on Create & Continue.

  4. Assign roles:

    1. Project > Viewer

    2. Storage Object Viewer

  5. Finish and open Manage Service Accounts.

  6. Click on Add Key.

  7. Create the new JSON key and store it securely.

4. Collect Client ID

Go to Service account > Details > Copy the Unique ID (Client ID).

5. Delegate Domain-Wide Authority

In Google Admin Console:

  1. Go to Security → API Controls → Manage Domain Wide Delegation.

  2. Click Add new.

  3. Enter Client ID.

  4. Add OAuth scopes (comma-separated):

    • https://www.googleapis.com/auth/admin.directory.group,

      https://www.googleapis.com/auth/admin.directory.user,

      https://www.googleapis.com/auth/admin.reports.audit.readonly,

      https://www.googleapis.com/auth/admin.reports.usage.readonly,

      https://www.googleapis.com/auth/drive.readonly,

      https://www.googleapis.com/auth/gmail.readonly,

      https://www.googleapis.com/auth/userinfo.email,

      https://www.googleapis.com/auth/userinfo.profile,

      https://www.googleapis.com/auth/ediscovery,

      https://www.googleapis.com/auth/devstorage.read_only

6. Assign Roles to Non-Super Admin Accounts

If not using a Super Admin:

  1. Create a user (e.g., onna-service@domain.com).

  2. In the Admin Console click on Roles > Create new role.

  3. Assign these Vault privileges:

    • Manage Matters

    • Manage Holds

    • Manage Exports

    • Manage Searches

  4. Under Admin API Privileges click on Reports.

  5. Assign users to the new role.

  6. Assign the following built-in roles:

    • User Management Admin

    • Services Admin

    • Groups Reader

7. Create Google Vault API Key

Google API Keys are created in Google Cloud. To do so, follow these instructions:

  1. Go to APIs & Services > Credentials.

  2. Click on Create Credentials > API Key.

  3. Copy the generated key.

  4. Restrict API key to Vault API only via API restrictions (optional but recommended.)

  5. Provide this API key securely to Reveal Hold integration setup.

8. Reveal Hold Integration Notes

Use the Service Account details and Vault API key during Reveal Hold Google Vault connection setup.

Related articles
Footer Design