This set up is for both a source G Suite account and a Destination G Suite account.
This requires a Super Admin account
Migrating from Google Vault
If you are migrating from Google Vault, billing must be enabled for the Google project being used for the migration. This is necessary to avoid very low Google Vault export quota limits.
To create a service account and obtain the private key for the account
Go to cloud.google.com/console
Click Create Project
Enter a project name and click create:
When you have created your project, click on the options menu in the top left of the page, then 'API Manager', then 'Credentials'. Click on 'New credentials' and then 'Service account key'
Click on the 'hamburger' menu icon (next to "Google Cloud Platform" in the top left of the page), then 'API Manager', then 'Credentials'
Click on 'New credentials', then 'Service account key'
- Next, select 'New service account', name it anything and select 'Project' and then 'Owner' as the role from the dropdown list, finally select P12 as the key type and click 'Create'. Upon clicking 'Create', a P12 file will be downloaded; this is important for later so keep a note of where you downloaded it
Click on 'Manage service accounts' (on the right-hand side), then select your new Service Account, click on the three dots beside, and select Edit
- Add a Project name (it can be anything) and select Save.
- Click Save button as shown below.
Then click View Client ID and you'll see the Client ID and Email address in this screen. You will need the client ID to configure security within GSuite and the email address to configure CloudMigrator:
Click on the three-lines icon again, choose 'API Manager' and in the 'Overview';
- In here we need to turn on a number of API's to allow the tool to connect. These are as follows:
- Admin SDK
- Drive API
- Gmail API
- Calendar API
- Contacts API
- Tasks API (use the search bar in the API Library to find this API)
- Groups Migration API (use the search bar in the API Library to find this API)
- Google Vault API (If you are migrating from Google Vault)
- Google Cloud Storage (if you are Migrating from Google Vault)
- Click on the individual API and then click the blue Enable button. (repeat this process for all the API's needed)
Once all the APIs are enabled in the Cloud Console go to Credentials > Manage Service Account then 'View Client ID'.
This will then show the Client ID of the service account - copy the Client ID to the clipboard and launch the GSuite Admin Console
Service Account and API Propagation Time
Please bear in mind, that having created the service account and enabled the APIs, that you may encounter a propagation time of up-to two hours before they can be used. Until this step has completed API calls to G Suite will fail.
- Go to Security>Show More>Advanced Settings>Manage API client access.
Paste the Client ID in the Client Name field, add the following API scopes and click Authorize.
If 'Source Platform Migration Settings > G Suite > Email Options > Use Limited Scopes' is set to 'True' use the following scopes
If 'Destination Platform Migration Settings > G Suite > Email Options > Use Limited Scopes' is set to 'True' use the following scopes
If 'Use Limited Scopes' is set as 'False' (default) use the below scopes
Migrating from Google Vault?
If you are migrating from Google Vault, please use these API Scopes:
18. Finally, navigate to Security > API Reference > API Access and ensure that 'Enable API Access' is checked.
Service Account and Scopes Propagation Time
Similarly with the Service account and APIs, adding the Client and Scopes in the G Suite console may be subject to a propagation time of up-to two hours.
Check Connections for your G Suite platform in CloudMigrator may not be successful immediately.