This article explains how to create a service account in Google and give it the required permissions to perform the migration. Creating a Google account that has access to all data is a two-step process:

  1. create a service account; then,
  2. give the service account the necessary permissions.

1. Create a service account

Follow this procedure to create the service account used by Cloudiway to migrate Google Apps accounts.

Note: If you’re going to use Cloudiway Identity Management, you need the AdminSDK, Contacts API and Google+ API (AdminSDK and Google+ API are not necessary for migration only).

    • Next, click on Credentials
    • Click on New Credentials and select Service Account key
    • Create a new service account with the name of your choice
    • Select the P12 key type and click on Create
    • Click on Manage Service accounts

    • In the Options column of your service account, click on Edit

    • Check Enable Google Apps Domain-Wide Delegation
    • If Google Apps asks you, enter a Product Name shown to users and click on Save

    • Else, click directly on Save

    • In the Options column, click on the View Client ID link and write down the service account email address and client ID

2. Set Permissions to the service account

  • Go to your Google Apps domain’s control panel: https://admin.google.com
  • Click on “Security”
  • Click on “Advanced Settings”
  • Click on “Manage API Client Access”

Manage Google Feeds for migration

  • In the “Client Name” field, enter the client ID
  • In the “One or More API Scopes” field, enter the following scopes:
    https://apps-apis.google.com/a/feeds/calendar/resource/#readonly,
    https://apps-apis.google.com/a/feeds/user/#readonly,
    https://mail.google.com/,
    https://www.google.com/calendar/feeds/,
    https://www.googleapis.com/auth/calendar,
    https://www.googleapis.com/auth/drive,
    https://www.google.com/m8/feeds/,
    https://www.googleapis.com/auth/tasks,
    https://apps-apis.google.com/a/feeds/migration/,
  • If you are migrating mails to Google, add these feeds:
    https://www.googleapis.com/auth/gmail.labels,
    https://www.googleapis.com/auth/gmail.insert,
  • If you are migrating the Google sites, also add this feed:
    https://sites.google.com/feeds/,
  • If you are using Cloudiway Identity Management, add these feeds:
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.group,
    https://www.googleapis.com/auth/admin.directory.orgunit,
    https://www.googleapis.com/auth/admin.directory.userschema,
    https://apps-apis.google.com/a/feeds/user/,
    https://apps-apis.google.com/a/feeds/groups/,
    https://apps-apis.google.com/a/feeds/policies/,
    https://www.google.com/m8/feeds/,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://apps-apis.google.com/a/feeds/alias/

WARNING: Slashes (“/”) at the end of the scopes are important; enter each scope exactly as shown above. Some of them require a trailing “/”, others do not allow one. Each scope must be separated by a comma (‘,’).

WARNING: If you add another scope later, existing scopes will be removed. You need to add the whole list at the same time.
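Because the whole list has to be entered in one go and a wrong trailing slash breaks a scope, it helps to generate the string rather than type it, and to grant only the optional sets you actually use. The following is an added example, not Cloudiway or Google tooling: the feature labels and function names are assumptions chosen here, while the scope strings are copied verbatim from the lists above.

```python
# Scope lists copied verbatim from the article; trailing slashes are significant.
BASE = [
    "https://apps-apis.google.com/a/feeds/calendar/resource/#readonly",
    "https://apps-apis.google.com/a/feeds/user/#readonly",
    "https://mail.google.com/",
    "https://www.google.com/calendar/feeds/",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/drive",
    "https://www.google.com/m8/feeds/",
    "https://www.googleapis.com/auth/tasks",
    "https://apps-apis.google.com/a/feeds/migration/",
]
OPTIONAL = {  # keys are labels invented for this example
    "mail_to_google": [
        "https://www.googleapis.com/auth/gmail.labels",
        "https://www.googleapis.com/auth/gmail.insert",
    ],
    "sites": ["https://sites.google.com/feeds/"],
    "identity_management": [
        "https://www.googleapis.com/auth/admin.directory.user",
        "https://www.googleapis.com/auth/admin.directory.group",
        "https://www.googleapis.com/auth/admin.directory.orgunit",
        "https://www.googleapis.com/auth/admin.directory.userschema",
        "https://apps-apis.google.com/a/feeds/user/",
        "https://apps-apis.google.com/a/feeds/groups/",
        "https://apps-apis.google.com/a/feeds/policies/",
        "https://www.google.com/m8/feeds/",
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
        "https://apps-apis.google.com/a/feeds/alias/",
    ],
}

def build_scope_string(features=()):
    """Full comma-separated list to paste at once, de-duplicated, order kept."""
    scopes = list(BASE)
    for name in features:
        scopes += OPTIONAL[name]
    return ",".join(dict.fromkeys(scopes))

def audit_granted(granted, features=()):
    """Compare an already-authorized scope string with the expected list."""
    expected = build_scope_string(features).split(",")
    have = [s.strip() for s in granted.split(",") if s.strip()]
    missing = [s for s in expected if s not in have]
    extra = [s for s in have if s not in expected]
    slash = [s for s in extra if s.rstrip("/") in {m.rstrip("/") for m in missing}]
    return {"missing": missing, "slash_mismatch": slash,
            "extra": [s for s in extra if s not in slash]}
```

Entries under `extra` are scopes granted beyond what the selected features need; `slash_mismatch` lists granted scopes that differ from an expected one only by the trailing “/”.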