What is Google Drive?
Google Drive provides cloud storage for files, where users can access, share, and sync files.
Why Should You Use the Google Drive Connector?
The Google Drive connector provides visibility into cloud storage assets in your environment. You can use this visibility to:
ensure assets are managed per your data loss policies
find vulnerabilities quickly and remediate
How Does This Connector Work?
Lucidum executes read-only requests to the Google Drive REST API and ingests only meta-data about Google Drive assets. Lucidum does not retrieve any data stored on your assets.
Configuring the Connector in Lucidum
JSON Key File
Upload a JSON file that includes the API key for the Google Drive API.
iEmail of an admin account. For example, the email of Google Workspace (G-Suite) admin.
Creating a Service Account, API Key, and JSON File for Lucidum
To create an account for Lucidum to access Google Drive:
Go to the Google Cloud Console and select the project that you want to create the service account in. Or you can create a new project as needed by clicking “NEW PROJECT” at the top:
Enable Cloud APIs
Go to APIs & Services -> Dashboard.
Verify the following APIs are listed in the dashboard. If an API does not appear in the list, click ENABLE APIS AND SERVICES at the top of the page, search for it and click Enable.
Admin SDK API - Required for the basic data fetch.
Cloud Identity API - Required only to fetch Cloud Identity devices.
Drive Activity API, Google Drive API - Required to fetch Google Drive data.
Create a Service Account for Lucidum data connector
Go to IAM & Admin → Service Accounts → CREATE SERVICE ACCOUNT
Fill in the details for Step 1 and click DONE (Step 2 and 3 are optional):
The service account does not require any roles if permissions are asked:
Select the newly created service account, and click Manage details under the Action:
On the “DETAILS” tab, click Show Domain-Wide Delegation:
Select Enable Google Workspace Domain-wide Delegation and click SAVE
On the same “DETAILS” page, copy the “Unique ID”. This is the Client ID to be used later.
Create JSON key for the new service account
Go to KEYS tab → ADD KEY → Select Key type as JSON → Click CREATE
The JSON key will be downloaded automatically. Save this JSON key as it will be used in the Lucidum connector.
Creating the Delegate Email
Go to Google Workspace (https://workspace.google.com/) and click on Admin console. You must be a Workspace Admin to access the console
Under the Google Admin console, go to Security → API Controls → MANAGE DOMAIN WIDE DELEGATION: https://admin.google.com/ac/owl/domainwidedelegation?hl=en
Click “Add new”, specify the Client ID of the service account from the previous section, which can be found from the downloaded JSON file as well. In the OAuth scopes section, specify the required scopes for different Google services, and click “AUTHORIZE”, for example,
The required scopes are listed below:CODE
Provide your Google Workspace’s admin email address to Lucidum (generally, this is the email address used to log into the Google Workspace Admin console in Steps 1-3. It should be different from the service account email address). The service account will then access the Google services by impersonating this user account.
For more details, see https://developers.google.com/identity/protocols/oauth2/service-account#python
The user you create for Lucidum requires the following scopes:
API for Google Drive: https://developers.google.com/drive/api/guides/about-sdk
API for Google Drive Activity: https://developers.google.com/drive/activity/v2