que: What steps have to be performed on Google Side?

[goosefraba]

Hey I set up AWS SSO with all the regular actions done on Google Workspace.

But when launching this app from the Serverless Application Repository, I have to enter the file contents for the service account credentails from Google.
This part in particular would be nice to be documented.

Eventhough I set up a service account and downloaded the keys as json. I get an authentication error in the lambda functio then.

Please help

[Parent5446]

Other than creating the account, the main other thing you need to do is enable the Admin API, and then to set up domain-wide delegation using the steps here: https://developers.google.com/admin-sdk/directory/v1/guides/delegation

When setting up delegation, here are the scopes you need to enable:

idp-scim-sync/cmd/idpscim/cmd/root.go

Lines 241 to 243 in 5eec83f

	"https://www.googleapis.com/auth/admin.directory.group.readonly",
	"https://www.googleapis.com/auth/admin.directory.group.member.readonly",
	"https://www.googleapis.com/auth/admin.directory.user.readonly",

[christiangda]

thank you @Parent5446 for your answer and @goosefraba I will create better documentation explaining it very well.

[obscurerichard]

I've had success following the steps described in https://github.com/awslabs/ssosync#google to get the Google service account set up required for this project. It can take a while (think 10-15 minutes) after setting things up on the Google side before the API is really ready to use with the service account credentials.