Google Cloud Service Account Setup for uploading Devices to Google Workspace

Updated over a week ago

Purpose: Configure a Google Cloud service account with domain-wide delegation for Swif to upload company‑owned devices into Google Workspace Device Management, enabling daily inventory sync for compliance reporting.

Overview

This guide walks Google Workspace super admins and Swif org admins through creating a Google Cloud service account, enabling required APIs, granting domain-wide delegation, and providing Swif with the credentials needed to programmatically upload company‑owned devices. The integration is designed for compliance use cases similar to Vanta/Drata device attestations and supports idempotent uploads.

What this integration does:

  • Allows the Swif backend to call Google Admin/Cloud Identity device endpoints using a service account with domain-wide delegation.

  • Uploads devices (e.g., with serial number) into Google Workspace > Mobile & endpoints > Company owned devices.

  • Per Google behavior, owner assignment and overwrites are not supported at upload time; existing serials may return HTTP 409 (treated as success).

Prerequisites

  • Google Workspace Super Admin account (to grant domain-wide delegation and Admin API scopes).

  • Google Cloud project where the service account will live (billing not typically required for Admin SDK/Cloud Identity APIs).

  • Swif org admin access to Settings > Integrations to upload the key and delegated admin email.

Step 1 — Find or Create a Google Cloud service account

  1. In Google Cloud Console, open IAM & Admin > Service Accounts:

    1. Look for the service account email obtained by BE for the private project.

    2. If it doesn't exist, click Create Service Account.

  2. Name it clearly (for example, "Swif Device Sync SA"). Optionally add a description referencing your Swif organization.

  3. On the "Grant this service account access" step, you can skip roles for now (the service will act via domain-wide delegation against Admin APIs).

Best practice: Create a dedicated project first just for Swif integrations to keep audit trails and keys isolated.

Step 2 — Create and download a JSON key

  1. In the Service Accounts list, open the newly created account, go to Keys > Add key > Create new key > JSON.

  2. Download and store the JSON file securely. You will upload this file in Swif later as serviceAccountKeyJson.json.

Treat the JSON as a secret. Rotate if exposed. Limit who can access it.

Step 3 — Enable required Google APIs

From Google Cloud Console > APIs & Services > Library, enable:

  • Admin SDK API (admin.googleapis.com) — for Admin Directory and device operations.

  • Cloud Identity API (cloudidentity.googleapis.com) — certain device-related resources may require this.

Step 4 — Grant domain‑wide delegation to the service account

  1. Open the service account details in Google Cloud. In the "Details" tab, edit and check "Enable Google Workspace Domain-wide Delegation". Save. Note the Client ID shown on the page.

  2. In Google Admin Console (admin.google.com), go to Security > Access and data control > API controls > Domain-wide delegation > Manage domain-wide delegation.

  3. Click Add new and enter the Client ID from the service account.

  4. Add the following OAuth scopes (comma-separated):

Scope notes:

  • cloudidentity.googleapis.com for provisioning and managing identity resources.

  • admin.directory.device.readwrite covers broad device directory write access required for uploads.

  • admin.directory.device.mobile and admin.directory.device.chromeos are included to ensure compatibility across Google’s device resources and SKUs.

Step 5 — Choose a Google Workspace Admin (impersonation) account

Swif will impersonate a Google Workspace Admin user when performing API calls via the service account. Select or create an Admin service user and record its primary email as delegatedAdminEmail for the Swif configuration (Step 6).

The delegated admin must retain Admin privileges to upload devices; losing them will break the integration. The admin email is used only to call the Google Cloud APIs from Step 4 to upload devices. Swif doesn't have permission to operate on your Google Workspace.

Step 6 — Configure the integration in Swif

  1. In Swif, navigate to Settings > Integrations and select "Google Workspace – Device Inventory" (or "Google Workspace Device Sync").

  2. Upload the JSON key file as serviceAccountKeyJson.

  3. Enter the delegatedAdminEmail (the Super Admin to impersonate).

  4. Confirm the OAuth scopes displayed match the list in Step 4 (they may be read-only UI). Save the configuration.

After saving, run "Sync now" to verify connectivity. The history panel should display counts for attempted, succeeded, conflicted (409), and failed uploads.

Where devices appear in Google Admin

  • Google Admin Console > Menu > Devices > Mobile & endpoints > Company owned devices.

  • Google does not allow overwriting existing uploaded records nor assigning owners during upload. Duplicate serials typically return HTTP 409; Swif treats these as idempotent success.
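
How the 409 handling plays out across repeated syncs, as an added sketch (not Swif's implementation): a constructed in-memory stand-in for the device endpoint rejects serials it already holds, and the tally uses the same four counters the history panel shows. FakeDirectory, sync, the serial values, and the 403 used for a failed upload are all hypothetical.

```python
class FakeDirectory:
    """Constructed stand-in for the device endpoint: 409 on a serial it already holds."""

    def __init__(self, deny=()):
        self.serials = set()
        self.deny = set(deny)  # serials that simulate a permission failure

    def upload(self, serial):
        if serial in self.deny:
            return 403
        if serial in self.serials:
            return 409
        self.serials.add(serial)
        return 200


def sync(upload, serials):
    """Upload each serial and tally results under the history panel's counter names."""
    counts = {"attempted": 0, "succeeded": 0, "conflicted": 0, "failed": 0}
    failures = []
    for serial in serials:
        counts["attempted"] += 1
        status = upload(serial)
        if 200 <= status < 300:
            counts["succeeded"] += 1
        elif status == 409:
            counts["conflicted"] += 1  # already uploaded: idempotent success
        else:
            counts["failed"] += 1
            failures.append((serial, status))
    healthy = counts["failed"] == 0  # conflicts alone do not make a sync unhealthy
    return counts, failures, healthy


if __name__ == "__main__":
    directory = FakeDirectory(deny={"SN-DENY"})
    print(sync(directory.upload, ["SN-A", "SN-B", "SN-A"]))  # first run
    print(sync(directory.upload, ["SN-A", "SN-B"]))          # rerun: all conflicts
    print(sync(directory.upload, ["SN-DENY"]))               # a real failure
```

For monitoring, the counter to alert on is failed; a rerun that reports only conflicts means the inventory was already in place.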

Troubleshooting

  • Missing/invalid JSON key: Re-upload a valid service account JSON and confirm the key is active (not disabled) in Google Cloud.

  • Insufficient permissions or not a Super Admin: Verify the delegatedAdminEmail is a current Super Admin and domain‑wide delegation is configured with the scopes in Step 4.

  • APIs not enabled: Ensure Admin SDK API and Cloud Identity API are enabled in the service account’s project.

  • Unsupported Google SKU: Some SKUs may not expose device upload features. Confirm your Workspace/Cloud Identity edition supports company‑owned device features.

Operational runbook

Action: Rotate service account key

How to perform:

  • Create a new JSON key in Google Cloud > Service Accounts > Keys.

  • Upload new key in Swif; remove old key from Google Cloud.

Expected result: Swif continues to sync; old key no longer valid.

Action: Change delegated admin

How to perform:

  • Promote a new Admin user in Google Admin.

  • Update delegatedAdminEmail in Swif integration settings.

Expected result: API calls impersonate the new Google Workspace Admin successfully.

Action: Validate sync health

How to perform:

  • Use "Sync now" in Swif and check sync history metrics.

  • Verify devices appear under Company owned devices in Admin Console.

Expected result: Counts populate; 409 conflicts acceptable for already-uploaded serials.
