This is a guide to onboard a school on to the GC Service.Who can access those websites and set up the Service Account?
Only the school’s IT Admin user can set up those accounts and utilize the right permissions using the school’s email’s Suite domain account.
GC Service is a background data pipeline service between Google Classroom and Firefly Systems. The GC uses service-to-service authentication, to authenticate with Google Classroom using Google Service Accounts and Google OAuth.
School IT administrators, will need to follow the two steps as listed below.
Setting up Google Workspace accounts
- IT School Administrators will need to set up Google Workspace accounts. This is required for using the Google Classroom system. This is a prerequisite step for Step 2 below.
Setting up Google Service accounts
- IT school Administrators will need to create Google Service Accounts using their Google Workspace accounts.
How to Set up Google Service Accounts
Who can access these websites and set up the Service Account?
Only the school’s IT Admin user can set up those accounts and utilise the right permissions using the school’s email domain account.
The IT Admin needs to access https://console.cloud.google.com/ with their Google Workspace domain email.
Click on the Navigation Menu as shown in the image to the right.
Click on the IAM & Admin then select Service Accounts
In the Service Accounts panel, click on CREATE SERVICE ACCOUNT
In Create Service Account panel, the user will need to:
- CREATE Service Account Details
- Enter a display name for the account
- The Service account ID will be created from the display name
- Optionally enter a description for the account
- Grant this service account access to the project (Optional)
- Click next on this step
- Grant users’ access to this service account (Optional)
- Click next on this step
The service account will appear in the Service accounts table. We now need to edit the Service Account.
The user needs to specify Service Account details.
- Expand SHOW DOMAIN-WIDE DELEGATION and click Enable G Suite Domain-wide Delegation
- In the Keys section, click ADD KEY
- Create new key then choose JSON and click Create. This will generate a JSON file that needs to be shared with Firefly.
- Click SAVE
In the Navigations Menu, go to IAM
You should be able to see your email as a member. You will need to edit permissions and assign the role of Service Account User and Owner. This is also very important.
If the APIs and Services are not enabled we need to enable them.
To do this click into the menu in the top left and select APIs and Services, then Dashboard and click Enable APIs and Services
Search for Google Classroom API and click enable
The JSON file has some very important information that we can use to specify permissions for Google Classroom.
One of the fields is the Client_id. We will use Client_id in the next steps.
Here is an example of the JSON file:
"private_key": "-----BEGIN PRIVATE KEY-----\n SOME KEY PRIVATE KEY-----\n",
"client_email": "[email protected]",
"auth_uri": " ",
"token_uri": " ",
"auth_provider_x509_cert_url": " ",
"client_x509_cert_url": " "
We need to use the ClientID and specify permissions.
For that please go to https://admin.google.com/
Click on SECURITY and select API Controls
Click on Manage Domain-Wide Delegation
This is the section where we control permissions for the Google classroom. You will need to Authorise your ClientID (you can find it in the JSON file).
Then input the following scopes (comma-delimited) in the “OAuth Scopes” text area and then click AUTHORISE
Once the above steps have been completed the json file needs to be sent to Firefly along with the email address from a super admin account.
We would recommend creating a new account for this integration but it must have the super admin role.
(Note this email is different from the one on the service account)