Google Alert Center Integration via API

For this integration to work properly, some configuration steps must be completed on both Google Cloud Console and Google Workspace Admin Console. According to Google’s official documentation, the Alert Center API works with the service account + domain-wide delegation model, and the required OAuth scope is https://www.googleapis.com/auth/apps.alerts.  

1) Create a new project in Google Cloud

First, create a dedicated project in Google Cloud Console for this integration.
Using a separate project is recommended for easier access management and visibility.

2) Enable Google Workspace Alert Center API

Inside the created project, enable the following API:

  • Google Workspace Alert Center API

This service is exposed through alertcenter.googleapis.com.  

3) Create a Service Account

In Google Cloud Console, go to:

IAM & Admin → Service Accounts

Create a new service account.

This account will be used by the integration as the application identity.  

4) Create a JSON key for the Service Account

Open the created service account and follow these steps:

Keys → Add Key → Create New Key → JSON

This will download a JSON key file.

The file must be stored securely. Google states that the private key is only provided once and should be protected carefully.  

5) Collect the required values from the JSON file

The generated JSON file contains the following values that will be used in the integration:

  • client_email
  • private_key
  • project_id

In addition, the numeric OAuth 2 Client ID of the service account must also be noted from the service account screen.

This is important because the Admin Console authorization step requires the Client ID, not the service account email address.  

6) Decide which admin account will be used

Since the integration uses domain-wide delegation, it will operate on behalf of a Google Workspace admin account.

This admin email address will later be used in the JWT sub claim. In delegated access, the sub value represents the user being impersonated.  

7) Sign in to Google Workspace Admin Console as Super Admin

Open the following URL in your browser:

https://admin.google.com

These steps must be completed by a Google Workspace Super Admin.

Google’s official documentation states that domain-wide delegation must be granted by a super administrator.  

8) Open the API Controls screen

In Admin Console, go to:

Security → Access and data control → API controls

9) Open the Domain Wide Delegation screen

Inside API controls, open:

Manage Domain Wide Delegation

This is the official path referenced by Google for domain-wide delegation setup.  

10) Add a new authorization entry

Click:

Add new

11) Enter the Service Account Client ID

In the pop-up window:

  • Enter the numeric OAuth 2 Client ID of the service account into the Client ID field

Do not enter the service account email address here.

Google specifically requires the service account Client ID for domain-wide delegation authorization.  

12) Add the required OAuth scope

In the OAuth Scopes field, enter:

https://www.googleapis.com/auth/apps.alerts

This is the official scope required for Alert Center API access.  

13) Complete the authorization

Click:

Authorize

to finish the setup.

14) Wait for permission propagation

According to Google, domain-wide delegation usually becomes active within a few minutes, but in some cases propagation may take up to 24 hours. Because of this, initial tests may fail temporarily even if the setup is correct.  

15) Share the required information with the integration team

After the setup is completed, the following information should be shared with the integration team:

  • Service account JSON key file
  • client_email
  • numeric Client ID
  • project_id
  • authorized admin email address

16) Add the source in Logsign

After all Google-side configuration is completed, the collected values must be entered while adding the source in Logsign.

Use the fields as follows:

  • Email

Enter the authorized admin account email address from admin.google.com

This is the delegated admin email used for impersonation.

  • Private Key

Enter the service account private key

The key must be pasted without \n escape characters.

It should be formatted as a normal PEM key block.

  • Service Account Email

Enter the email address of the service account that was created in Google Cloud.

This means the final mapping in Logsign will be:

  • Email → authorized admin email address
  • Private Key → service account private key without \n
  • Service Account Email → created service account email address
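
A pre-flight check for the values collected in steps 5, 6 and 16, as an added example that is not part of the original article or Logsign's own code: it validates the service account key JSON, turns a private key pasted with literal \n sequences into a normal PEM block, and builds the delegated JWT claim set with the admin address as sub. The sample key, the addresses, the function names and the token endpoint constant are assumptions made for illustration, as is reading the numeric Client ID from the key file's client_id field; the JWT is not signed here.

```python
import json
import time

SCOPE = "https://www.googleapis.com/auth/apps.alerts"
TOKEN_URI = "https://oauth2.googleapis.com/token"  # assumed token endpoint (JWT aud)

# Constructed sample key file; every value is a placeholder, not a real key.
SAMPLE_KEY = json.dumps({
    "project_id": "example-project",
    "client_email": "alerts@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})


def normalize_pem(key):
    """Turn a key copied with literal backslash-n sequences into a real PEM block."""
    pem = key.replace("\\n", "\n").strip() + "\n"
    lines = pem.splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("private_key is not a PEM block")
    return pem


def prepare_fields(key_json, admin_email, now=None):
    """Validate a service account key file and map it to the fields of step 16."""
    key = json.loads(key_json)  # json.loads already decodes JSON "\n" into newlines
    missing = [f for f in ("client_email", "private_key", "project_id") if not key.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    if admin_email.lower() == key["client_email"].lower():
        raise ValueError("Email must be the Workspace admin, not the service account")
    client_id = str(key.get("client_id", ""))
    if not client_id.isdigit():
        raise ValueError("Client ID for domain-wide delegation must be numeric")
    now = int(time.time()) if now is None else now
    return {
        "logsign": {
            "Email": admin_email,
            "Private Key": normalize_pem(key["private_key"]),
            "Service Account Email": key["client_email"],
        },
        "admin_console": {"Client ID": client_id, "OAuth Scopes": SCOPE},
        # Claim set of the JWT sent to the token endpoint: sub is the impersonated admin.
        "jwt_claims": {"iss": key["client_email"], "sub": admin_email,
                       "scope": SCOPE, "aud": TOKEN_URI, "iat": now, "exp": now + 3600},
    }
```
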
     