Note: This document references views and actions that are only available to Echo Administrators. Google Workspace integration is managed by Admins at your root domain. Once it is set up, it is inherited by all subdomains.
This document describes how to create a Google Service Account Key so that Echo users can easily access Google Suites (Google docs) as they participate in a course. You will need to have an Echo Admin account to complete this task. Along with Super Admin rights to Google Application.
Google integration options
Echo enables two types of integration with Google:
- Automatic integration with Google Drive: Most Echo domains are automatically integrated with Google Drive, allowing users to use Google Drive documents in Echo as long as they have a Google account. This integration does not include collaborative tools.
- Google Workspace integration (covered in this article): This integration requires more setup, requires users to have a Gmail address attached to their Echo account, and enables collaborative tools.
Google Workspace Integration Enables
- Easy creation of Google Drive documents in the Student app when completing a dropbox activity. Previously, if students wanted to submit an activity as a Google Doc, they had to create the document in their Google Drive, then open the activity in Echo and search for that document to attach. Now they can create and submit all within Echo.
- PDF snapshots of Google Drive submissions. When a student submits an activity as a Google Doc, Echo creates a PDF snapshot that is available to both the student and the teacher. This way a record remains if the student makes changes to the document, or even if the Google Drive account is deactivated.
- Automatic permissions management. Google Docs makes collaboration and inline commenting easy, as long as all members have the correct permissions. With Google Workspace integration, Echo automatically gives students (including students that are in the same group assignment) and teachers the correct permissions for easy collaboration. If, for any reason, permissions are not correctly granted, users will simply ask for permission using Google Drive.
- Automatic copies of Google Drive documents when duplicating activities. Teachers can include Google Drive documents as part of activities. If a colleague wants to duplicate the activity for their own use, they can easily copy the attached Google Drive document to their Google Drive for their own use.
Google Workspace integration setup
In order to set up your Google Workspace integration:
- You must create a Google service account.
- All users must have a current Google email attached to their profile (only the admin can edit these emails in Echo).
- You must enable it in Domain Settings.
Create a service account
There are five steps to setting up your service account for Google Workspace:
- Create a project
- Enable the Google Drive API
- Create a service account for the project
- Enable API client access for the service account
- Enable Google Workspace integration on Echo
You must have a Google account to accept Google's terms of service for accessing Google Drive from within Echo. As part of the standard Google security and authentication process, Google provides this account's e-mail address to each end-user before they attempt to access Google Drive in Echo.
You can use any account that has Super Admin rights in Google. Our suggested best practice would be to create an account that is only used for authenticating access to Echo. You will need this email address and the password for the next step.
If you use your own account for this project, you run the risk of breaking the integration if your leave and your account is disabled.
Log into Google APIs
Google has a console that allows you to configure any application, such as Echo, to access Google services through their Application Programming Interfaces (APIs). Echo contains code that accesses Google Drive services, but you must enable that code to run in your Echo domain by agreeing to Google's terms of service and setting up a link between Echo and Google by creating a Google API Project.
With the account that you will be using for authentication, log in console.developers.google.com
1. Create a Project
Any Google Cloud Platform resources that you allocate and use must belong to a project. You can think of a project as the organizing entity for what you're building. A project is made up of the settings, permissions, and other metadata that describe your applications. Learn more about projects.
If you already have a project that you want to use, you can skip to Step 2. Enable the Google Drive API.
To create a project:
- Go to the Google Developers Console (https://console.developers.google.com/project) and sign in as a super administrator.
- Click Create project. If you haven't used the Developers Console before, agree to the Google Cloud Platform Terms of Service. Then, click Create a project.
- Enter a project name.
- Edit the Project ID if you want.
- Select the desired Organization and Location from the appropriate dropdown menus.
- Click Create.
2. Enable Google Drive API
In order for Echo to interface with the Google Drive API, you need to enable it.
From the API dashboard (https://console.developers.google.com/apis/dashboard) select the project you created and Click on Enable API and Services in the Dashboard
Under Google Apps APIs, click on Drive API
3. Create a service account for the project
In order for Echo to manage permissions effectively, it needs access to your Google service account
- Open the Menu in the top-left corner of the console and click IAM & Admin >Service accounts.
- Click Create Service Account, and in the popup that appears, enter a title in the Service Account Name field.
- Check the Furnish a new private key box and ensure the key type is set to JSON.
- Click Create.
- You can set any optional Service account permissions you desire, then click Continue.
- Set up any optional user access, then click Create Key.
- Select JSON under Key type in the panel that appears on the right and click Create. You'll see a message that the service account JSON file has been downloaded to your computer. You will need it later, so make a note of the location and name of this file.
- Click Done.
Open the Actions menu and click Edit.
Click Show Domain-wide delegation to expand the section and check the the Enable Domain-wide Delegation box and enter a name in the Product name for the consent screen field. (use whatever is most useful; only the system admin managing this integration will see this name).
You can click the View Client ID link to review the service account you have just crated. Copy the Client ID value. You will need this in Step 4.
4. Enable API client access for the service account
Your organization may have multiple active domains within your Google Workspace account (e.g., @studentemail.com, @teacheremail.com, @parentemail.com). If so, each of these domains need the client access you set up in these steps, and you need to repeat them for each domain.
Once Google Drive API is enable, you need to give Echo access to the service account.
In your Google Workspace domain's Admin console (https://admin.google.com), select Security from the list of controls.
- If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
- If you can't see the controls, make sure you're signed in as an administrator for the domain.
In Security, click Advanced settings
Click Manage domain wide delegation.
Enter the service account's Client ID. You should have copied this in Step 3, or you can find it in the Service accounts page.
In the OAuth Scopes field, enter “https://www.googleapis.com/auth/drive”
5. Enable Google Workspace integration in Echo
Once you have a Google service account created, you can enable the Google Workspace integration:
- From the Domain Details, select Domain Settings.
- Scroll to Enable Google Workspace service account box.
- Create a Google Drive folder name. (example: echogsuite)
- Click Edit service-account key.
- Copy and paste the contents from the .json file that Google provided when you set up your service account into this field.
- Click Done.
When users open Google Drive from Echo for the first time, they may be asked to verify the access, sign into their account, indicate which account, etc. Review the possible requests pictured here.
Users' browsers must allow Google to popup windows.
- If the Google Drive fails to create or copy documents, Echo reports an error.
- If the Google Drive cannot correctly grant permissions, Echo does not report an error and users will simply ask for permission from the document author using Google Drive screens.
- If Google fails to generate a PDF snapshot, Echo attaches a TXT file to the activity in the PDF's place, alerting you of the issue.