> ## Documentation Index
> Fetch the complete documentation index at: https://explore.airia.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Google Drive (Service account)

This guide helps you securely connect your Google Drive to Airia using a Google Service Account. This method supports both your personal My Drive and Shared Drives across personal Gmail and Google Workspace accounts.

## Prerequisites

Before you begin, ensure you have:

* An active Google Cloud Project.
* A Google account with permissions to create service accounts and enable APIs in Google Cloud.
* If using Domain-Wide Delegation (DWD) for Google Workspace: Access to your Google Workspace Admin Console with super admin privileges.

## 1. Set Up Your Google Cloud Project

First, create or select a project in the Google Cloud Console.

1. Go to the [Google Cloud Console](https://console.cloud.google.com/).
2. At the top of the page, click the project dropdown.
3. Select an existing project or click **New Project** to create a new one.
   * If creating new, enter a descriptive name (e.g., `Airia Drive Connector`).
   * Click **Create**.

## 2. Enable the Google Drive API

Next, enable the Google Drive API for your chosen project.

1. Inside your Google Cloud project, navigate to **APIs & Services** > **Library**.
2. In the search bar, type `Google Drive API`.
3. Click on the search result, then click **Enable**.

## 3. Create a Google Service Account

A service account allows Airia to securely access your Google Drive without using your personal credentials.

1. In the Google Cloud Console, go to **IAM & Admin** > **Service Accounts**.
2. Click **+ Create Service Account**.
3. Enter a **Service account name** (e.g., `airia-drive-connector`). The Service account ID will auto-fill.
4. Click **Create and Continue**.
5. For the **Grant this service account access to project** step, assign a suitable role. For Google Drive access, `Editor` is often sufficient, or you can create a custom role with specific Drive permissions.
6. Click **Done**.
7. Click on the service account you just created in the list.
8. Go to the **Keys** tab.
9. Click **Add Key** > **Create new key** > **JSON**.
10. A `.json` file containing your service account credentials (including `client_email`, `private_key`, `project_id`, etc.) will be downloaded. **Save this file securely**; you will need to upload its content to Airia.

    > ⚠️ **Warning**: This JSON key contains sensitive information. Keep it confidential and secure, and do not share it publicly.

## 4. Grant Your Service Account Google Drive Access

How you grant access depends on whether you are connecting a personal Gmail account or a Google Workspace (G Suite) account.

### For Personal Gmail Users

For personal accounts, you must manually share specific files or folders with the service account.

1. Open [Google Drive](https://drive.google.com/) in your web browser.
2. Locate the specific files or folders you want Airia to access.
3. Share these items with the `client_email` found in your service account JSON key.
4. Set the appropriate permissions (e.g., `Viewer` for read-only access, or `Editor` for write access, depending on your Airia needs).

### For Google Workspace Users

For Google Workspace users, you have three options to grant access, depending on the desired scope:

#### Option 1: Manual Sharing

This method is the same as for personal Gmail users and provides access to specific files or folders.

1. Open [Google Drive](https://drive.google.com/) in your web browser.
2. Locate the specific files or folders you want Airia to access.
3. Share these items with the `client_email` from your service account JSON key.
4. Set the appropriate permissions (e.g., `Viewer`, `Editor`).

#### Option 2: Shared Drive Access

This method is ideal for connecting an entire Shared Drive (formerly Team Drive) to Airia.

1. **Create a Shared Drive (if needed):**
   * Go to Google Drive > **Shared Drives**.
   * Click **+ New**.
   * Enter a name and click **Create**.
2. **Add Members:**

   * Open the Shared Drive you want Airia to access.

   * Click **Manage members**.

   * Add the `client_email` from your service account JSON key as a member.

   * Set the role to `Content manager` (minimum required) or `Manager`.

   * Click **Send**.

   > 💡 **Note**: If you plan to use Domain-Wide Delegation (Option 3) to impersonate a Workspace user, you would add the *impersonated Workspace user* to the Shared Drive instead of the service account itself.

#### Option 3: Enable Domain-Wide Delegation (DWD)

Domain-Wide Delegation (DWD) allows your service account to impersonate users within your Google Workspace domain and access their My Drive and Shared Drives without manual sharing. This requires Google Workspace Super Admin access.

##### A. Enable DWD in Google Cloud Console

1. In Google Cloud Console, navigate to your Service Account details (IAM & Admin > Service Accounts > \[Your Service Account]).
2. Click **Edit**.
3. Check the box for **Enable Google Workspace Domain-wide Delegation**.
4. Enter a **Product name for the consent screen** (e.g., `Airia Drive Connector`).
5. Click **Save**.
6. Copy the **Client ID** displayed under "Domain-wide Delegation". You will need this in the next step.

##### B. Authorize the Service Account in Google Admin Console

This step requires Google Workspace Super Admin privileges.

1. Log in to the [Google Admin Console](https://admin.google.com/) using a super admin account.
2. In the left menu, go to **Security** > **API Controls** > **Domain-wide Delegation**.
3. Click **Add New**.
4. **Client ID**: Paste the **Client ID** of your service account that you copied from the Google Cloud Console.
5. **OAuth Scopes**: Paste the required OAuth scopes, comma-separated. For Google Drive access with impersonation, common scopes include:
   * `https://www.googleapis.com/auth/drive.readonly` (for read-only access)
   * `https://www.googleapis.com/auth/drive` (for full read/write access)
6. Click **Authorize**.

***

## Google Drive Authentication Options Summary

| Option                                     | Use Case                                                 | Access Scope                                                      | User Type                  | Setup Required by Customer                                      | Notes                                   |
| :----------------------------------------- | :------------------------------------------------------- | :---------------------------------------------------------------- | :------------------------- | :-------------------------------------------------------------- | :-------------------------------------- |
| **Option 1: Manual Sharing**               | Connect specific individual files or folders             | Only shared items                                                 | Personal Gmail & Workspace | Share via Google Drive UI                                       | Easiest setup; limited access           |
| **Option 2: Shared Drive Access**          | Connect an entire Shared Drive                           | Entire Shared Drive                                               | Workspace Only             | Create Shared Drive and add service account as member           | Ideal for team-wide data access         |
| **Option 3: Domain-Wide Delegation (DWD)** | Impersonate any user in the domain to access their Drive | Full Drive access of impersonated user (My Drive & Shared Drives) | Workspace Only             | Admin must: Enable DWD, Authorize scopes, Provide user email(s) | Most powerful; full domain-level access |

***

## Connect Google Drive to Airia

After setting up your Google Service Account and granting it access, follow these steps in the Airia platform to create your Google Drive data source.

### 1. Create Credentials in Airia

1. In Airia, go to **Settings** > **Credentials**.
2. Click **Add credentials**.
3. Select **Google Service Account** as the **Credential Type**.
4. **Service account credentials**: Open the `.json` file you downloaded earlier and copy its entire content. Paste this JSON into the field.
5. **Application name**: Enter a name that helps you identify this service account in your Google Cloud Console logs (e.g., `Airia Drive Data Source`).
6. **Impersonate user**:
   * If you *did not* enable Domain-Wide Delegation (DWD), use the `client_email` from your JSON secret.
   * If you *did* enable Domain-Wide Delegation (DWD), type in the email address of the specific Google Workspace user whose Drive you want to access (e.g., `user@yourdomain.com`).
7. Select the **Project** within Airia where you want to use these credentials.

### 2. Create the Google Drive Data Source

1. In Airia, go to the **Connectors library** and select the **Google Drive (Service Account)** connector.
2. Provide a **Name** for your data source (e.g., `Marketing Team Drive`).
3. Select the **Project scope** (choose between **All projects** or a **Single project**).
4. From the dropdown menu, select the credentials you created in the previous step.
5. In the **Select folders** section, you can choose to sync content from:
   * **My Drive**: Content owned by the impersonated user (if DWD is enabled) or manually shared with the service account.
   * **Shared drives**: Shared Drives where the service account (or impersonated user) is a member.
     You can browse and select specific folders to sync.

## Enforce Permissions for Google Drive Data Sources

Airia filters Google Drive query results based on the end-user's access permissions to the files.

### Prerequisites

To enable permission enforcement for your Google Drive data source:

* **Single Sign-On (SSO)** must be enabled for your Airia project.
* **Permission check** must be enabled when configuring the specific data source (e.g., when setting up the Google Drive data source).
* For Google Drive, only for users who have edit access to the files will be able to view files or retrieve any content from these files.
* For more information on how permissions work, see [Permissions Enforcement Overview](https://explore.airia.com/integrations/Data-Source-Connectors/Permissions%20Enforcement).

> ⚠️ Warning:
> For Google Drive, platform users' UI access to file details depends on their original file permissions:
>
> * Users with **edit access** to the original Google Drive files can view the file names and their content (SQL table, chunks, Binder) within the platform UI.
> * Users without **edit access** to the original Google Drive files will see file names redacted and cannot view file content in the platform UI.

***

## Manage Your Google Drive Data Source

Once your Google Drive data source is connected, you can manage its synchronization and settings within the Airia platform.

1. From the data source list in your Airia project, select your Google Drive data source.
2. Click the **option menu**.
3. From here, you can:
   * **Manually re-sync** the data source to pull the latest content immediately.
   * **Schedule a sync** to set up automatic synchronization intervals. For more details on scheduling, refer to the [Schedule a Sync](https://explore.airia.com/integrations/Data-Source-Connectors/schedule-a-sync) documentation.
   * **Edit** the data source to change its name, project scope, or the specific folders selected for ingestion.