I have configured the Splunk Add-on for Google Workspace on a Heavy Forwarder that is performing data collection and then forwarding the data to Splunk Cloud.
We followed the instructions at https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/About both when configuring the Google Cloud service account and configuring the Add-On. I configured the Add-On with the Google Cloud service account with the JSON key generated on console.cloud.google.com and then configured the inputs.
We are not getting any data and when we look at the internal logs from the Heavy Forwarder where the Splunk Add-on for Google Workspace is deployed we are seeing 401 responses like the following:
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.464Z&endTime=2022-06-22T19%3A07%3A10.464Z
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.521Z&endTime=2022-06-22T19%3A07%3A10.521Z
We also went through the troubleshooting section of the docs: https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot to no avail.
Any guidance from someone who has deployed the GWS Add-On and gotten a 401 after configuring the inputs will be greatly appreciated.
You need to grant admin privileges in GWS for the account you use in the Username field (the email address that you use as your Google Workspace).
Hello,
Did you have any luck fixing the issue? We are getting exactly the same error and we are going crazy trying to make it work, but with no luck so far. Any help will be very welcome.
Thanks!
We now have the input working for the admin SDK via GCP for the Splunk Add-on; the root cause of the authorization issue was a GCP service account needing to do user impersonation of a GWS account with proper admin rights (not what Splunk support advised).
https://medium.com/google-cloud/impersonating-users-with-google-cloud-platform-service-accounts-ba76...
The service account used for this integration needs to have the super admin role as @ostap_med noted. It also needs to match the account in the JSON key that is used when setting up the account within the Splunk TA for Google Workspace.
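An added illustration, not part of any post in this thread and not the add-on's own code: the impersonation discussed above corresponds to the `sub` claim in the JWT a Google service account exchanges for an access token, so a preflight check on the JSON key and the configured user can catch a misconfiguration before the Reports API returns 401. The helper names, key values and addresses are constructed placeholders; the scope shown is the Admin SDK Reports API read-only scope.

```python
import json
import time

# Read-only scope for the Admin SDK Reports API (the endpoint in the 401 errors).
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
TOKEN_URL = "https://oauth2.googleapis.com/token"


def preflight(key_json: str, admin_user: str) -> list:
    """Return a list of configuration problems; an empty list means none found."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("key is not a service_account key")
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            problems.append(f"key is missing {field}")
    if not admin_user:
        problems.append("no Workspace user to impersonate")
    elif admin_user.endswith(".gserviceaccount.com"):
        problems.append("impersonated user is a service account, not a Workspace admin")
    return problems


def delegation_claims(key_json: str, admin_user: str, now: int = None) -> dict:
    """Claim set of the signed JWT the service account exchanges for a token."""
    key = json.loads(key_json)
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],   # the service account from the JSON key
        "sub": admin_user,            # the Workspace admin being impersonated
        "scope": REPORTS_SCOPE,
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + 3600,            # assertion lifetime is at most one hour
    }


# Constructed sample key (placeholder values, not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "splunk-gws@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "PLACEHOLDER",
})

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "splunk-gws@example-project.iam.gserviceaccount.com"))
    print(delegation_claims(SAMPLE_KEY, "admin@example.com"))
```

The `client_id` from the key is the value that must be authorized for this scope under domain-wide delegation in the Google Workspace Admin console; the check above cannot verify that step offline.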