Why is Splunk Add-on for Google Workspace inputs getting 401 response?

splunk_w_ro
Explorer

I have configured the Splunk Add-on for Google Workspace on a Heavy Forwarder that is performing data collection and then forwarding the data to Splunk Cloud.

We followed the instructions at https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/About both when configuring the Google Cloud service account and configuring the Add-On. I configured the Add-On with the Google Cloud service account with the JSON key generated on console.cloud.google.com and then configured the inputs.

We are not getting any data, and when we look at the internal logs from the Heavy Forwarder where the Splunk Add-on for Google Workspace is deployed, we are seeing 401 responses like the following:

requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.464Z&endTime=2022-06-22T19%3A07%3A10.464Z
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.521Z&endTime=2022-06-22T19%3A07%3A10.521Z

We also went through the troubleshooting section of the docs: https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot to no avail.

Any guidance from someone who has deployed the GWS Add-On and gotten a 401 after configuring the inputs will be greatly appreciated.

0 Karma
1 Solution

ostap_med
Engager

You need to grant admin privileges in GWS for the account you use in the Username field (the email address that you use as your Google Workspace).


pablobarquin
Explorer

Hello,

Did you have any luck fixing the issue? We are getting exactly the same error and we are going crazy trying to make it work, but with no luck so far. Any help will be very welcome.

Thanks!

0 Karma

pablobarquin
Explorer

We now have the input working for the admin SDK via GCP for Splunk Add-on. The root cause of the authorization issue was a GCP service account needing to do user impersonation of a GWS account with proper admin rights (not what Splunk support advised).

https://medium.com/google-cloud/impersonating-users-with-google-cloud-platform-service-accounts-ba76...

0 Karma
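
The impersonation described in the post above corresponds to the `sub` claim in Google's service-account token request. The following is an added example, not part of the thread and not the add-on's own code: it builds the JWT claim set for delegated access and flags the misconfigurations the thread discusses. The function name, the sample key and the e-mail addresses are constructed for illustration, and the Reports API read-only scope is assumed as the one being requested.

```python
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
# Read-only scope for the Admin SDK Reports API (assumed scope for this example).
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Constructed sample key file: placeholder values, not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "splunk-gws@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": TOKEN_URI,
})


def delegated_claims(key_json, admin_user, now=None):
    """Return (claims, problems) for a domain-wide-delegation token request.

    claims is the JWT claim set the service account would sign; problems lists
    configuration mistakes that match the root cause described in the thread.
    """
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("key file is not a service account key")
    for field in ("client_email", "private_key"):
        if not key.get(field):
            problems.append(f"key file is missing {field}")
    sa_email = key.get("client_email", "")
    if not admin_user:
        problems.append("no user to impersonate: token would act as the service account itself")
    elif admin_user.lower().endswith(".gserviceaccount.com"):
        problems.append("username is a service account, not a Workspace admin user")
    issued = int(now if now is not None else time.time())
    claims = {
        "iss": sa_email,                        # service account from the JSON key
        "scope": REPORTS_SCOPE,
        "aud": key.get("token_uri", TOKEN_URI),
        "iat": issued,
        "exp": issued + 3600,                   # assertion lifetime is at most one hour
    }
    if admin_user:
        claims["sub"] = admin_user              # Workspace admin user being impersonated
    return claims, problems
```

A token issued from this claim set is only accepted once the scope is authorized for the service account's client ID under domain-wide delegation in the Workspace Admin console.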

splunk_w_ro
Explorer

The service account used for this integration needs to have the super admin role as @ostap_med noted. It also needs to match the account in the JSON key that is used when setting up the account within the Splunk TA for Google Workspace.

0 Karma

