This is a guide to onboard a school on to the GC Service.

Who can access those websites and set up the Service Account?
Only the school’s IT Admin user can set up those accounts and utilize the right permissions using the school’s email’s Suite domain account.
GC Service is a background data pipeline service between Google Classroom and Firefly Systems. The GC uses service-to-service authentication, to authenticate with Google Classroom using Google Service Accounts and Google OAuth.

School IT administrators, will need to follow the two steps as listed below.

Onboarding Process

Setting up Google Workspace accounts

  • IT School Administrators will need to set up Google Workspace accounts. This is required for using the Google Classroom system. This is a prerequisite step for Step 2 below.

We expect School IT Administrators that use Google Classroom Service to already have Google Workspace accounts. It is a prerequisite for using Google Classroom Services. The School IT Administrator will need to use their Google Workspace email account for STEP 2.

Setting up Google Service accounts

  • IT school Administrators will need to create Google Service Accounts using their Google Workspace accounts.

How to Set up Google Service Accounts


Use these links to services for Setting up Google Service Account:

https://admin.google.com/

https://console.cloud.google.com/


Who can access these websites and set up the Service Account?
Only the school’s IT Admin user can set up those accounts and utilise the right permissions using the school’s email domain account.

Step 1

The IT Admin needs to access https://console.cloud.google.com/ with their Google Workspace domain email.






Step 2

Click on the Navigation Menu as shown in the image to the right.

Step 3

Click on the IAM & Admin then select Service Accounts

Step 4

In the Service Accounts panel, click on CREATE SERVICE ACCOUNT



A project needs to be selected before a Service Account can be created. The project can be selected in the dropdown next to Google Cloud Platform in the top left. Schools may choose to create a new project for the integration.

Step 5

In Create Service Account panel, the user will need to:

  1. CREATE Service Account Details

    • Enter a display name for the account

    • The Service account ID will be created from the display name

    • Optionally enter a description for the account

  2. Grant this service account access to the project (Optional)

    • Click next on this step

  3. Grant users’ access to this service account (Optional)

    • Click next on this step

We will come back to the permissions in a later step.

Step 6

The service account will appear in the Service accounts table. We now need to edit the Service Account.

Step 7

The user needs to specify Service Account details.

Important

  • Expand SHOW DOMAIN-WIDE DELEGATION and click Enable G Suite Domain-wide Delegation

  • In the Keys section, click ADD KEY

  • Create new key then choose JSON and click Create. This will generate a JSON file that needs to be shared with Firefly.

  • Click SAVE

STEP 8

In the Navigations Menu, go to IAM

STEP 9

You should be able to see your email as a member. You will need to edit permissions and assign the role of Service Account User and Owner. This is also very important.

STEP 10

If the APIs and Services are not enabled we need to enable them.

To do this click into the menu in the top left and select APIs and Services, then Dashboard and click  Enable APIs and Services

Search for Google Classroom API and click enable

STEP 11

The JSON file has some very important information that we can use to specify permissions for Google Classroom.

One of the fields is the Client_id. We will use Client_id in the next steps.

Here is an example of the JSON file:

{
"type": "service_account",
"project_id": "project-1",
"private_key_id": "1jh23h65f34o1k234kmj45kdd123kj0top",
"private_key": "-----BEGIN PRIVATE KEY-----\n SOME KEY PRIVATE KEY-----\n",
"client_email": "someproject@project-1.iam.gserviceaccount.com",
"client_id": "13547981038790354279",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/sa-695%4project-1.iam.gserviceaccount.com"
}

We need to use the ClientID and specify permissions.

For that please go to https://admin.google.com/


STEP 12

Click on SECURITY and select API Controls

STEP 13

Click on Manage Domain-Wide Delegation

STEP 14

This is the section where we control permissions for the Google classroom. You will need to Authorise your ClientID (you can find it in the JSON file).

Then input the following scopes (comma-delimited) in the “OAuth Scopes” text area and then click AUTHORISE

https://www.googleapis.com/auth/classroom.courses,

https://www.googleapis.com/auth/classroom.coursework.students,

https://www.googleapis.com/auth/classroom.rosters,

https://www.googleapis.com/auth/classroom.profile.emails

Note: these need to be added in the following format: link1,link2,link3,link4


STEP 15

Once the above steps have been completed the json file needs to be sent to Firefly along with the email address from a super admin account

We would recommend creating a new account for this integration but it must have the super admin role.

(Note this email is different from the one on the service account)