Practical GAM: Understanding JSON

Brian Kim
3 min read · Feb 4, 2021

Google Apps Manager (GAM and GAMADV-XTD3) uses two JSON files: client_secrets.json and oauth2service.json. They can be created in a Google Cloud project under any domain (even a regular gmail.com account, though additional steps are required) and then authorized on any Workspace domain. GAMADV-XTD3 creates them in the .gam folder by default. At any time you can open the JSON files in your favourite text editor and examine their content.

client_secrets.json

This file holds the OAuth client that GAM uses to run commands as an admin. When you run gam oauth create you choose which scopes to authorize. Commands run this way act as your admin account and are typically visible in the admin audit log. Unless you are a super admin, you will not be able to call certain APIs, such as the Domain Shared Contacts API.

oauth2service.json

This file is the service account key, used to run commands as a user through domain-wide delegation. You first run gam user username@domain.com check serviceaccount, which prints a link to authorize the service account's client ID for domain-wide delegation at https://admin.google.com/ac/owl/domainwidedelegation. You do NOT have to authorize all of the default scopes; grant only the ones you need. Keep a careful record of which service account client IDs are authorized on this screen, because each of them can act as any user in the domain for the scopes granted.
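As an added example (not part of the original article and not GAM's own code), here is a Python script that reads both files in Google's standard layouts, returns the identifiers worth recording (the OAuth client ID, the service account client ID and e-mail, and the key ID) without ever returning the client secret or private key, and flags the two hygiene problems a reviewer looks for: a key file that other local users can read, and a key that is overdue for rotation. The sample file contents, the 90-day rotation policy and the use of file mtime as a proxy for key age are assumptions; the key JSON itself carries no creation date.

```python
"""Inspect GAM's two credential files and check key hygiene.

Added example, not the article's or GAM's code. Sample values are
constructed and non-functional; MAX_KEY_AGE_DAYS is an assumed policy.
"""
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; adjust to your own

# Constructed sample files: fake values in the real client_secrets / key layouts.
SAMPLE_CLIENT_SECRETS = {
    "installed": {
        "client_id": "123456789012-abcdefghijklmnop.apps.googleusercontent.com",
        "project_id": "gam-project-example",
        "client_secret": "FAKE-SECRET-DO-NOT-USE",
        "redirect_uris": ["http://localhost"],
    }
}
SAMPLE_SERVICE_ACCOUNT = {
    "type": "service_account",
    "project_id": "gam-project-example",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEKEYMATERIAL\n-----END PRIVATE KEY-----\n",
    "client_email": "gam-sa@gam-project-example.iam.gserviceaccount.com",
    "client_id": "109876543210987654321",
}


def summarize_client_secrets(data: dict) -> dict:
    """Return the OAuth client identifiers; the client_secret is never returned."""
    block = data.get("installed") or data.get("web")  # desktop or web client block
    if block is None:
        raise ValueError("not a Google OAuth client secrets file")
    return {"client_id": block["client_id"], "project_id": block.get("project_id")}


def summarize_service_account(data: dict) -> dict:
    """Return the service-account identifiers; the private key is never returned."""
    if data.get("type") != "service_account":
        raise ValueError("not a service account key file")
    if not data.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM block")
    return {
        "client_id": data["client_id"],  # the ID shown on the domain-wide delegation screen
        "client_email": data["client_email"],
        "private_key_id": data["private_key_id"],
        "project_id": data["project_id"],
    }


def file_findings(path: Path, now: Optional[float] = None) -> list:
    """Flag a credential file that others can read or that is past its rotation age."""
    findings = []
    st = path.stat()
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path.name}: mode {stat.filemode(st.st_mode)} is readable by others; chmod 600")
    age_days = ((now if now is not None else time.time()) - st.st_mtime) / 86400
    if age_days > MAX_KEY_AGE_DAYS:
        findings.append(f"{path.name}: {age_days:.0f} days since last change, rotate the key")
    return findings


def audit(gam_dir: Path) -> dict:
    """Parse both files in a GAM config folder and collect identifiers plus findings."""
    cs_path = gam_dir / "client_secrets.json"
    sa_path = gam_dir / "oauth2service.json"
    return {
        "oauth_client": summarize_client_secrets(json.loads(cs_path.read_text())),
        "service_account": summarize_service_account(json.loads(sa_path.read_text())),
        "findings": file_findings(cs_path) + file_findings(sa_path),
    }


def run_demo(key_age_days: int = 0) -> dict:
    """Write the constructed samples to a temporary .gam folder and audit them.

    The key file is deliberately left at mode 0644 and, if requested, its
    mtime is backdated by key_age_days, so both findings can be exercised.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".gam"
        d.mkdir()
        cs, sa = d / "client_secrets.json", d / "oauth2service.json"
        cs.write_text(json.dumps(SAMPLE_CLIENT_SECRETS))
        cs.chmod(0o600)
        sa.write_text(json.dumps(SAMPLE_SERVICE_ACCOUNT))
        sa.chmod(0o644)  # the mistake the audit should catch
        past = time.time() - key_age_days * 86400
        os.utime(sa, (past, past))
        return audit(d)


if __name__ == "__main__":
    print(json.dumps(run_demo(key_age_days=120), indent=2))
```

Point audit() at your real .gam folder (or a per-tenant folder) to get the client IDs to compare against the domain-wide delegation and API controls screens; the summary dicts are safe to paste into a ticket because the secret fields are never copied out of the files.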

What to do when JSON files have been lost

The service account key, oauth2service.json, must be protected and rotated regularly, because anyone who holds it can impersonate every user on your domain for the delegated scopes. There are a few ways to delete a service account and its key; below is one of the easiest ways to re-create both JSON files without creating a brand new project.

Step 1: Go to https://console.cloud.google.com/apis/credentials?project=your-project-id

Step 2: Delete the OAuth 2.0 Client IDs and Service Accounts (do this only if the project is used solely for your GAM installation)

Step 3: Now that the OAuth 2.0 client and service account are deleted, re-authorize GAM against the project. Type gam use project username@domain.com your-project-id

Step 4: This prints a link to open in the browser. Follow the on-screen instructions to re-authorize GAM's access to the project; GAM then creates a replacement OAuth client and service account in the project and writes fresh client_secrets.json and oauth2service.json files.

Step 5: Now re-authorize your GAM project as an admin. Type gam oauth create and follow the on-screen instructions.

Step 6: Now re-authorize the service account. Type gam user username@domain.com check serviceaccount

Step 7: Open the link it prints, which takes you to https://admin.google.com/ac/owl/domainwidedelegation, and authorize the new service account client ID there. Remove the old client ID from that screen as well; the service account behind it no longer exists, and a stale entry only adds confusion the next time you review the list.

Working with Multiple Domains/Tenants

The steps to authorize GAM against multiple Workspace tenants using the same project are very similar to those above. You first edit gam.cfg, which is typically located in your .gam folder (or wherever your JSON files are), and add a section.

First create a folder inside the .gam folder and give it the name you will use in gam.cfg. Copy the two JSON files into the new folder. Then edit gam.cfg so that it has a section name of your choosing whose config_dir points at the folder you created:

[sectionName]
config_dir = folderName

You can now run gam select sectionName save to switch to that configuration.
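As an added example (not from the article and not GAM's own code), the following Python script carries out the folder, copy and gam.cfg steps above in one go. It creates the tenant folder under .gam, copies the two JSON files into it with owner-only permissions, and appends a [section] with config_dir = folder to gam.cfg, refusing to overwrite an existing section or folder so that a re-run cannot silently clobber another tenant's credentials. The section name, folder layout and placeholder file contents in the demo are assumptions.

```python
"""Provision a per-tenant section in GAM's gam.cfg.

Added example, not the article's or GAM's code. The demo uses constructed
placeholder credential files, not real keys.
"""
import configparser
import shutil
import tempfile
from pathlib import Path
from typing import Optional

CREDENTIAL_FILES = ("client_secrets.json", "oauth2service.json")


def add_tenant(gam_dir: Path, section: str, folder: Optional[str] = None) -> Path:
    """Create gam_dir/folder with copies of the credentials and register it in gam.cfg."""
    folder = folder or section
    cfg_path = gam_dir / "gam.cfg"
    # gam.cfg is INI-style; parse it only to detect a clash. The new section is
    # appended as text so comments and formatting in the existing file survive.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(cfg_path)
    if cfg.has_section(section):
        raise FileExistsError(f"[{section}] already exists in {cfg_path}")
    for name in CREDENTIAL_FILES:
        if not (gam_dir / name).is_file():
            raise FileNotFoundError(f"{gam_dir / name} is missing; authorize GAM first")
    tenant_dir = gam_dir / folder
    tenant_dir.mkdir(mode=0o700)  # raises if the folder already exists
    for name in CREDENTIAL_FILES:
        dst = tenant_dir / name
        shutil.copyfile(gam_dir / name, dst)
        dst.chmod(0o600)  # the service account key must not be readable by others
    existing = cfg_path.read_text() if cfg_path.exists() else ""
    if existing and not existing.endswith("\n"):
        existing += "\n"
    cfg_path.write_text(f"{existing}\n[{section}]\nconfig_dir = {folder}\n")
    return tenant_dir


def sections(gam_dir: Path) -> list:
    """Return the section names that 'gam select <name>' can now switch to."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(gam_dir / "gam.cfg")
    return cfg.sections()  # [DEFAULT] is not listed; it is the implicit base config


def run_demo() -> dict:
    """Build a constructed .gam folder, add one tenant, and report what resulted."""
    with tempfile.TemporaryDirectory() as tmp:
        gam_dir = Path(tmp) / ".gam"
        gam_dir.mkdir()
        # Constructed minimal gam.cfg and placeholder credential files (not real keys).
        (gam_dir / "gam.cfg").write_text("[DEFAULT]\nconfig_dir = .\n")
        for name in CREDENTIAL_FILES:
            (gam_dir / name).write_text('{"placeholder": true}')
        tenant_dir = add_tenant(gam_dir, "customer2", "customer2")
        try:
            add_tenant(gam_dir, "customer2")  # second run must be refused
            duplicate_rejected = False
        except FileExistsError:
            duplicate_rejected = True
        return {
            "sections": sections(gam_dir),
            "copied": sorted(p.name for p in tenant_dir.iterdir()),
            "key_mode": oct((tenant_dir / "oauth2service.json").stat().st_mode & 0o777),
            "duplicate_rejected": duplicate_rejected,
        }


if __name__ == "__main__":
    print(run_demo())
```

After running add_tenant() against your real .gam folder, gam select customer2 save switches GAM to the copied credentials; the copies are still the original project's client and key, so the tenant-side authorization steps that follow are still required before any command will succeed there.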

Before you can proceed with authorization, there are a few additional steps that are required.

Step 1: Go to https://console.cloud.google.com/apis/credentials/consent?project=your-project-id

Step 2: Make sure the Publishing status is In production and the User type is External; an Internal app can only be authorized by users in the project's own organization, so a second tenant could never trust it.

Step 3: Go to https://console.cloud.google.com/apis/credentials and copy the Client ID listed under OAuth 2.0 Client IDs

Step 4: Go to https://admin.google.com/ac/owl/list?tab=apps on your second domain/tenant, click Configure new app, select OAuth App Name Or Client ID, look up the Client ID you copied, and authorize your GAM project.

Now, with the new section selected, repeat Steps 5–7 from What to do when JSON files have been lost so that the admin OAuth token and the domain-wide delegation are created for the second tenant.

If you want to switch back to the original domain, run gam select default save.


Brian Kim

Brian is a Google-certified Collaboration and Security Engineer. You can find him hanging out in the SaaSOps or MacAdmins Slack.