Google

In the context of the “Google integration”, there are several relevant areas:

  • 📍 Google Cloud Storage can be used in the context of Bring Your Own (Cloud) Storage, which is used across Orbit One and by Connect for storing content (e.g. a downloaded workbook).

  • 📍 Google Chat is relevant for the Insight Messaging Module, as well as general Orbit One notifications.

  • 📍 Google Sheets is relevant for the Broadcast Module, the Insight Messaging Module, and more. It can be used as a source to define a Broadcast Task or burst an Insight Messaging Task to tons of users! Similarly, it can be used with the Admin Superpower “Cost Center Cross-Charge Calculator” to ingest a user to cost center mapping.

  • 📍 Google BigQuery is one of the platforms that Orbit One can connect to, for actually managing and consuming analytics Entities in BigQuery.

These steps are to be performed by/with a Google Cloud Platform administrator in your organization, as well as a Google Workspace administrator if required.

Service Account(s)

Google (Cloud) Service accounts are used to authenticate Orbit One to your Google Services. A single account can be used to represent Orbit One, or multiple accounts can be used to separate each Module or service.

Instructions

  1. Create an “Orbit One” Google Cloud project (optional but recommended): consider creating a project on Google Cloud to group all resources that will be linked to Orbit One. That includes the service accounts below, storage buckets, etc.

  2. Create a service account

    1. Log in to your Google Cloud Management Console, go to IAM & Admin and choose the Service Accounts tab. From there, click on Create Service Account. Make sure you are in the correct project, the one in which the resources will be created and billed. “Resources” can refer to Cloud Storage resources (buckets) in the context of setting up storage for Orbit One, or other resources when using the service account for other Modules.

    2. Choose an adequate service account name, for example orbit-one, and optionally add a brief description. Finally, we need to give access rights to our SA. The access rights to be granted depend on the use of our service account with Orbit One:

      1. If we’re creating a single, global Orbit One service account: all of the options below are needed.

      2. For Cloud Storage: Cloud Storage: Storage Admin. (Might be represented as a role named Storage Admin).

      3. For Google Chat: None; the bot will be added to Google Chat spaces directly.

  3. Gather the API Key

    1. Now that we’ve created the SA, we need to generate its respective key, which will allow us to authenticate when using the API. Click on the email address of your newly created SA, displayed in your list of service accounts. The email address will look something like “orbit-one@project-name.gserviceaccount.com”. Then go to the Keys tab, click on Add Key > Create New Key and select JSON as key type. This will download a JSON file to your PC, which includes the key needed to authenticate to your GCP console. Make sure this is stored securely.

    2. Provide the key to Orbit One in the Cloud Storage Credentials interface.

Cloud Storage

Create a Cloud Storage bucket to which the service account created in the previous step has access.

  1. In the Google Cloud Management Console, go to Storage and choose the Buckets tab.

  2. Create a new bucket with the following details:

    1. Name: choose an adequate bucket name, e.g.: orbit-one. You’ll also have to provide this name in the Orbit One configuration for your cloud storage.

    2. Region: at your discretion; for Biztory, Orbit One is currently hosted in GCP in Europe West1 (Belgium).

    3. Storage class: Standard.

    4. Access control:

      1. Enforce public access prevention.

      2. Choose Uniform access control.

    5. Protection tools: none.
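
To confirm afterwards that a bucket matches the settings listed above, the following added example (not Orbit One code) audits a bucket resource in the shape returned by the Cloud Storage JSON API (buckets.get). Both sample buckets are constructed, and the function name is an assumption.

```python
# Constructed samples in the shape of a Cloud Storage JSON API bucket resource.
WEAK_BUCKET = {
    "name": "orbit-one", "location": "EUROPE-WEST1", "storageClass": "NEARLINE",
    "iamConfiguration": {
        "publicAccessPrevention": "inherited",
        "uniformBucketLevelAccess": {"enabled": False},
    },
    # Bucket ACL entries only matter while uniform access is off.
    "acl": [{"entity": "allUsers", "role": "READER"}],
}
GOOD_BUCKET = {
    "name": "orbit-one", "location": "EUROPE-WEST1", "storageClass": "STANDARD",
    "iamConfiguration": {
        "publicAccessPrevention": "enforced",
        "uniformBucketLevelAccess": {"enabled": True},
    },
}
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

def audit_bucket(bucket, expected_name="orbit-one"):
    """Compare a bucket resource with the settings in the list above."""
    findings = []
    iam = bucket.get("iamConfiguration", {})
    if bucket.get("name") != expected_name:
        findings.append(f"name {bucket.get('name')!r} differs from {expected_name!r}")
    if bucket.get("storageClass") != "STANDARD":
        findings.append(f"storage class is {bucket.get('storageClass')!r}, not STANDARD")
    pap = iam.get("publicAccessPrevention")
    if pap != "enforced":
        # "inherited" leaves the decision to an organization policy, if one exists.
        findings.append(f"public access prevention is {pap!r}, not 'enforced'")
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("uniform access control is off; ACLs can grant access")
    public = [a["entity"] for a in bucket.get("acl", [])
              if a.get("entity") in PUBLIC_ENTITIES]
    if public:
        findings.append("ACL grants access to " + ", ".join(public))
    return findings

if __name__ == "__main__":
    for sample in (WEAK_BUCKET, GOOD_BUCKET):
        print(sample["storageClass"], audit_bucket(sample))
```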

Google Chat

The setup described below will definitely have to be replaced by a Biztory-published app once it is used publicly.

Prerequisites, mostly from this article (and these specific steps with the context of chat.bot in mind):

  • Ensure the Google Chat API is enabled for the Google Cloud Project the service account was created in.

  • Configure the OAuth consent screen on Google Cloud in API and services. Audience can be set to internal.

  • Ensure the service account has a Google Workspace Marketplace-compatible OAuth client configured:

    • Select the service account from here (in IAM and Admin / Service accounts)…

    • Go to Advanced Settings, enable the “Google Workspace Marketplace OAuth client”.

  • Ensure the Chat app is configured in the Google Workspace Marketplace SDK. This includes:

    • Enabling the Google Workspace Marketplace SDK.

    • The App Configuration screen for the above. (Private is fine for visibility, Individual + Admin is needed for installation settings, Chat app is the one required integration).

    • Complete the Store listing tab for the above as well. Complete all the info on the tab, then save draft, then publish.

  • Ensure the Google Chat API app configuration is also taken care of.

    • Ensure Interactive Features are enabled, especially “Join spaces and group conversations”, so the bot can join spaces it’s added to.

    • At least one Connection Setting will have to be added here as well. We can opt for HTTP endpoint URL, and provide an endpoint URL that is part of the Orbit One domain. Our app will not actually be listening here, but it has to be provided.

  • Finally, it should then be possible to add the Marketplace App to a Chat Space when logged in as an admin:

    [Screenshot] That was a lot of effort.
  • At least, you would have thought so. But somehow no space can be selected in that menu. Sometimes. No idea what’s going on.

Google Sheets

To use Google Sheets with Orbit One and a Google Cloud Service Account, ensure that the Google Sheets API is enabled in the project in which the Service Account was created. Moreover, ensure that the Google Cloud Service Account has been granted access to the sheets that will be used.

Google BigQuery

To use Google BigQuery with Orbit One and a Google Cloud Service Account, ensure that the Google BigQuery API is enabled in the project in which the Service Account was created. Moreover, ensure that the Google Cloud Service Account has been granted access to the BigQuery resources that will be consumed and managed in Orbit One.

2025-03-24: this is a new feature; the minimum access is still being researched. This will impact e.g. how BigQuery users can be queried and managed, until we figure out how user management is done. Same for other Entity types.

Minimum Permissions

Typically, you would grant access to the appropriate data sets through the usual Google BigQuery IAM flow. Usage with Orbit One has been tested, currently, by granting the service account:

  • The BigQuery Data Viewer role in the project in which the data is stored.

  • The BigQuery Connection User role in the project in which the data is stored.

  • The BigQuery Job User role in the project in which the data is stored (because queries are run as jobs).
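
To verify that the service account holds these three roles and nothing broader, the added example below (not Orbit One code) audits a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The sample policy, the email addresses and the function name are constructed for illustration.

```python
# Role IDs for the three roles listed above.
EXPECTED_ROLES = frozenset({
    "roles/bigquery.dataViewer",
    "roles/bigquery.connectionUser",
    "roles/bigquery.jobUser",
})
# Basic roles that go far beyond what the list above calls for.
BROAD_ROLES = frozenset({"roles/owner", "roles/editor"})

SA_EMAIL = "orbit-one@example-project.iam.gserviceaccount.com"  # constructed

# Constructed sample policy.
SAMPLE_POLICY = {"version": 3, "bindings": [
    {"role": "roles/bigquery.dataViewer",
     "members": ["user:analyst@example.com", f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/bigquery.jobUser",
     "members": [f"serviceAccount:{SA_EMAIL}"],
     "condition": {"title": "temporary",
                   "expression": 'request.time < timestamp("2026-01-01T00:00:00Z")'}},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/bigquery.connectionUser",
     "members": ["serviceAccount:other@example-project.iam.gserviceaccount.com"]},
]}

def audit_service_account(policy, sa_email, expected=EXPECTED_ROLES):
    """Compare the roles bound to one service account with the expected set."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with a condition applies only while the condition holds.
        (conditional if "condition" in binding else granted).add(binding["role"])
    held = granted | conditional
    return {
        "missing": sorted(expected - held),
        "conditional": sorted(conditional),
        "unexpected": sorted(held - expected),
        "broad": sorted(held & BROAD_ROLES),
    }

if __name__ == "__main__":
    for key, roles in audit_service_account(SAMPLE_POLICY, SA_EMAIL).items():
        print(f"{key}: {roles}")
```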
