Delegated API Access

You can use your service accounts to call public Google APIs. This is called Delegated API Access.

How does it work?

Essentially, your service account receives an OAuth token, which is then used to call the API. In other words, you go from service account keys (JSON format in the example below) to tokens.

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.sqladmin.SQLAdminScopes;
import java.io.FileInputStream;
import java.util.Collections;

// ...

// Load the service account key file and request only the Cloud SQL Admin scope.
GoogleCredential credential = GoogleCredential.fromStream(new FileInputStream("MyProject-1234.json"))
    .createScoped(Collections.singleton(SQLAdminScopes.SQLSERVICE_ADMIN));

Scope of Delegation? Domain Wide?

If you have delegated domain-wide access to the service account and you want to impersonate a user account, specify the email address of the user account with the createDelegated method of the GoogleCredential object. For example:

GoogleCredential credential = GoogleCredential.fromStream(new FileInputStream("MyProject-1234.json"))
    .createScoped(Collections.singleton(SQLAdminScopes.SQLSERVICE_ADMIN))
    .createDelegated("[email protected]");
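What the key-to-token step looks like on the wire, as an added example that is not part of the original page or of Google's client library: the signed JWT assertion a service account sends to the token endpoint, built once without and once with the "sub" claim that delegation adds. The class name, the throwaway RSA key (standing in for the private_key in the JSON file), the service account address and user@example.com are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;

public class DelegatedAssertionDemo {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // Claim set of the JWT presented to the token endpoint. A non-null subject
    // adds "sub", which is the only difference in a delegated (impersonating) request.
    static String claims(String issuer, String scope, String subject, long now) {
        String sub = subject == null ? "" : ",\"sub\":\"" + subject + "\"";
        return "{\"iss\":\"" + issuer + "\",\"scope\":\"" + scope + "\","
             + "\"aud\":\"https://oauth2.googleapis.com/token\","
             + "\"iat\":" + now + ",\"exp\":" + (now + 3600) + sub + "}";
    }

    // RS256: RSA PKCS#1 v1.5 with SHA-256 over base64url(header).base64url(claims).
    static String sign(String claimsJson, KeyPair key) throws Exception {
        String input = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64(claimsJson);
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initSign(key.getPrivate());
        rsa.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + B64URL.encodeToString(rsa.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair key = gen.generateKeyPair();  // constructed key, not a real service account key
        String sa = "demo-sa@example-project.iam.gserviceaccount.com";  // placeholder
        String scope = "https://www.googleapis.com/auth/drive";
        long now = Instant.now().getEpochSecond();
        for (String subject : new String[] {null, "user@example.com"}) {
            String json = claims(sa, scope, subject, now);
            String jwt = sign(json, key);
            System.out.println((subject == null ? "plain:     " : "delegated: ") + json);
            System.out.println("  assertion (" + jwt.length() + " chars) is POSTed with"
                + " grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer");
        }
    }
}
```

The "sub" value is chosen by whoever holds the key file, so the scopes authorized for the client ID in the Admin console are what bound the access a leaked key gives.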

Configure Domain Wide Delegation

  1. From your Google Workspace domain's Admin console, go to Main menu > Security > Access and data control > API Controls.
  2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
  3. Click Add new.
  4. In the Client ID field, enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
  5. In the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  6. Click Authorize.