Credentials
google
Google Service Account

Google: Service Account

Using service accounts is more complex than OAuth2. Before you begin:

Prerequisites

Set up Service Account

There are four steps to connecting your n8n credential to a Google Service Account:

  1. Create a Google Cloud Console project.
  2. Enable APIs.
  3. Set up Google Cloud Service Account.
  4. Finish your n8n credential.

Create a Google Cloud Console project

First, create a Google Cloud Console project. If you already have a project, jump to the next section:

Enable APIs

With your project created, enable the APIs you'll need access to:

Set up Google Cloud Service Account

  1. Access your Google Cloud Console - Library (opens in a new tab). Make sure you're in the correct project.

    The project dropdown in the Google Cloud top navigation

    Check the project dropdown in the Google Cloud top navigation

  2. Open the left navigation menu and go to APIs & Services > Credentials. Google takes you to your Credentials page.

  3. Select + Create credentials > Service account.

  4. Enter a name in Service account name and an ID in Service account ID. Refer to Creating a service account (opens in a new tab) for more information.

  5. Select Create and continue.

  6. Based on your use-case, you may want to Select a role and Grant users access to this service account using the corresponding sections.

  7. Select Done.

  8. Select your newly created service account under the Service Accounts section. Open the Keys tab.

  9. Select Add key > Create new key.

  10. In the modal that appears, select JSON, then select CREATE. Google saves the file to your computer.

Finish your n8n credential

With the Google project and credentials fully configured, finish the n8n credential:

  1. Open the downloaded JSON file.
  2. Copy the client_email and enter it in your n8n credential as the Service Account Email.
  3. Copy the private_key. Don't include the surrounding " marks. Enter this as the Private Key in your n8n credential.
⚠️

Older versions of n8n: If you're running an n8n version older than 0.156.0, replace all instances of \n in the JSON file with new lines.

  1. Optional: Choose if you want to Impersonate a User (opens in a new tab) (turned on).
    1. To use this option, you must Enable domain-wide delegation for the service account as a Google Workspace super admin.
    2. Enter the Email of the user you want to impersonate.
  2. If you plan to use this credential with the HTTP Request node, turn on Set up for use in HTTP Request node.
    1. With this setting turned on, you'll need to add Scope(s) for the node. n8n prepopulates some scopes. Refer to OAuth 2.0 Scopes for Google APIs (opens in a new tab) for more information.
  3. Save your credentials.

Video

Troubleshooting

Service Account can't access Google Drive files

/// danger | No access to my drive Google no longer allows Service Accounts created after April 15, 2025 to access my drive. Service Accounts now only have access to shared drives.

While not recommended, if you need to use a Service Account to access my drive, you can do so by enabling domain-wide delegation. You can learn more in this post in the community (opens in a new tab). ///

A Service Account can't access Google Drive files and folders that weren't shared with its associated user email.

  1. Access your Google Cloud Console (opens in a new tab) and copy your Service Account email.
  2. Access your Google Drive (opens in a new tab) and go to the designated file or folder.
  3. Right-click on the file or folder and select Share.
  4. Paste your Service Account email into Add People and groups.
  5. Select Editor for read-write access or Viewer for read-only access.

Enable domain-wide delegation

To impersonate a user with a service account, you must enable domain-wide delegation for the service account.

⚠️

Not recommended: Google recommends you avoid using domain-wide delegation (opens in a new tab), as it allows impersonation of any user (including super admins) and can pose a security risk.

To delegate domain-wide authority to a service account, you must be a super administrator for the Google Workspace domain. Then:

  1. From your Google Workspace domain's Admin console (opens in a new tab), select the hamburger menu, then select Security > Access and data control > API Controls.
  2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
  3. Select Add new.
  4. In the Client ID field, enter the service account's Client ID. To get the Client ID:
    • Open your Google Cloud Console project, then open the Service Accounts (opens in a new tab) page.
    • Copy the OAuth 2 Client ID and use this as the Client ID for the Domain Wide Delegation.
  5. In the OAuth scopes field, enter a list of comma-separate scopes to grant your application access. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
  6. Select Authorize.

It can take from 5 minutes up to 24 hours before you can impersonate all users in your Workspace.

Google OAuth2 single serviceOverview