Fishbowl
Browse documentation

Google Workspace: Service Account (Application Credentials)

This method uses a Google Cloud service account with domain-wide delegation to access room calendars. Credentials are entered once during device linking and encrypted for each device. No interactive sign-in is required on the device itself.

You will need access to the Google Cloud Console and the Google Admin Console with Super Admin privileges.

  1. Create a Google Cloud project
  2. Create a service account
  3. Enable the Google Calendar API
  4. Grant domain-wide delegation
  5. Create a service account key
  6. Configure Fishbowl

Before starting, make sure you have Calendar resources set up. See Google Workspace Configuration for instructions.

1. Create a Google Cloud project

If you already have a Google Cloud project, you can skip this step.

  1. Go to the Google Cloud Console.
  2. Click the project dropdown at the top of the page and click New Project.
  3. Enter a project name (e.g. "Fishbowl") and click Create.
  4. Make sure the new project is selected in the project dropdown.

2. Create a service account

  1. In the Google Cloud Console, navigate to IAM & Admin > Service Accounts.
  2. Click + Create Service Account.
  3. Enter a name (e.g. "Fishbowl Calendar Access") and an optional description.
  4. Click Create and Continue.
  5. You can skip the optional "Grant this service account access to project" and "Grant users access to this service account" steps. Click Done.
  6. On the Service Accounts list, note the email address of the service account you just created (e.g. [email protected]). You will need this in a later step.

3. Enable the Google Calendar API

  1. In the Google Cloud Console, navigate to APIs & Services > Library.
  2. Search for "Google Calendar API".
  3. Click on Google Calendar API and then click Enable.

4. Grant domain-wide delegation

This step authorises the service account to access calendars in your Google Workspace domain.

  1. In the Google Cloud Console, go to IAM & Admin > Service Accounts.
  2. Click on the service account you created.
  3. Click on Advanced settings or go to the Details tab. Find and copy the Client ID (a numeric value).
  4. Open the Google Admin Console in a new tab.
  5. Navigate to Security > Access and data control > API controls.
  6. Click Manage Domain Wide Delegation.
  7. Click Add new.
  8. In the Client ID field, paste the Client ID you copied from the service account.
  9. In the OAuth scopes field, enter: https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/calendar.events
  10. Click Authorize.

5. Create a service account key

  1. Go back to the Google Cloud Console.
  2. Navigate to IAM & Admin > Service Accounts.
  3. Click on the service account you created.
  4. Go to the Keys tab.
  5. Click Add Key > Create new key.
  6. Select JSON as the key type and click Create.
  7. A JSON file will be downloaded. Keep this file safe. It contains the private key that grants access to your calendars and cannot be downloaded again.

6. Configure Fishbowl

  1. When linking devices on the Fishbowl web dashboard, select Google as the calendar type.
  2. Select Service Account as the authentication method.
  3. Enter an impersonation account. This is the email address of any user in your Google Workspace domain with appropriate read and write permissions. We recommend creating a user for Fishbowl specifically. The service account will impersonate this user to access room calendars.
  4. Paste the contents of the JSON key file you downloaded in the previous step.
  5. For each device, enter the Calendar ID of the room resource. You can find this in the Google Admin Console under Apps > Google Workspace > Calendar > Resources, or in Google Calendar by opening the resource calendar's settings and looking for the "Calendar ID" field (it usually looks like [email protected]).