Google Workspace Events Subscription Not Working with Service Account

Google Workspace Developers Q&A
,
1

I’m currently implementing a Google Workspace Events API subscription for Google Drive events.

When I create the subscription using OAuth credentials (user-based authentication), the subscription is created successfully and events are delivered as expected.

However, when I attempt to create the same subscription using a Service Account, the subscription either:

  • Gets created but does not receive any events, or

  • Fails during creation (depending on configuration)

The only difference between the two implementations is the authentication method:

  • OAuth (authorized as a Workspace user) - Works

  • Service Account - Does not work

The Service Account has:

  • Google Drive API enabled

  • Required IAM roles configured

  • Proper access to the target Drive (including shared drive access)

My understanding is that Google Workspace Events may require a user context rather than an application/service identity, but I haven’t found clear documentation confirming whether Service Accounts are officially supported for creating Workspace Events subscriptions.

Has anyone successfully created a Google Workspace Events subscription using a Service Account (with or without domain-wide delegation)?
Are there additional requirements or limitations I might be missing?

Any clarification or documentation references would be greatly appreciated.

1 Like
2

Hi @seph1roth Google Workspace Events subscriptions for Drive generally require a real user context. That is why it works with OAuth user credentials and not with a plain Service Account.

A Service Account by itself is not a Workspace user and does not have its own Drive activity context. Even if it has API enabled and IAM roles configured, it will not receive Drive events unless it is impersonating a user through Domain Wide Delegation. In most cases, Workspace Events subscriptions must be created on behalf of a specific user, because events are tied to that user’s data and permissions.

If you want to use a Service Account, you usually need to enable Domain Wide Delegation in Google Workspace Admin, grant the required OAuth scopes, and then impersonate a real Workspace user when creating the subscription. The subscription must be created with the delegated user identity, not the raw Service Account identity.

If you are not using Domain Wide Delegation, then Service Accounts are effectively not supported for this use case. The recommended approach is to create the subscription using OAuth or to properly configure delegation and impersonation.

1 Like
3

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.