Vertex AI Search — Drive and Gmail Data Stores Return Zero Results (Calendar Works)

Google Cloud Build with AI Agents
1

Vertex AI Search — Drive and Gmail Data Stores Return Zero Results (Calendar Works)

Hi everyone,

I’m hoping someone from Google or the community can help with an issue I’ve been stuck on for a while. I’ve exhausted every configuration option I can find in the documentation.

The Problem

I have a Vertex AI Search custom search app (created via AI Applications, pay-as-you-go — not Gemini Enterprise per-seat) with four connected Google Workspace data stores: Calendar, Groups, Drive, and Gmail. All four data stores show Active status.

Calendar and Groups return results correctly. Drive and Gmail return zero results.

This happens in both the internal Preview UI and when querying the Discovery Engine API directly via Cloud Shell. There are no errors anywhere — not in the API response, not in Cloud Logging. The API returns HTTP 200 with an empty results array:

{
  "attributionToken": "...",
  "guidedSearchResult": {},
  "summary": {},
  "queryExpansionInfo": {},
  "semanticState": "DISABLED"
}

When I attempt ListDocuments on the Drive data store, I get the expected "ListDocuments is not available for an acled datastore" — confirming the data store is recognized as access-controlled. But searches return nothing.

What I’ve Verified

I’ve methodically worked through every configuration item in both the Vertex AI Search and Gemini Enterprise connector documentation:

Identity & Authentication

  • Google Identity configured as the identity provider for all three locations (global, us, eu) in AI Applications → Settings → Authentication

  • Authenticated with a managed Google Workspace account (not a consumer @gmail.com)

  • User is Workspace super admin and GCP Project Owner

APIs Enabled

  • Google Drive API, Gmail API, Google Calendar API, People API, Discovery Engine API, Vertex AI API — all enabled

OAuth Configuration

  • OAuth 2.0 Web Application client created

  • Gmail data store was created with OAuth client ID and secret verified (“Verify Auth” succeeded with green checkmark during data store creation)

  • Drive data store creation flow did not prompt for OAuth credentials (appears to be by design)

  • OAuth consent screen configured with required scopes

  • Authorized redirect URIs include https://vertexaisearch.cloud.google.com/oauth-redirect

Domain-Wide Delegation (Admin Console → Security → API Controls)

  • OAuth client delegated with scopes: drive.readonly, gmail.readonly, calendar.readonly, contacts.readonly

  • The pre-existing “Google Workspace Data Migration Service” client has calendar scope (which may explain why Calendar works); attempted to add drive.readonly, gmail.readonly, contacts.readonly to this entry as well

Google Workspace Admin Settings

  • Smart features in Gmail, Chat, and Meet: ON

  • Smart features in Google Workspace services: ON

  • Smart features in other Google products: ON

  • Workspace access to Cloud Platform apps: ON for all users

App Configuration

  • Enterprise edition features: Enabled

  • Generative Responses: Enabled

  • Search type: Search with an answer

  • All four data stores connected and showing Active status

What I’ve Tried

  1. Enabled People API (was initially missing)

  2. Added OAuth scopes to consent screen (was initially empty)

  3. Deleted and recreated both Drive and Gmail data stores

  4. Recreated Gmail data store with OAuth “Verify Auth” step completed successfully

  5. Updated Domain-Wide Delegation with Drive/Gmail/Calendar/Contacts scopes for multiple client entries

  6. Verified all smart features, Workspace access, and identity provider settings

  7. Waited several hours for propagation after each change

  8. Tested via Preview UI, Cloud Shell API calls, and an external search widget

None of these resolved the issue.

Key Observations

  1. Calendar works, Drive and Gmail do not — Calendar appears to use a real-time API passthrough that works with existing delegation. Drive and Gmail seem to use a different authentication chain that is failing silently.

  2. Completely silent failure — No errors in Cloud Logging, no errors in the API response. The service simply returns zero results for Drive/Gmail as if no data exists.

  3. Cannot identify the Discovery Engine service agent’s numeric Client ID — The service account service-<PROJECT_NUMBER>@gcp-sa-discoveryengine.iam.gserviceaccount.com exists in IAM but returns 403/404 when queried via API and does not appear in gcloud iam service-accounts list. I cannot determine if this agent needs its own Domain-Wide Delegation entry or what Client ID to use.

  4. Similar reports from other users — I found a thread on this forum from October 2025 titled “Vertex AI DataStore unable to Index Google Drive Shared Drive” describing the identical symptom. The suggested resolution was to contact Google Cloud support for backend investigation.

Questions for Google

  1. Does the Discovery Engine service agent require Domain-Wide Delegation to query Drive and Gmail APIs on behalf of Workspace users? If so, what is its numeric OAuth 2 Client ID? (It’s not queryable via standard IAM APIs.)

  2. Do Vertex AI Search (AI Applications, pay-as-you-go) Workspace data connectors for Drive and Gmail require any additional licensing, entitlements, or backend enablement beyond what is documented?

  3. Is there a known issue with Drive/Gmail connectors in the “us” region? Would recreating the data stores in “global” resolve this?

  4. Is there any additional Workspace admin setting or GCP IAM role that needs to be configured for the Discovery Engine service agent to access Drive and Gmail data?

Any help would be greatly appreciated. Happy to provide additional details, screenshots, or logs.

Thanks, Matt