Prisma Access Browser
Cloud Provider - Google Drive
Table of Contents
Cloud Provider - Google Drive
This document contains the directions for integrating Google Drive as the cloud
provider
Google Drive Prerequisites
These are the prerequisites for configuring Google Drive as your cloud provider:
- Super Admin role in the Google Workspace Admin Console.
- Role on a Google Cloud Platform (GCP) project. You need one of the following
toles:
- Service Account Creator (roles/iam.serviceAccountCreator)
- Service Account Key Admin (roles/iam.serviceAccountKeyAdmin)
- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
- Project Editor role (roles/editor)
End users require a valid Google Workspace License. The supported SKUs include:
- Google Workspace Business Starter
- Google Workspace Business Standard
- Google Workspace Business Plus
- Google Workspace Enterprise Standard
- Google Workspace Enterprise Plus
Configuring Microsoft OneDrive as the Cloud Provider
This document outlines the steps required to onboard Google Drive as a cloud
Storage Provider for use with Prisma Access Browser’s Save to Cloud feature.
This process involves configuring access through Google Cloud Platform (GCP) and
delegating domain-wide authority in the Google Workspace Admin Console.
- Enable the Google Drive API in GCP.
- Open a browser tab and navigate to the Google Cloud Console.Select or create a project that will be used for the integration.In the left side menu, go to APIs & Services → Enabled APIs and Services.Click Enable APIs & Services.
![]()
Select Google Drive API and click Enable on the details page.![]()
Create a Service Account.- In the Google Cloud Console, go to the project you selected in the previous step.Navigate to IAM & Admin and select Service Accounts.Click + Create service account.
- Enter a Service account name. This name will be displayed in the Google Cloud Console.
- Click Create and continue to generate the Service account ID. You can edit it, if needed.
- Optionally, enter a Service Account description.
- Click Done.
![]()
Continue through the steps until the service account is created.Generate a Private Key (JSON)- Locate your newly-created service account in the list.Click the More (⋮) icon under the Actions field, and select Manage Keys.
![]()
Click ADD KEY → Create new key.![]()
Choose JSON as the key type and click Create.![]()
The system downloads a private key file to your computer. Store this file securely; it authenticates the service account.Retrieve the Client ID- Go back to the Service Accounts page in the Cloud Console.Click the name of your service account to open its details.Under the Details tab, locate the Client ID and copy it. You will use this in the next step.
![]()
Delegate Domain-Wide Authority in Google Workspace.- Open a browser and navigate to theGoogle Admin Console.Sign in using a Super Admin account.From the left-hand menu, go to Security → API Controls.Scroll to the Domain-wide delegation section and click Manage Domain Wide Delegation.
![]()
Click Add new to add a new Client ID.In the Client ID field, paste the ID you copied from your service account.In the OAuth Scopes field (comma-delimited), enter the following scopes:- https://www.googleapis.com/auth/drive.file
- https://www.googleapis.com/auth/drive.metadata.readonly
These scopes allow the service account to access and manage Google Drive files on behalf of users within the domain.![]()
Click Authorize to complete the delegation process.Why are the Scopes required?These scopes adhere to the principle of least privilege, ensuring the application only has the permissions required to perform its core functions — securing connections and managing file downloads effectively to the organizational cloud.These scopes allow the service account to access and manage Drive files on behalf of users within the domain.drive.metadata.readonly Used to list folders in the user's drive drive.file Used to upload files to the user's drive By using domain-wide delegation, Prisma Access Browser can upload files to an end-user's Google Drive without any user interaction. This process leverages the user's browser sign-in context, eliminating the need for them to be actively signed into Google.For security, Prisma Access Browser uses a short-lived access token to upload files to Google Drive. This token is created only when a file download triggers a matching cloud storage rule and is strictly scoped to the signed-in user, which prevents extensive access.Create the integration with the Prisma Access Browser Console.- Go to the Prisma Access Browser admin console and select Integrations.Select Cloud Storage.Click on either +add provider or Connect your first provider.
![]()
Select Google.Insert a descriptive name for connection; for example, your Google tenant name.Upload the JSON file.Enter an email to verify permissions.- This step secures your organization’s data and enhances user productivity by integrating with your managed cloud storage services. Instead of allowing direct file downloads to user devices, our 'Save to Cloud' feature automatically redirects them to your organization’s cloud storage.This method ensures that you can enforce your data protection policies and give users seamless access to their files across all their devices, which supports better collaboration and a smoother workflow.
- To ensure that you have configured the permissions correctly, you must use the email of an active, licensed user in your organization. The system uses this email solely for a permissions check; it will not send emails or upload any files to the account.
Click Test provider connection to verify the connection with Google.Once the test is successful, click Add Provider.
