How to replace the service account registered in CubeBackup.


CubeBackup uses a Google Cloud service account to authenticate to your Google Workspace. If you've accidentally removed the service account or project in Google Cloud Platform, or need to change it for security reasons, follow the step-by-step instructions below:

Step 1. Create a new service account in Google Cloud Platform.

To generate the service account key file, you can use the automatic CubeBackup Service Account Generator or create one manually in Google Cloud Platform (GCP).

The CubeBackup Service Account Generator is a script developed by the CubeBackup team utilizing Google APIs. It can help you create a new project and an associated service account in just one click.

Tips:

  1. The CubeBackup Service Account Generator performs all API requests directly in your browser, and all data transfers are strictly between your browser and Google's servers.

  2. The CubeBackup Service Account Generator is subject to the Privacy policy and Terms of services. If you have any questions, feel free to reach out to us at [email protected].

Please follow the instructions below:

  1. Click the button above.
  2. In the pop-up dialog, sign in using a Google account.

    Tip: We recommend using a Google Workspace admin account so that you can take steps to protect this project from accidental changes that could disrupt future backups.

  3. Check the Select all box to grant all necessary permissions for the CubeBackup Service Account Generator.

  4. The service account key file will be automatically downloaded to your local storage. If the download does not start properly, please click the link 'cubebackup_service-account-key.json' to manually download it.

  5. After downloading the service account key file, please return to the CubeBackup setup page, and click the Choose File button to select this JSON key file.

    Note: If you run into any errors while using this script, please try to "Manually create a service account" or contact us at [email protected].

You can also manually create a service account in Google Cloud Platform and use it in the setup wizard. Please follow the instructions below or watch the demo:


  1. Log in to Google Cloud Platform (GCP).

    Tip: We recommend using a Google Workspace admin account so that you can take steps to protect this project from accidental changes that could disrupt future backups.

  2. Create a new project. Google Cloud Console is a place to manage applications/projects based on Google APIs or Google Cloud Services. Begin by creating a new project.

    • Go to the Projects page in the Google Cloud Console.

      Tip: This page can be opened by either clicking the above link or selecting IAM & admin > Manage resources in the navigation menu. The navigation menu slides out from the left of the screen when you click the main menu icon in the upper left corner of the page.

    • Click CREATE PROJECT.

    • In the New Project page, enter "CubeBackup" as the project name and click CREATE.

      You can leave the Location and Organisation fields unchanged. They have no effect on this project.

    • The creation of the project may take one or two minutes. After the project has been created, click the newly created project in the Notifications dialog to make it the active project in your dashboard (you can also select your newly created project in the project drop-down list at the top of the page to make it the active project).

      Note: Please make sure this project is the currently active project in your console before continuing!

  3. Enable Google APIs.

    • Now open the API Library page by selecting APIs & services > Library from the navigation menu.
    • Search for Google Drive API, then on the Google Drive API page, click ENABLE (Any "Create Credentials" warning message can be ignored, because service account credentials will be created in the next step).
    • Next, go back to the API Library page and follow the same steps to enable Google Calendar API, Gmail API, Admin SDK API, and Google People API.
      > To check whether all necessary APIs have been enabled, please select APIs & Services > Dashboard from the navigation menu, and make sure Admin SDK API, Gmail API, Google Calendar API, Google Drive API and People API are all included in the API list.

  4. Create a Service account.

    • Select IAM & Admin > Service Accounts in the navigation menu.
    • Click +CREATE SERVICE ACCOUNT.
    • In the Service account details step, enter a name for the service account (e.g., cubebackup) and click CREATE AND CONTINUE.
    • In the second step, select "Basic" > "Owner" (or "Project" > "Owner") as the Role, then click CONTINUE.
    • Click DONE directly in the Grant users access to this service account step.
    • On the Service accounts page, click directly on the service account you just created (Don't just check the box, click the email link). This should take you to the Service account details page.
    • Select the KEYS tab of the service account.
    • Click ADD KEY > Create new key.
    • Select JSON as the key type, then click CREATE.
    • Close the dialog that pops up and save the generated JSON key file locally (This file will be used as the service account key in CubeBackup's configuration wizard).

  5. Return to the CubeBackup setup page. After the Service account key file has been generated and downloaded to your local computer, click the Choose File button to select the JSON key file generated in the last step.

For Google Cloud storage users, please be sure to follow the steps below to assign the new service account permissions to access your Google Cloud Storage bucket. For on-premises or other cloud storage users, you can skip to Step 2 directly.

  1. Go to the IAM page in the Google Cloud Console.
  2. In the project dropdown menu at the top of the page, make sure to select the project where your Google Cloud storage bucket is located, and make it the active project.
  3. Click the + GRANT ACCESS button. A Grant access to ... dialog will slide out from the right.
  4. Copy the email address of this newly-created service account. You can find it by opening the service account key file in a text editor and copying the value of the "client_email" field.
  5. Paste the service account email address into the New principals textbox.
  6. In the Select a role field, search for Storage Object User and select it as the assigned role.
  7. Click SAVE.

Step 2. Authorize the service account in the Google Admin console.

After the service account has been created, it needs to be authorized to access your Google Workspace data through Google APIs. Please follow the instructions below or watch the demo.

All operations in this step must be performed by an administrator of your Google Workspace domain.

  • Open the service account JSON key file using a text editor and copy the value of the client_id field.
  • Sign in to the Google Admin console using an administrator account in your domain.
  • From the main menu in the top-left corner, select Security > Access and data control > API controls.
  • Click MANAGE DOMAIN WIDE DELEGATION in the "Domain wide delegation" section.
  • In the Domain-wide Delegation page, click Add new.
  • In the Client ID field, enter the service account's Client ID copied from the service account key file.
  • In the OAuth Scopes field, copy and paste this list of scopes:

    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
    https://mail.google.com/,
    https://www.googleapis.com/auth/drive,
    https://www.googleapis.com/auth/calendar,
    https://www.googleapis.com/auth/contacts, 
    https://sites.google.com/feeds/ 
  • Click AUTHORIZE.

  • If the CubeBackup instance manages multiple Google Workspaces simultaneously, please repeat the steps above for all domains under your control.

Step 3. Replace the service account key file

  • Rename the newly-generated service account key file as jwt.json.
  • Replace the service account key file <installation directory>/db/jwt.json on the CubeBackup server with the newly-created one.

    By default, the installation directory is C:\Program Files\CubeBackup4 on Windows, and /opt/cubebackup on Linux.

  • For Linux and Docker users, please change the ownership of this new service account key file to cbuser.

    sudo chown cbuser:cbuser /opt/cubebackup/db/jwt.json
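
A pre-flight check for the key file before and after it replaces jwt.json, as an added example (not CubeBackup's own code): it confirms the file is a well-formed service account key, returns the client_id and client_email that Steps 1 and 2 ask you to copy, and flags file permissions wider than the owner. The owner-only (0600) expectation is an assumption of this example rather than a requirement stated on this page, and the sample key is constructed.

```python
import json
import os
import stat
import tempfile

# Constructed sample for a dry run; not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "cubebackup-example",
    "private_key_id": "0000aaaa",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cubebackup@cubebackup-example.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
}
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id")


def check_key_file(path):
    """Return (identifiers without the secret, problems) for a key file."""
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    problems = [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    # Assumption: the key is a long-lived credential, so expect owner-only access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"mode {mode:03o} allows access beyond the owner")
    return {f: v for f, v in key.items() if f != "private_key"}, problems


def write_sample(path, mode=0o600, **overrides):
    """Write the constructed sample key, with optional field overrides."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({**SAMPLE_KEY, **overrides}, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        new = write_sample(os.path.join(tmp, "new.json"), mode=0o644)
        info, problems = check_key_file(new)
        print(info["client_id"], info["client_email"], problems)
```

On the CubeBackup server, run check_key_file against the downloaded file before renaming it, and again against <installation directory>/db/jwt.json after the chown.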

Step 4. Restart the CubeBackup service

Restart the CubeBackup service using the command for your platform.

On Linux, run this command.

sudo /opt/cubebackup/bin/cbsrv restart

Open a Command Prompt as Administrator, and run this command.

"C:\Program Files\CubeBackup4\bin\cbsrv.exe" restart

Open the Windows PowerShell as Administrator, and run this command.

& "C:\Program Files\CubeBackup4\bin\cbsrv.exe" restart

For Docker, run this command to restart the container.

sudo docker restart <container-name>

Step 5. Confirm that everything is operating correctly

CubeBackup should now work with the new service account. You should perform a test restore and backup to confirm that everything is operating correctly.

If you need additional assistance, please do not hesitate to contact [email protected].