How to replace the service account registered in CubeBackup.


CubeBackup uses a Google Cloud service account as its credential for communicating with your Google Workspace. If you've accidentally removed the service account or project in Google Cloud Platform, or need to change it for security reasons, please follow the step-by-step instructions below:

Step 1. Create a new service account in Google Cloud Platform.

Note: If you are currently using Google Cloud storage, please be sure to create the service account in the same project where your cloud storage bucket is located.

a. Log in to Google Cloud Console.

Google Cloud Console does not require an administrator account. A personal Google account, such as [email protected], or [email protected] is just fine.

b. Create a new project.

Google Cloud Console is a place to manage applications/projects based on Google APIs or Google Cloud Services. Begin by creating a new project. You can also select an existing one as the active project and skip directly to c. Enable Google APIs.

  • Go to the Projects page in the Google Cloud Console.

    Tip: This page can be opened by either clicking the above link or selecting IAM & admin > Manage resources in the navigation menu. The navigation menu slides out from the left of the screen when you click the main menu icon in the upper left corner of the page.

  • Click CREATE PROJECT.

  • In the New Project page, enter CubeBackup as the project name and click CREATE.

    You can leave the Location and Organisation fields unchanged. They have no effect on this project.

  • The creation of the project may take one or two minutes. After the project has been created, click the newly created project in the Notifications dialog to make it the active project in your dashboard (you can also select your newly created project in the project drop-down list at the top of the page to make it the active project).

    Note: Please make sure this project is the currently active project in your console before continuing!

c. Enable Google APIs.

  • Now open the API Library page by selecting APIs & services > Library from the navigation menu.
  • Search for Google Drive API, then on the Google Drive API page, click ENABLE (Any "Create Credentials" warning message can be ignored, because service account credentials will be created in the next step).
  • Next, go back to the API Library page and follow the same steps to enable Google Calendar API, Gmail API, Admin SDK API, and Google People API.

    To check whether all necessary APIs have been enabled, please select APIs & Services > Dashboard from the navigation menu, and make sure Admin SDK API, Gmail API, Google Calendar API, Google Drive API and People API are all included in the API list.

d. Create a Service account.

  • Select IAM & Admin > Service Accounts in the navigation menu.
  • Click +CREATE SERVICE ACCOUNT.
  • In the Service account details step, enter a name for the service account (e.g., cubebackup) and click CREATE AND CONTINUE.
  • In the second step, select "Basic" > "Owner" (or "Project" > "Owner") as the Role, then click CONTINUE.
  • Click DONE directly in the Grant users access to this service account step.
  • On the Service accounts page, click directly on the service account you just created (Don't just check the box, click the email link). This should take you to the Service account details page.
  • Select the KEYS tab of the service account.
  • Click ADD KEY > Create new key.
  • Select JSON as the key type, then click CREATE.
  • Close the dialog that pops up and save the generated JSON key file locally.

Step 2. Authorize the service account in the Google Admin console.

The newly created service account must now be authorized to access your Google Workspace data through Google APIs. Please follow the instructions below or watch the demo.

All operations in this step must be performed by an administrator of your Google Workspace domain.

  • Open the service account JSON key file using a text editor and copy the value of the client_id field.
  • Sign in to the Google Admin console using an administrator account in your domain.
  • From the main menu in the top-left corner, select Security > Access and data control > API controls.
  • Click MANAGE DOMAIN WIDE DELEGATION in the "Domain wide delegation" section.
  • In the Domain-wide Delegation page, click Add new.
  • In the Client ID field, enter the service account's Client ID copied from the service account key file.
  • In the OAuth Scopes field, copy and paste this list of scopes:

    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
    https://mail.google.com/,
    https://www.googleapis.com/auth/drive,
    https://www.googleapis.com/auth/calendar,
    https://www.googleapis.com/auth/contacts,
    https://sites.google.com/feeds/

  • Click AUTHORIZE.

  • If the CubeBackup instance manages multiple Google Workspaces simultaneously, please repeat the above steps for all domains under your control.

Step 3. Replace the service account key file

  • Rename the newly generated service account key file to jwt.json.
  • Replace the service account key file <installation directory>/db/jwt.json on the CubeBackup server with the newly-created one.

    By default, the installation directory is C:\Program Files\CubeBackup4 on Windows, and /opt/cubebackup on Linux.
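
The following script is an added example, not part of CubeBackup or its documentation: it checks that the downloaded file really is a service account key from the intended project, returns the client_id to compare against the one authorized in Step 2, and swaps it into db/jwt.json atomically with owner-only permissions. The function names, the sample key and the 0600 mode are assumptions of this example; the field names are those of a standard Google service account JSON key.

```python
import json
import os
import tempfile
from pathlib import Path

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email", "client_id")
# Constructed sample key for demo(); not a real credential.
SAMPLE_KEY = {"type": "service_account", "project_id": "cubebackup-example",
              "private_key_id": "constructed-key-id", "client_id": "100000000000000000001",
              "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
              "client_email": "cubebackup@cubebackup-example.iam.gserviceaccount.com"}

def validate_key(path):
    """Parse a downloaded key file; raise ValueError if it is not a usable key."""
    # Malformed JSON raises json.JSONDecodeError, which is a ValueError.
    key = json.loads(Path(path).read_text(encoding="utf-8"))
    missing = [f for f in REQUIRED if not (isinstance(key, dict) and key.get(f))]
    if missing:
        raise ValueError(f"{path}: missing fields {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"{path}: type {key['type']!r} is not a service account key")
    return key

def install_key(new_key_path, install_dir, expected_project=None):
    """Validate the new key, then atomically replace <install_dir>/db/jwt.json."""
    key = validate_key(new_key_path)
    if expected_project and key["project_id"] != expected_project:
        raise ValueError(f"key is from project {key['project_id']!r}, expected {expected_project!r}")
    target = Path(install_dir) / "db" / "jwt.json"
    try:  # remember which key is being retired so it can be found in Cloud Console
        old_id = json.loads(target.read_text(encoding="utf-8")).get("private_key_id")
    except (OSError, ValueError, AttributeError):
        old_id = None  # no previous key file, or it was unreadable
    tmp = target.with_name("jwt.json.new")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        json.dump(key, out, indent=2)
    os.chmod(tmp, 0o600)      # owner-only, even if a stale temp file pre-existed
    os.replace(tmp, target)   # atomic swap: the service never reads a partial file
    return {"client_id": key["client_id"], "replaced_key_id": old_id}

def demo():
    with tempfile.TemporaryDirectory() as d:  # stands in for the installation directory
        (Path(d) / "db").mkdir()
        new = Path(d) / "downloaded-key.json"
        new.write_text(json.dumps(SAMPLE_KEY), encoding="utf-8")
        return install_key(new, d, expected_project="cubebackup-example")

if __name__ == "__main__":
    print(demo())
```

Run install_key as the account that owns the existing jwt.json, so that the CubeBackup service can still read the file after the swap.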

Step 4. Restart the CubeBackup service

On Linux:

 sudo /opt/cubebackup/bin/cbsrv restart

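On Windows: Open the Command Prompt as Administrator and run the command below. In Windows PowerShell (also run as Administrator), place the call operator & in front of the quoted path, otherwise PowerShell treats it as a string rather than a command.

 "C:\Program Files\CubeBackup4\bin\cbsrv.exe" restart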

In Docker container:

 sudo docker restart <container-name>

Step 5. Confirm that everything is operating correctly

CubeBackup should now work with the new service account. You should perform a test restore and backup to confirm that everything is operating correctly.

If you need additional assistance, please do not hesitate to contact [email protected].