Table of contents > Initial configuration

CubeBackup uses Google’s OAuth 2.0 for authorization. To authorize domain-wide data access for a desktop application, an OAuth 2.0 Service account must be employed. Please follow the steps below carefully.

You can find more information about OAuth 2.0 Service accounts here: Using OAuth 2.0 for Server to Server Applications.

Step 1: Input G Suite domain information.

Enter your G Suite domain name and the corresponding administrator account, then click Next.

Step 2: Service account setup.

Based on Google's security policy, third party Apps can only be authorized to access G Suite data through OAuth2.0.

To create an OAuth 2.0 service account:

1. Log in to Google Developers Console .
Google Developers Console does not require an administrator account. A personal Google account, such as myname@mycompany.com, or myname@gmail.com is just fine.

2. Create a new project named "CubeBackup".
Google Developers Console is a place to manage applications/projects based on Google APIs or Google Cloud Services. Now begin by creating a new project.

  • Go to Projects page in Google Developers Console. This page can be opened by either clicking this link or selecting IAM & admin -> Manage resources in the main menu.
    Note: The main menu slides out from the left of the screen when you click the icon in the upper left corner of the page.
  • Click CREATE PROJECT.
  • In the New Project page, enter "CubeBackup" as the project name and click CREATE.
    Note: You can leave the Location and Organisation fields unchanged. They have no effect on this project.

3. Enable Google APIs.
The creation of the project may take one or two minutes. After the project has been created, click the newly created project in the project list, and it will become the selected one in your dashboard.
Note: Please make sure this project is the currently active project in your console before continuing! (The name of the currently active project is shown at the upper left corner of the page.)

Now open APIs & services -> Library page from the main menu, select Google Drive API from the G Suite group. On the next page, click ENABLE (If there is any "Create Credentials" message, just ignore it, because service account credentials will be created in the next step). Then go back to Google API Library page, follow the same steps to enable Google Calendar API, Gmail API, Admin SDK, and Contacts API (This API might be located in the Social Group) .

4. Create a Service account.

  • Click IAM & Admin in the main menu.
  • Select the Service accounts in the left panel.
  • Click CREATE SERVICE ACCOUNT.
  • In the Service account details step, enter a name for the service account (e.g., cubebackup), and click CREATE.
  • In the Service account permissions step, select "Project"->"Owner" as the Role, then click CONTINUE.
  • In the Grant users access to this service account step, click +CREATE KEY.
  • Select P12 as the key type, then click CREATE
  • Save the generated ".P12" file locally.
  • Click DONE.
  • In the Service accounts page, click on the service account you just created (Don't just select the service account, click the email link). This should take you to the Service account details page.
  • In the Service account details page, expand SHOW DOMAIN-WIDE DELEGATION, click EDIT, check Enable G Suite Domain-wide Delegation. If you are asked, enter "CubeBackup" as the product name for the consent screen.
  • Click SAVE.
    Note: Keep this page open. The "Unique ID" and "Email" of the Service account will be used in the next step.


5. Enter service account information into CubeBackup Wizard.
Copy and paste the Service Account's unique ID and email address into the CubeBackup wizard. Be sure to include the .P12 key file that was generated earlier. Finally, click "Next".


Step 3: Delegate domain-wide authority to the service account.

The operations in this step must be performed by an administrator of your G Suite domain.

1. Log in to your G Suite domain's Admin console (https://admin.google.com) using a domain administrator account.

2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.

3. Select API reference, and make sure Enable API access is checked.

4. Select Advanced settings and then click Manage API client access in the Authentication section.

5. In the Client Name field enter the service account's unique client ID.
Note: The service account's "Unique ID" (e.g.,104544540989434), NOT its email should be entered here.

6. In the One or More API Scopes field, copy and paste the list of scopes:

https://mail.google.com, https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar, https://www.google.com/m8/feeds, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.orgunit.readonly

7. Click Authorize.


8. CubeBackup now has the authority to make API calls in your domain. Return to the CubeBackup setup wizard, and click the Test button. If the test is successful, click Next.


Note: If you have carefully followed all instructions, but the Test still failed with the message "G Suite authorization failed! Please check your input and settings", please refer to this post.

Step 4: Select users to backup.

Now you will be prompted to select the user accounts to back up. You may select them all, or any subset, depending on your needs or the storage space available.

Step 5: Additional configuration.

Select which data services to back up. Currently, CubeBackup supports Google Drive, Gmail, Google Calendar, and Google Contacts.
You can also choose the backup interval (daily, every 2 days, weekly, monthly) and schedule the time of day backups will run.
Finally, specify the location for the backup files. Because the data for each G Suite user can be tens of Gigabytes, please ensure there is sufficient disk space available.