Connect your Google Cloud Platform project and Google Workspace to Capsule Security for complete visibility into your organization's Gemini Enterprise AI agents, conversations, and usage.

This integration connects to your Google Cloud Platform project and Google Workspace to provide complete visibility into your organization's Gemini Enterprise AI agents, user conversations, and usage patterns. The integration automatically discovers and syncs shared organizational agents, personal user agents, conversation sessions, and associated data sources.
Before you begin, ensure you have:
- Google Cloud Platform project with Gemini Enterprise (Discovery Engine) configured
- Google Workspace domain associated with the project
- Editor or Owner role on the GCP project
  - Required to enable APIs during installation
  - Required to grant IAM permissions to Capsule's service account
- Google Workspace Admin access
  - Required to configure domain-wide delegation
  - Must be Super Admin or have delegated admin permissions for API access
The installation process consists of two main steps:
- Configure Domain-Wide Delegation (Google Workspace Admin Console) — This can be done in advance as a prerequisite
- Connect via Capsule Portal (OAuth authorization) — Automated setup that enables APIs and grants permissions
Domain-wide delegation allows Capsule's service account to access Google Workspace data on behalf of users in your organization. This step can be completed in advance before installing the integration in Capsule.
Capsule needs to:
- List users in your Google Workspace to discover who has Gemini Enterprise access
- Fetch session data for all users to provide complete visibility
- Access Discovery Engine resources across your organization
You must be signed in as a Super Admin or have delegated admin privileges for API access
Click Add new in the Domain-wide delegation section
Complete the configuration form:
Client ID: Copy this from the Capsule portal installation card (Step 1 shows the Client ID with a copy button)
OAuth Scopes (copy and paste exactly):
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloud-platform
Scope descriptions:
- admin.directory.user.readonly: Read-only access to list Google Workspace users
- cloud-platform: Access to Google Cloud Platform resources (Discovery Engine sessions)
Click Authorize
Wait 10-15 minutes for the changes to propagate across Google's systems
After waiting for propagation, verify the configuration:
In Google Workspace Admin Console, go back to Domain-wide delegation
Find the entry for Capsule's service account (search for the Client ID)
Verify the OAuth scopes are exactly:
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/cloud-platform
Ensure the status shows as Authorized
After configuring domain-wide delegation, connect the integration through the Capsule portal.
During the OAuth connection flow, Capsule will automatically:
✅ Enable required Google Cloud APIs in your project:
- Discovery Engine API (discoveryengine.googleapis.com)
- Admin SDK API (admin.googleapis.com)
- Compute Engine API (compute.googleapis.com)
✅ Grant IAM permissions to Capsule's service account:
- Discovery Engine Viewer role (roles/discoveryengine.viewer)
- Compute Viewer role (roles/compute.viewer)
✅ Validate configuration:
- Verify project access
- Confirm Google Workspace domain matches your account
Go to Integrations in the Capsule portal
Find Google Gemini Enterprise and click Install
Complete the installation form:
- Google Workspace Domain: Enter your organization's workspace domain (e.g., example.com)
  - This should match the domain of Google Workspace accounts that use Gemini Enterprise
- Project ID: Enter your Google Cloud project ID where Gemini Enterprise is configured
  - Find this in Google Cloud Console under Project Info
Click Connect to begin OAuth authorization
Sign in with Google using an account that has:
- Email address from the workspace domain you entered
- Editor or Owner role on the GCP project
Review and authorize the requested permissions:
- View and manage data across Google Cloud services
- See your primary Google Account email address
- See your personal info, including any personal info you've made publicly available
After authorization, Capsule will automatically:
- Enable Discovery Engine, Admin SDK, and Compute Engine APIs
- Grant Discovery Engine Viewer and Compute Viewer permissions to Capsule's service account
- Validate your project and workspace configuration
If you haven't completed Step 1 yet, use the Client ID shown in the installation card above to configure domain-wide delegation in Google Workspace Admin Console
The integration status should now show as Connected
After completing the integration setup, verify that data is syncing correctly.
Capsule will automatically begin the first data sync
Initial sync will take some time depending on:
- Number of regions where engines are deployed
- Number of users in your workspace
- Volume of historical session data
Once complete, you'll see:
- Agents listed in the Inventory section
- Sessions visible in the Observability section
- User activity in the Users view
Cause: OAuth authorization code was used multiple times or expired
Solution:
- Click Try Again in the error message
- Complete the OAuth flow again without delays
- Don't refresh or navigate away during authorization
Cause: Your Google account doesn't have sufficient permissions on the GCP project
Solution:
- Verify you have Editor or Owner role on the project
- Check in Google Cloud Console → IAM & Admin → IAM
- Ask a project admin to grant you the necessary role
Cause: Your Google account's email domain doesn't match the workspace domain you entered
Solution:
- Verify you're using a Google account from the correct workspace domain
- The account email (e.g., user@example.com) must match the workspace domain (e.g., example.com)
- Don't use personal Gmail accounts or accounts from other organizations
Possible causes:
Domain-wide delegation not configured (most common)
- Verify Step 1 was completed correctly
- Check the Client ID matches exactly
- Ensure OAuth scopes are correct
- Wait 10-15 minutes for propagation
No Gemini Enterprise usage in the project
- Verify engines exist in your GCP project
- Check Discovery Engine Console
- Ensure users have created sessions
Service account permission issue
- Verify Discovery Engine Viewer and Compute Viewer roles were granted during installation
- Check IAM page for the Capsule service account
- Re-run installation if permissions are missing
Cause: Domain-wide delegation configuration issue
Solution:
- Go to Domain-wide delegation
- Find Capsule's service account entry
- Verify OAuth scopes are exactly:
  https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloud-platform
- If scopes are incorrect, click Edit and update them
- Click Authorize again
- Wait 10-15 minutes for propagation
- Manually trigger a sync from Capsule integration settings
Capsule accesses only the data necessary for compliance monitoring:
- Read-only access: Cannot modify or delete agents, sessions, or configurations
- Scoped to project: Only accesses the specific GCP project you configured
- Workspace users only: Only lists users from your Google Workspace domain
- Session data: Conversation logs for audit and compliance purposes
- OAuth 2.0: Industry-standard authorization protocol
- Service account: Dedicated account for Capsule's integration (no shared credentials)
- Domain-wide delegation: Explicit authorization by Workspace admins
- No stored passwords: Uses token-based authentication
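
One way to check the read-only claim above against your own project after installation, as an added example (not Capsule's code): it compares the roles bound to the integration's service account in the project IAM policy with the two viewer roles this page lists, and reports anything missing or extra. The service account email and the sample policy are constructed placeholders; the policy has the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json` output.

```python
import json

# Roles this page says the installer grants to Capsule's service account.
EXPECTED_ROLES = {"roles/discoveryengine.viewer", "roles/compute.viewer"}

def audit_service_account(policy: dict, sa_email: str) -> dict:
    """Compare project-level roles bound to sa_email with EXPECTED_ROLES."""
    member = f"serviceaccount:{sa_email.lower()}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        members = {m.lower() for m in binding.get("members", [])}
        if member in members:
            granted.add(binding["role"])
            if "condition" in binding:  # conditional grants deserve a manual look
                conditional.add(binding["role"])
    return {
        "missing": sorted(EXPECTED_ROLES - granted),
        "unexpected": sorted(granted - EXPECTED_ROLES),
        "conditional": sorted(conditional),
        "ok": granted == EXPECTED_ROLES,
    }

# Hypothetical service account name; use the one shown on your project's IAM page.
SA_EMAIL = "capsule-integration@example-vendor.iam.gserviceaccount.com"

# Constructed sample in the shape returned by:
#   gcloud projects get-iam-policy PROJECT_ID --format=json
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/discoveryengine.viewer",
     "members": ["serviceAccount:capsule-integration@example-vendor.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:admin@example.com",
                 "serviceAccount:capsule-integration@example-vendor.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    # Sample drifted from the documented grant: compute.viewer missing, editor added.
    print(json.dumps(audit_service_account(SAMPLE_POLICY, SA_EMAIL), indent=2))
```

The project policy only contains bindings set on the project itself; roles inherited from a folder or the organization need a separate check at those levels.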
Need help with the integration?
- Documentation: docs.capsule.security
- Email Support: support@capsule.security
When contacting support, please include:
- Your Google Cloud Project ID
- Screenshots of any error messages
- Timestamp when the issue occurred