Google Apps Manager (GAM) is a powerful command-line tool designed to simplify the management of Google Workspace installations. Leveraging Google-supplied APIs, GAM provides administrators with a robust and flexible means of managing domain and user settings. GAM is an open-source project.
Its ability to perform bulk operations efficiently makes it an indispensable utility for administrators managing complex Google Workspace environments. GAM empowers users to handle a variety of tasks with ease, from updating user profiles to configuring domain-wide settings. The latest iteration, GAM7, continues this legacy, offering enhanced features and usability for administrators looking to manage their domains effectively and efficiently. For more information, including installation and usage guidelines, visit the GAM project documentation.
At Cloud Sultans, our mission is to help small and large businesses better collaborate and achieve high productivity with their teams by maximizing the power of Google Workspace (formerly G Suite). Let’s dive into how to install GAM Tool for your Google Workspace platform.
Prerequisites
- Log in with a Google Workspace Super admin account and try to avoid having multiple logins in a single browser session
- Create the GCP account (if not done previously) and complete the usual GCP Access procedure if you are logging in for the first time. Log in to the GCP Console at https://console.cloud.google.com/ to make sure it is accessible.
- Make sure that Google Cloud Shell is accessible at https://shell.cloud.google.com/
- Keep the GAM GitHub project accessible at https://github.com/GAM-team/GAM
Advantages of installing the GAM tool using Google Cloud Shell
You can install the GAM tool on Windows, Mac, or Linux systems, and having the GAM installed with Google Cloud Shell allows Admins to access Shell with any browser on any system as Shell runs in GCP Cloud for Free!
The GAM tool has a script that creates the GCP project automatically, and most of the settings on GCP Project are automatically configured with the GAM script that we are reviewing in the next steps.
How to install the GAM tool using Google Cloud Shell?
As a best practice, we will highly recommend making sure that you have followed the prerequisites mentioned above that will allow you to install the GAM tool seamlessly in Google Cloud Shell.
Copy the following command and paste it into the Shell Terminal.
bash <(curl -s -S -L https://gam-shortn.appspot.com/gam-install)This is to download, install, and start the GAM configuration in the Shell Terminal. You can access the GAM GitHub Project using this URL – https://github.com/GAM-team/GAM, and if required, check the above command under the “Quick Start” heading in the “Linux / MacOS” section.
Once you paste the command into the terminal, hit the “Enter” button to execute the command, and it will start downloading & installing the GAM tool to the shell. Following is the reference image.
After the installation, you should be asked the following question
Can you run a full browser on this machine?Your answer should be no, and you can reply with “n” and then press the Enter button on your keyboard for the next steps. (Note: Answer can be yes by replying “y” if you are using a Mac OS machine. In our case, we will reply with “n” as we are using Shell.)
Can you run a full browser on this machine? n
Now the GAM tool installation is initiated, and it will ask if we can continue with GCP Project Creation. The next question in the terminal should be something like below, and you can reply to it by saying “Yes” and then pressing Enter for the next instructions.
GAM is now installed. Are you ready to set up a Google API Project for GAM? (yes or no) yes
Before the actual GCP Project creation starts, it will ask to provide the Super Admin email address for the Google Workspace instance that you are using to install the GAM tool, just enter the Super Admin email address and press the Enter button. In our case are using demo@gswift-cloud.com as the Super Admin email address for the GAM installation.
Please enter your Google Workspace admin email address: demo@gswift-cloud.com
In the next step, the GAM tool will ask to whitelist the “GAM Project Creation” app by adding the Client ID provided in the terminal. You also need to ensure that the “GAM Project Creation” app is marked as “Trusted”. This is to allow the GAM tool to create a GCP Project automatically and manage it.
In the terminal interface, you will find the detailed instructions to whitelist the “GAM Project Creation” app in the Google Workspace Admin Console using the Client ID provided in the terminal.
Once you have followed the steps mentioned and marked the “GAM Project Creation” app as “Trusted” in Google Workspace Admin Console, visit the terminal tab in your browser and simply press the “Enter” button for the next steps. Now, the terminal will prompt you to authorize the “GAM Project Creation” app with your Google Workspace Super Admin account (demo@gwift-cloud.com).
It is requesting to open the link to initiate the authorization process. The link will ask for GCP access, and you need to click on the allow option so that the “GAM Project Creation” app is connected & authorized with your Super Admin account and can create a GCP Project automatically.
One important thing to notice here is that as soon as you allow access, it will end up with an error “This site can’t be reached,” and it is expected behavior.
Now you need to copy the URL from the error page and paste it into the terminal and execute it for the next steps.
Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to 6scope required): paste url hereThe terminal interface should provide you with the confirmation that “The authentication flow has been completed” and then GAM will automatically start creating the GCP Project, enabling required APIs, etc. The following is a reference screenshot.
Once GAM finishes the process of GCP Project creation and API Activation, you will be requested to create the OAuth 2.0 Client ID and generate the “Client ID” and “Client Secret”. In this stage, you need to carefully follow the instructions mentioned in the terminal and perform these actions on the recently created GCP Project.
Before the instructions, the GCP Project link should be given, which will allow you to redirect to the correct GCP Configuration page and follow the steps from the terminal.
Once you have followed the steps, you will have a Client ID and Secret generated for your GCP Project. Now you need to provide the “Client ID” to the GAM by pasting it into the terminal.
Right after providing the client ID, you need to provide the client secret and proceed with the next execution.
Now you need to whitelist the “GAM Client ID” in your Google Workspace Admin Console. It is a similar process that you previously followed while whitelisting the “GAM Project Creation” app, but this time, you need to whitelist the “GAM Client ID”.
Once you finish whitelisting the GAM Client ID, you need to press the Enter button for GAM to execute the next steps. Now it should prompt you that “Project Creation Complete.” and then it will ask the following question that you need to reply with “yes”.
Are you ready to authorize GAM to perform Google Workspace management operations as your admin account? (yes no) yes
The Shell terminal will now list the APIs that will be used and authorized with the GAM tool using a Super Admin account. It will ask you to confirm before it continues, and we should continue with the default selected APIs and proceed further by simply replying with “c” and then hitting the Enter button.
Please enter 0-53 [ a | r ] or s | u | e | c : c
Now the terminal will ask to open a link and authorize it. This is to generate the Client OAuth file and save it to the GAM Folder located in Google Cloud Shell. The given URL will ask you to allow the GAM to grant access to the requested permissions, and as soon as you click on “Allow”, as experienced previously, the page will show an error that “This site can’t be reached“. Again, you need to copy the URL from the error page and paste it into the terminal and execute it for the next steps.
Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required): paste url here
We are reaching to few of the final steps to complete the configurations. The GAM tool will ask you to confirm authorizing the GAM with our Google Workspace environment. Technically, we are about to grant the “domain-wide delegation” access to the GAM tool so GAM tool can perform the task. It may ask the following question, and you should reply with “yes” and proceed further for the next steps.
Are you ready to authorize GAM to manage Google Workspace user data and settings? (yes or no) yes
Now, you have to provide a domain user account address; it can be a normal user account address from your domain, or you can even use the super admin account.
Please enter the email address of a regualr Google Wokspae user: demo@gswift-cloud.com
As soon as you execute the last command, the terminal will automatically start checking the service account scopes, and in the first attempt, it will provide the FAIL results for all checks. It is an expected behavior because we haven’t granted the domain-wide delegation to our GAM with those scopes yet.
After the failed results, you may notice that GAM has provided a link that will automatically redirect to the Google Workspace Domain Wide Delegation page, where you can whitelist the GAM Client ID with all necessary scopes.
As soon as you click on that link, it will open the domain-wide delegation page with all the information filled in the textbox with their scopes. You now just need to click on the “Authorize” button to authorize those scopes/permissions for the GAM tool.
Once the authorization is completed, you must wait for 5-10 minutes, as changes may not have been propagated. After 5-10 minutes, you can try authorizing it again by responding “yes” to the same question. After successful authorization, it should show PASS results for all checks. Just in case the results show FAIL, please wait for another 5 minutes and try again.
Are you ready to authorize GAM to manage Google Workspace user data and settings? (yes or no) yes
Upon successful attempt, you will get the confirmation that GAM is successfully installed.
You must copy the last command from terminal and paste it again in terminal and execute it to start using the GAM Tool. In our case, the command looks like below one:
alias gam='/home/demo/bin/gam7/gam"
Test the GAM Tool with a simple command
Now you can finally start running the GAM commands, I am running the following command to test the GAM tool.
gam info domain
GAM Command References
- https://github.com/GAM-team/GAM/wiki/Addresses
- https://sites.google.com/view/gam–commands/people
Any questions, comments, or reactions about our article? We’re happy to hear them in the comment section below. We always love diving into healthy discussions. If you feel you haven’t been using Google Workspace at its best, reach us at Cloud Sultans: contact@cloudsultans.com.
