Skip to main content
Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
The Google Drive MCP server lets you govern access to Google Drive — files, folders, shared drives, permissions, comments, and revisions — as tools your AI clients can call through C1. Google Drive supports two ways to authenticate, and you choose one when you register the server:
  • Per-user OAuth (recommended). Each person authorizes with their own Google account, so every tool call runs under that user’s Drive identity and permissions.
  • Service account (Workspace only). A single Google service account with domain-wide delegation authenticates everyone, so all tool calls reach Drive as one shared identity.
For a deeper comparison of shared versus per-user credentials, see Configure authentication.

How C1 connects to Google Drive

C1 hosts the Google Drive MCP server, so your users’ AI clients only ever see MCP tools — they never call Google Drive directly. When an AI client calls one of these tools, C1 makes the matching request to the Google Drive API using the credentials you configure here, then returns the result to the AI client. The credentials you set up below are what C1 uses to call Google Drive on your users’ behalf.

Before you begin

  • AI access management must be enabled for your tenant. See Enable AI access management.
  • A Google Cloud project where you can enable the Google Drive API and create credentials.
  • For the service-account option, a Google Workspace administrator to set up domain-wide delegation.
If you don’t see Google Drive in your MCP server catalog, contact the C1 support team to enable it for your tenant.

Option 1: Set up per-user OAuth

With per-user OAuth, you register one Google OAuth client and each user authorizes individually. This keeps every action attributable to the user who took it, with only the access that user already has in Drive.

Create a Google OAuth client

Create an OAuth client in your Google Cloud project so users can authorize C1 with their own Google accounts.
1
Sign in to the Google Cloud console and create or select a project for C1.
2
Go to APIs & Services > Library, search for Google Drive API, and select Enable.
3
Go to APIs & Services > OAuth consent screen. Choose Internal for a Workspace-only app or External for any Google account, and add the Drive scopes your deployment needs. Broad Drive scopes are restricted and require Google verification before an External app can be used outside your Workspace organization.
4
Go to APIs & Services > Credentials > Create Client > Web application. For full details, see Google’s Manage OAuth Clients documentation.
5
Under Authorized redirect URIs, add exactly https://accounts.conductor.one/auth/callback.
6
Select Create, then copy the Client ID and Client secret. Google shows the client secret only once.
For least privilege, request only the scopes you need. Read-only deployments can use drive.readonly and drive.metadata.readonly. If your users are on Google Workspace, a Workspace administrator may need to allow the OAuth client in Admin Console > Security > Access and data control > API controls > App access control.

Register the server with OAuth

With your OAuth client ready, register the server and provide its credentials.
1
Follow Register an MCP server and select Google Drive from the catalog.
2
When you configure authentication, choose per-user OAuth and enter your OAuth client’s client ID and client secret, plus the scopes you configured.
3
Save your changes. The first time a user calls a Google Drive tool from their AI client, they’re prompted to connect their Google account.

Option 2: Use a service account (Workspace only)

A Google service account with domain-wide delegation authenticates every user as one shared identity. C1 signs a JWT with the service account’s key to obtain access tokens. Use this for Workspace tenants that want C1 to reach Drive without per-user consent.

Create a service account and grant delegation

Create a service account, then grant it domain-wide delegation so it can act on behalf of your users.
1
In the Google Cloud console, go to APIs & Services > Library and enable the Google Drive API for your project.
2
Go to APIs & Services > Credentials > Create credentials > Service account, create the service account, then generate and download a JSON key. For full details, see Google’s Create service accounts documentation.
3
Note the service account’s Unique ID (numeric).
4
As a Workspace administrator, go to Admin Console > Security > Access and data control > API controls > Domain-wide delegation, select Add new, and enter the service account’s Unique ID along with the Drive scopes you need. For least privilege, grant narrow scopes such as drive.readonly and drive.metadata.readonly.

Register the server with a service account

With your service account ready, register the server and provide its key.
1
Follow Register an MCP server and select Google Drive from the catalog.
2
When you configure authentication, choose OAuth2 — JWT bearer and provide the service account’s JSON key and the scopes you delegated.
3
Save your changes. C1 starts a sync that discovers the tools the Google Drive server exposes.

How Google Drive credentials are shared

How Google Drive sees your users’ activity depends on the method you chose:
  • Per-user OAuth. Each user authorizes with their own Google account, so tool calls run under that user’s Drive identity and inherit only the access they already have. Google attributes each action to the individual user.
  • Service account. Every user’s tool calls use the one service account you configured, so Drive sees a single shared identity. C1 still attributes each call to the individual user in the AI tool usage audit log.
For how shared and per-user credentials work across MCP servers, see Configure authentication.

Discover and govern tools

After you register the server, C1 runs tool discovery against Google Drive. Discovered tools appear on the server’s Tools tab. Each tool starts as either Pending review or automatically Approved, depending on the option chosen when the server was set up or your tenant’s default tool settings in Settings > AI Connections. See Require tool approval and Default tool classification. Before anyone can call a Google Drive tool, it must be approved, added to a toolset, and bound to an access profile. Continue to Govern tools and toolsets to set this up.
Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn’t confirm that authentication is working. You confirm your Google Drive credentials when an approved user successfully calls a Google Drive tool from their AI client.

Manage your Google Drive credentials

  • Rotate the OAuth client secret in your Google Cloud project under APIs & Services > Credentials, then update the secret on the server’s authentication settings in C1.
  • Rotate the service account key by generating a new JSON key in the Cloud Console, updating it in C1, then deleting the old key.
  • Adjust access by editing the OAuth client’s scopes, or the scopes granted to the service account in domain-wide delegation.