Google Workspace log source unable to access GSuite API in Panther
Issue
When trying to ingest GSuite logs using the Google Workspace log source, an error appears: "failed GSuite healthcheck: googleapi: Error 401: Access denied. You are not authorized to read activity records., authError".
Resolution
To resolve this issue, create a new Google Workspace log source, including a new OAuth app in Google Workspace, making sure that you're logged into your Google Workspace with an administrator account. If this new log source successfully ingests log events from Google into Panther, then you can remove the old log source. If the new log source fails again, please contact Panther support.
Cause
This issue can occur when the integration is set up using a non-administrator account on the Google side.