Skip to main content
Panther Knowledge Base

Google Workspace log source unable to access GSuite API in Panther

Issue

When trying to ingest GSuite logs using the Google Workspace log source, an error appears: "failed GSuite healthcheck: googleapi: Error 401: Access denied. You are not authorized to read activity records., authError". 

Resolution

To resolve this issue, create a new Google Workspace log source, including a new OAuth app in Google Workspace, making sure that you're logged into your Google Workspace with an administrator account. If this new log source successfully ingests log events from Google into Panther, then you can remove the old log source. If the new log source fails again, please contact Panther support.

Cause

This issue can occur when the integration is set up using a non-administrator account on the Google side.

Note: When switching to an administrator account on the Google side, it's possible that their console is not updating the permissions. If this is the case, please try removing the user and adding them back. The Google console should then be able to update the permissions.