User & group provisioning for Google Workspace

This feature is available for the Personal and Enterprise plans.
Google Workspace User & group provisioning is currently in private alpha. Therefore, this topic is currently hidden.
Tailscale’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy including the Limited Use requirements.

Tailscale supports synchronizing Google Workspace users and groups for use in Tailscale access controls.

Setup

  1. While this feature is in alpha, contact support to enable synchronizing your Google Workspace users and groups.
  2. Log in with a Google Workspace super admin account.
  3. Enable the Admin SDK, which provides the APIs used to sync between Google and Tailscale.
    1. Open https://console.cloud.google.com.
    2. If you do not have a Google Cloud Project, create one.
    3. Search for Admin SDK.
    4. Select Enable.
  4. Add the Tailscale app to your Google Workspace:
    1. Open https://admin.google.com.
    2. Click Security, click Access and data control, click API controls, and then click Manage Third-Party App Access. If you do not see a Security tab, click Show more.
    3. Add the app: 923467998409-avhhsu3j9043drh8s798htd48jo27ki8.apps.googleusercontent.com
      Click Add app
  5. Connect Tailscale to your Google Workspace:
    1. Open https://login.tailscale.com as your Google Workspace super user.
    2. Once logged in, go directly to https://login.tailscale.com/googlesync/auth.
    3. Follow the prompt and log in to start Google User & Group sync.

If a group is renamed in the Google Admin Console, the reference to it in Tailscale does not change. Always use the group's email address to reference the group in your Tailscale ACL rules.
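
The following check is an added example, not part of the original page or Tailscale's own tooling. It audits an ACL policy for group references that match neither a synced Google group email nor a group defined in the policy itself, such as a reference written with a group's display name. The "group:<email>" reference form, the sample policy, and the group list are assumptions constructed for illustration.

```python
import json

# Constructed sample data: group emails as they exist in Google Workspace.
# "platform@example.com" was renamed to "Platform Engineering" in the Admin
# Console; its email address, and therefore its ACL reference, is unchanged.
SYNCED_GROUP_EMAILS = {"platform@example.com", "secops@example.com"}

# Constructed policy (plain JSON). The "group:<email>" reference form for
# synced groups is an assumption; the page only says to use the group email.
POLICY = json.loads("""
{
  "groups": {"group:contractors": ["alice@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:platform@example.com"], "dst": ["tag:prod:22"]},
    {"action": "accept", "src": ["group:Platform Engineering"], "dst": ["tag:prod:443"]},
    {"action": "accept", "src": ["group:contractors"], "dst": ["tag:dev:*"]},
    {"action": "accept", "src": ["group:old-team@example.com"], "dst": ["tag:dev:*"]}
  ]
}
""")


def audit_group_refs(policy, synced_emails):
    """Return (rule_index, reference, reason) for group refs that match nothing."""
    local = set(policy.get("groups", {}))          # groups defined in the policy
    synced = {e.lower() for e in synced_emails}    # compare emails case-insensitively
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        for ref in rule.get("src", []):
            if not ref.startswith("group:") or ref in local:
                continue  # users, tags, and policy-defined groups are out of scope
            name = ref[len("group:"):]
            if "@" not in name:
                findings.append((i, ref, "not a group email or policy-defined group"))
            elif name.lower() not in synced:
                findings.append((i, ref, "email not found among synced groups"))
    return findings


if __name__ == "__main__":
    for idx, ref, reason in audit_group_refs(POLICY, SYNCED_GROUP_EMAILS):
        print(f"acls[{idx}]: {ref}: {reason}")
```

A rule whose source group matches nothing is worth reviewing before the policy is saved, since it grants access to no one today and may start granting access if a group with that email is created later.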