# Domain-Wide Delegation Setup for Google Sheets Integration

**Last Updated:** 2026-03-08

## Problem

Service accounts have their own storage quota (often 0 bytes), and files created by service accounts count against the **service account's quota**, not the folder owner's quota. This causes "storage quota exceeded" errors even when creating files in user-owned folders.

## Solution: Domain-Wide Delegation

Domain-Wide Delegation allows the service account to impersonate a user account, so files count against the user's quota instead of the service account's quota.

## Prerequisites

- Google Workspace account (required for domain-wide delegation)
- Admin access to Google Workspace Admin Console
- Service account with domain-wide delegation enabled

## Setup Steps

### 1. Enable Domain-Wide Delegation in GCP

1. Go to [Google Cloud Console](https://console.cloud.google.com/)
2. Navigate to "IAM & Admin" > "Service Accounts"
3. Find: `ordio-seo-analytics@ordio-472310.iam.gserviceaccount.com`
4. Click "Edit"
5. Check "Enable Google Workspace Domain-wide Delegation"
6. Note the "Client ID" (you'll need this)

### 2. Authorize Scopes in Google Workspace Admin

1. Go to [Google Workspace Admin Console](https://admin.google.com/)
2. Navigate to "Security" > "API Controls" > "Domain-wide Delegation"
3. Click "Add new"
4. Enter the Client ID from step 1
5. Add OAuth scopes:
   ```
   https://www.googleapis.com/auth/spreadsheets
   https://www.googleapis.com/auth/drive
   https://www.googleapis.com/auth/drive.file
   ```
6. Click "Authorize"

### 3. Update Code to Use Impersonation

Update `v2/config/google-api-credentials.php` to add impersonation support:

```php
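/**
 * Build a Sheets/Drive API client that acts as a Workspace user through
 * domain-wide delegation, so created files count against that user's quota.
 *
 * @param string $userEmail Workspace user to impersonate
 * @return mixed The API client, or false if it could not be created
 */
function getGoogleSheetsAPIClientWithImpersonation($userEmail) {
    // These scopes must match the ones authorized in the Admin Console (step 2)
    $client = getGoogleAPIClientWithScopes([
        'https://www.googleapis.com/auth/spreadsheets',
        'https://www.googleapis.com/auth/drive.file',
        'https://www.googleapis.com/auth/drive',
    ]);

    if ($client !== false) {
        // Set subject (user to impersonate)
        $client->setSubject($userEmail);
    }

    return $client;
}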
```

### 4. Update Generator to Use Impersonation

Update `v2/systems/excel-template-generator/helpers/google-sheets-generator.php`:

```php
// In constructor, use impersonation
$this->client = getGoogleSheetsAPIClientWithImpersonation('hady@ordio.com');
```
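
Once these scopes are authorized for domain-wide delegation, the service account can act as any user in the Workspace domain, so the value that reaches `setSubject()` is worth constraining. The following is an added example, not part of the project's code: a fail-closed allowlist in front of `getGoogleSheetsAPIClientWithImpersonation()`. The names `IMPERSONATION_ALLOWLIST`, `assertAllowedSubject()` and `getDelegatedSheetsClient()` are hypothetical, and the sample inputs at the end are constructed.

```php
<?php
// Added example (not the project's code). All names below except
// getGoogleSheetsAPIClientWithImpersonation() are hypothetical.

// Subjects the generator is permitted to impersonate.
const IMPERSONATION_ALLOWLIST = [
    'hady@ordio.com', // the only subject used by the generator in step 4
];

// Returns the normalized subject, or throws if it must not be impersonated.
function assertAllowedSubject(string $userEmail, array $allowlist = IMPERSONATION_ALLOWLIST): string
{
    $normalized = strtolower(trim($userEmail));
    if (filter_var($normalized, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Impersonation subject is not a valid email address');
    }
    if (!in_array($normalized, $allowlist, true)) {
        // Logged only after validation, so the value cannot carry newlines.
        error_log('Refused impersonation of non-allowlisted subject: ' . $normalized);
        throw new RuntimeException('Impersonation subject is not allowlisted');
    }
    return $normalized;
}

// Wrapper for callers: validates the subject, then builds the delegated client.
// $factory defaults to the function added in step 3.
function getDelegatedSheetsClient(string $userEmail, callable $factory = null)
{
    $subject = assertAllowedSubject($userEmail);
    $factory = $factory ?? 'getGoogleSheetsAPIClientWithImpersonation';
    $client = $factory($subject);
    if ($client === false) {
        throw new RuntimeException('Google API client could not be created');
    }
    return $client;
}

// Constructed inputs showing the fail-closed behaviour (no API calls are made).
foreach (['Hady@ordio.com ', 'someone.else@ordio.com', 'not-an-email'] as $candidate) {
    try {
        echo assertAllowedSubject($candidate), " => allowed\n";
    } catch (Exception $e) {
        echo $candidate, ' => refused: ', $e->getMessage(), "\n";
    }
}
```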

## Alternative: OAuth 2.0 User Authentication

If domain-wide delegation isn't available, use OAuth 2.0 user authentication instead:

1. Create OAuth 2.0 credentials (not a service account)
2. Implement the OAuth flow to obtain a user access token
3. Use the user's access token instead of the service account

## Current Workaround

Until domain-wide delegation is set up, create templates manually, or resolve the service account quota issue with Google support.

## References

- [Domain-wide delegation documentation](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority)
- [Google Workspace Admin API Controls](https://admin.google.com/ac/owl)
