Overview
This Action programmatically exports the decrypted contents of SendSafely packages to a Google Drive folder. It can be triggered when a package is finalized or when a file is uploaded to a Workspace.
To request the template for this Action, please reach out to your SendSafely account rep.
Please note that this Action requires access to the contents of SendSafely packages, and thus must be configured with a Portal Master Key or Trusted Device Key.
Setup Instructions
1. Set Up the Google Drive Service Account
The Lambda for this Action authenticates to Google Drive as a service account, and requires a Shared Drive.
Note: This is because service accounts have no personal Drive storage quota, so uploads to a regular folder will fail with a storageQuotaExceeded error regardless of sharing permissions. In a Shared Drive, however, files are owned by the Drive itself, and storage is billed to the Workspace organization, so quota is not an issue.
Create or select a Google Cloud project
- Go to the Google Cloud Console.
- Create a new project or select an existing one.
Enable the Google Drive API
- Navigate to APIs & Services → Library.
- Search for Google Drive API and click Enable.
Create a Service Account
- Navigate to IAM & Admin → Service Accounts.
- Click Create Service Account, give it a name (e.g., lambda-drive-uploader), and click Done.
You don't need to grant any project-level IAM role. Drive access comes from adding the service account to the Shared Drive directly.
Create a Service Account JSON Key
- Click the service account, then navigate to the Keys tab.
- Click Add Key → Create new key → JSON and download the file.
- Keep this JSON file secure. You'll paste its contents into Secrets Manager in Step 4.
Create the destination folder in Google Drive
- Right-click the Shared Drive and select Manage members.
- Paste the service account email (the client_email field from the JSON key file), set the role to Content Manager, and click Done.
- Within the Shared Drive, create a new folder (e.g., SendSafely Exports).
- Copy the Folder ID from the URL: https://drive.google.com/drive/folders/<Folder ID>
Note: You only need to complete this step once. The same service account can be reused across multiple deployments.
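A preflight check for the destination folder, as an added example that is not part of the SendSafely template: it reads the folder's metadata through the Drive v3 API as the service account and flags the My Drive case described in the note above. The function names are hypothetical, the key file path and Folder ID are yours to supply, and the live call assumes google-auth and google-api-python-client are installed.

```python
import json

FOLDER_MIME = "application/vnd.google-apps.folder"
FIELDS = "id,mimeType,driveId,capabilities(canAddChildren)"
NOT_FOLDER = "destination ID is not a folder"
NOT_SHARED = "folder is not in a Shared Drive (uploads will hit storageQuotaExceeded)"
NO_WRITE = "service account cannot add files here; check its Shared Drive role"


def fetch_folder_meta(key_file, folder_id):
    """Read the folder's metadata from Drive as the service account (needs network)."""
    # Imported lazily so check_destination() works without these packages.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    with open(key_file) as fh:
        info = json.load(fh)
    # Read-only metadata scope: the check never needs file contents.
    creds = service_account.Credentials.from_service_account_info(
        info, scopes=["https://www.googleapis.com/auth/drive.metadata.readonly"])
    drive = build("drive", "v3", credentials=creds)
    # supportsAllDrives is required to address items inside a Shared Drive.
    return drive.files().get(fileId=folder_id, fields=FIELDS,
                             supportsAllDrives=True).execute()


def check_destination(meta):
    """Return a list of problems with the export destination; empty means OK."""
    problems = []
    if meta.get("mimeType") != FOLDER_MIME:
        problems.append(NOT_FOLDER)
    if not meta.get("driveId"):
        # driveId is only populated on items that live in a Shared Drive.
        problems.append(NOT_SHARED)
    if not meta.get("capabilities", {}).get("canAddChildren", False):
        problems.append(NO_WRITE)
    return problems


# Constructed sample responses (placeholder IDs) for the two cases in the note.
IN_SHARED_DRIVE = {"id": "EXAMPLE_FOLDER_ID", "mimeType": FOLDER_MIME,
                   "driveId": "EXAMPLE_DRIVE_ID",
                   "capabilities": {"canAddChildren": True}}
IN_MY_DRIVE = {"id": "EXAMPLE_FOLDER_ID", "mimeType": FOLDER_MIME,
               "capabilities": {"canAddChildren": True}}

if __name__ == "__main__":
    print(check_destination(IN_SHARED_DRIVE), check_destination(IN_MY_DRIVE))
```

Against a real deployment, pass the result of fetch_folder_meta to check_destination; an error from the API call itself usually means the service account has not been added to the Shared Drive.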
2. Deploy the Lambda
To deploy the Lambda, you'll need the following permissions in AWS:
- Create a new Lambda Function
- Create a new AWS Secret (AWS Secrets Manager)
- Define a custom IAM Role for the Lambda function
Follow these steps:
- In AWS, navigate to CloudFormation and click Create stack, then select "With new resources (standard)" from the dropdown.
- Under Template source, select "Upload a template file," then click Choose file and select the YAML file provided by your SendSafely account rep.
- Click Next. Name the stack, e.g., "SaveToGoogleDrive," then click Next.
- Click the three checkboxes at the bottom of the page, then click Next.
- Click Submit.
- Wait for the Stack's status to change from "CREATE_IN_PROGRESS" to "CREATE_COMPLETE."
3. Enable Secure Message Export (Optional)
By default, only file attachments are exported to Google Drive. To also export a secure message from a package as a .txt file within the package folder, set the Lambda environment variable ENABLE_SECURE_MESSAGE_EXPORT to true.
4. Update Secrets Manager
We'll update the <stack-name>_Google_Drive_Export_Config Secret generated by this deployment. Click on this Secret in Secrets Manager, click Retrieve secret value, and click Edit. Provide the following secret values:
- ss-host
- ss-api-key
- ss-api-secret
- pk-<ss-public-key-id>. Note that you must update the Name of this secret to replace the text <ss-public-key-id> with the actual public key ID of your Master Key (the SendSafely Support team will provide you with this ID when you submit the public key to them). You must update the Value of this secret with the full text of the private key, including the opening and closing tags:
-----BEGIN PGP PRIVATE KEY BLOCK----- -----END PGP PRIVATE KEY BLOCK-----
- gdrive-service-account-json: paste the entire contents of the service account JSON key file downloaded in Step 1.
- gdrive-folder-id: paste the Folder ID copied in Step 1.
For now, leave the action-secret-id entries as-is and click Save. We'll populate them in Step 8.
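A lint for the values entered in this step, as an added example that is not part of the SendSafely template: it catches an unrenamed pk- entry, a private key pasted without its armor tags, a service account value that is not the JSON key file, and a Folder ID pasted as a URL. It assumes the secret is a flat key/value object with the names listed above; lint_export_config and the GOOD/BAD samples are hypothetical, and the action-secret-id entries are not checked because they are filled in later.

```python
import json
import re

PGP_BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
PGP_END = "-----END PGP PRIVATE KEY BLOCK-----"
REQUIRED = ("ss-host", "ss-api-key", "ss-api-secret",
            "gdrive-service-account-json", "gdrive-folder-id")


def lint_export_config(secret):
    """Return problems in the key/value secret, naming keys but never values."""
    problems = [f"{k}: missing or empty" for k in REQUIRED
                if not str(secret.get(k, "")).strip()]
    pk_names = [k for k in secret if k.startswith("pk-")]
    if not pk_names:
        problems.append("pk-<ss-public-key-id>: entry missing")
    for name in pk_names:
        if "<" in name or ">" in name:
            problems.append("pk- entry: Name still holds the <ss-public-key-id> placeholder")
        armor = str(secret[name]).strip()
        if not (armor.startswith(PGP_BEGIN) and armor.endswith(PGP_END)):
            problems.append("pk- entry: Value lacks the BEGIN/END PGP PRIVATE KEY BLOCK tags")
    raw = str(secret.get("gdrive-service-account-json", "")).strip()
    if raw:
        try:
            sa = json.loads(raw)
        except ValueError:
            sa = None
        if not (isinstance(sa, dict) and sa.get("type") == "service_account"
                and sa.get("client_email") and sa.get("private_key")):
            problems.append("gdrive-service-account-json: not a service account key file")
    folder = str(secret.get("gdrive-folder-id", "")).strip()
    if folder and not re.fullmatch(r"[A-Za-z0-9_-]+", folder):
        problems.append("gdrive-folder-id: paste only the Folder ID, not the URL")
    return problems


# Constructed sample secrets (placeholder values, not real keys or IDs).
GOOD = {
    "ss-host": "example-host", "ss-api-key": "example", "ss-api-secret": "example",
    "pk-EXAMPLEKEYID": PGP_BEGIN + "\n(constructed)\n" + PGP_END,
    "gdrive-service-account-json": json.dumps({
        "type": "service_account", "private_key": "(constructed)",
        "client_email": "lambda-drive-uploader@example.iam.gserviceaccount.com"}),
    "gdrive-folder-id": "EXAMPLE_FOLDER_ID",
}
BAD = {**GOOD, "gdrive-folder-id": "https://drive.google.com/drive/folders/EXAMPLE_FOLDER_ID"}
BAD["pk-<ss-public-key-id>"] = BAD.pop("pk-EXAMPLEKEYID").replace(PGP_END, "")
if __name__ == "__main__":
    print(lint_export_config(GOOD), lint_export_config(BAD))
```

To run it on the deployed secret, parse the SecretString returned by Secrets Manager with json.loads and pass the resulting dict in; the output lists key names only, so it is safe to keep in a deployment log.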
5. Create a new Workflow
As an admin logged into your SendSafely portal, click the circle containing your initials in the top-right corner of the screen and select SendSafely Actions. Here, click New Workflow.
6. Choose the trigger event
Two trigger events are applicable to this Action: "A file is uploaded to a Workspace" or "A package is finalized." If you wish to perform this Action on both events, you'll need to go through this process twice, setting up one Workflow for each event.
7. Decide whether this Workflow will apply to a specific user's packages (Optional)
This Workflow, by default, will apply to all packages portal-wide. To limit its scope to packages owned by a specific user:
- Click the plus button and select Add an Event Filter.
- From the Criteria dropdown, select Package Owner Email.
- From the Operator dropdown, select equals.
- In the Value input, type the email of the user in question and click Save.
8. Add the Actions
Three Actions comprise this Workflow. We will add them one at a time.
Action 1.
First, we'll hold the package or file, preventing your recipients from deleting it.
- Click the plus button and select Add an Action.
- From the Action dropdown, select Hold Package (or, if the trigger event is "A file is uploaded to a Workspace," Hold File).
- From the Notification dropdown, select Notify on Error or Timeout.
Action 2.
Next, we'll invoke the webhook of the Lambda, which will use the Master Key or Trusted Device Key to decrypt the package or file's contents, upload them to Google Drive, and return a verdict indicating success or failure.
- Click the plus button and select Add another Action.
- From the Action dropdown, select Invoke an External Webhook.
- From the Notification dropdown, select Notify on False, or Timeout.
- Retrieve the WebhookUrl from the Outputs tab of the relevant Stack in CloudFormation, then paste it into the input in SendSafely and click Save.
- Click the text that says "Click here to view the action secret," then click Copy.
- In AWS Secrets Manager, click into the <stack-name>_Google_Drive_Export_Config Secret.
- Click Retrieve secret value, then click Edit.
- Paste the action secret into the value for action-secret-id-<actionId-finalize-package> (if the trigger event was "A package is finalized") or for action-secret-id-<actionId-workspace-upload> (if the trigger event was "A file is uploaded to a Workspace"), then click Save.
Action 3.
Last, we'll release the package or file, allowing its deletion.
- Click the plus button and select Add another Action.
- From the Action dropdown, select Release Package (or, if the trigger event is "A file is uploaded to a Workspace," Release File).
- From the Notification dropdown, select Notify on Error or Timeout.
Add Action Filter.
We'll now add an Action Filter to this 3rd Action, so that it only runs if the 2nd Action succeeds. Packages successfully exported to Google Drive will be released, whereas packages whose export failed will remain held.
- Click Add Action Filter.
- From the Criteria dropdown, select Action Step 2 Result.
- From the Operator dropdown, select Equals.
- From the Value dropdown, select True.
9. Activate the Workflow
At the top of the page, click the toggle next to the text "Disabled" to enable the Action. The text will change from "Disabled" to "Live."
10. Test the Workflow
Now that we've activated the Workflow, let's trigger it. If the triggering event is "A package is finalized," we'll make a Dropzone submission or create a Transfer package. If the triggering event is "A file is uploaded to a Workspace," we'll upload a file to a Workspace.
If the package or file that triggered the Action is not successfully exported to Google Drive, it will remain held. If the export succeeds, the package or file will be released. In your Google Drive destination folder, you will see a new subfolder named after the packageId, containing the decrypted, exported files.