Allow GCloud service account to access specific user's G Suite account?
Question
We have a use case where we need to allow a service account to access a specific user's G Suite account, but not any other user's. Our first approach was domain-wide delegation, but this is of course far too broad - it gave carte-blanche access to all user accounts just by changing the impersonation target, which from a security perspective is not acceptable. And, because this is a server-to-server operation without any UI on top of it, the manual authorization flow is Right Out™ - this has to be achievable either entirely from the G Suite admin panel/GCloud, or by logging in as the user somewhere in the main G Suite.
Is there any way to achieve this? The desired end result is that the service account is able to impersonate one user, but attempting to do so with any other yields a permissions violation.
1 answers
solution1
1 2021-01-22 16:12:07
You can consider a service account as an identity. So you have an email on this identity.
So you have 2 manner to access to the target user:
- Of course, you can grant access to the whole users with domain wide delegation, and it's too dangerous
- Or, the target user can add the service account email as owner of different things (calendar, documents, drive,...)
You can also perform this permission grant with another service account with domain wide delegation.
If summary, no mysteries:
- either you are super admin
- or you are authorized by the user to perform action on they behalf
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.