We have a use case where we need to allow a service account to access a specific user's G Suite account, but not any other user's. Our first approach was domain-wide delegation, but this is of course far too broad - it gave carte-blanche access to all user accounts just by changing the impersonation target, which from a security perspective is not acceptable. And, because this is a server-to-server operation without any UI on top of it, the manual authorization flow is Right Out™ - this has to be achievable either entirely from the G Suite admin panel/GCloud, or by logging in as the user somewhere in the main G Suite.
Is there any way to achieve this? The desired end result is that the service account is able to impersonate one user, but attempting to do so with any other yields a permissions violation.
You can consider a service account as an identity. So you have an email address for this identity.
So you have 2 ways to access the target user:
You can also perform this permission grant with another service account with domain-wide delegation.
In summary, no mysteries: