With your Service Account you could for example check what Organizational Unit the impersonating account belongs to. You could, for example, implement a check to allow impersonating accounts for a specific Organizational Unit, but all these checks must be done at application level. You are responsible for your Security Account
This means that the service account only has access to data from the account the application is impersonating. The service account only has access to whatever is shared with the account, as per Delegating domain-wide authority to the service account:Īn administrator of the G Suite domain can authorize an application to access user data on behalf of users in the G Suite domain. Maybe I'm not understanding this correctly, but isn't this incredibly permissive and a serious violation of the principle of least privilege? I understand that my application needs to authenticate as the admin account, but is there a way to restrict it to just this account instead of "all users' data on a G Suite domain".
The following note is displayed next to the Enable G Suite Domain-wide Delegation check box on the service account:Īllows this service account to be authorized to access all users' data on a G Suite domain without > manual authorization on their parts. So accessing the Directory API might look something like this: const serviceAccountEmail = privateKey = "-BEGIN PRIVATE KEY-." Ĭonst adminEmail = auth = new ( Let's call it Use the service account to impersonate the admin account when making requests to the API. Enable G Suite Domain-wide Delegation for the service account.Create a service account in the GCP project.Setup a project in the console and enable the desired APIs, such as the Admin SDK API.All the tutorials I've found so far describe the following process:
I'm trying to write a server application, using NodeJS, that accesses the Admin-SDK of our Google Workspaces (G-Suite) account.