Tags: google-cloud-platform, authorization, service-accounts, organizational-unit

Limiting the access to Google Cloud Platform Service Account to specific Gmail Accounts


I have recently made a program that listens to a PUB/SUB topic that is connected to a Gmail account. I have it all working fine. When a push notification arrives it will do different tasks based on the message content.

The problem is that I use a Service Account to connect to all the API's on Google Cloud Platform that I need. The Service Account allows access to ALL of our Gmail accounts in our organization. I need to somehow limit the access to a specific Gmail account.

The closest I could find to this issue was this question: Impersonating list of users with Google Service Account. However, the only solution presented there was to turn my project into a marketplace app, which I do not want to do.

I have tried setting up an Organizational Unit and trying to limit the scope to that somehow, but there seems to be no way (that I can find) to do it. I did try to speak with Google Cloud Platform help, but they didn't know the answer as it didn't quite fall under their area of expertise and referred me on to another help group, but I'm not eligible for them because I don't pay for support.

Edit: It doesn't actually appear that what I want to do is possible. I'll be going back to an OAuth2 method of authentication.


Solution

  • Understanding service accounts explains the possibilities:

    Service accounts can be thought of as both a resource and as an identity.

    • When thinking of the service account as an identity, you can grant a role to a service account, allowing it to access a resource (such as a project).

    • When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.

    Now try to fit that impracticable intent in there ...

    If you need to limit the access of the service account to user-specific resources, this can only be done at the application level, not the system level, since a service account can impersonate any user identity; e.g. in order not to mess up the ownership when uploading files on behalf of a user. If you want 1 user identity to access 1 user-specific resource, why even use a service account? And when using a service account, why not just impersonate the correct identity? This could even be hard-coded, if it's only 1 user identity. But nevertheless, it can only be done at the application level and cannot be configured for the service account itself.
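Added example (not code from the question or the answer above) of the application-level control the answer describes: the push handler only impersonates a mailbox that is on a hard-coded allowlist, and refuses everything else before any delegated credentials are built. It assumes the standard Gmail watch() push envelope (base64 JSON with `emailAddress` and `historyId` in `message.data`), the google-auth library, and a constructed allowlist and key file path.

```python
import base64
import json

# Application-level allowlist (constructed): the only mailbox this service
# account is permitted to act as. Domain-wide delegation itself cannot be
# narrowed to one mailbox, so this check is the actual control.
ALLOWED_SUBJECTS = frozenset({"mailbox@example.com"})
GMAIL_SCOPES = ["https://www.googleapis.com/auth/gmail.readonly"]


def make_push_envelope(address: str, history_id: str = "1234") -> dict:
    """Build a constructed Pub/Sub push envelope shaped like a Gmail notification."""
    payload = json.dumps({"emailAddress": address, "historyId": history_id})
    return {"message": {"data": base64.b64encode(payload.encode()).decode()}}


def subject_from_push(envelope: dict) -> str:
    """Extract and normalise the mailbox address from a Gmail push envelope."""
    data = base64.b64decode(envelope["message"]["data"]).decode("utf-8")
    return json.loads(data)["emailAddress"].strip().lower()


def authorize_subject(address: str) -> str:
    """Return the address if allowlisted, otherwise raise PermissionError.

    Normalising before the comparison stops case or whitespace variants of a
    non-allowlisted address from slipping past the check.
    """
    normalized = address.strip().lower()
    if normalized not in ALLOWED_SUBJECTS:
        raise PermissionError(f"refusing to impersonate {normalized!r}")
    return normalized


def delegated_credentials(key_file: str, address: str):
    """Build credentials delegated to exactly one allowlisted user.

    google-auth is imported lazily so the allowlist logic runs without it.
    """
    from google.oauth2 import service_account  # pip install google-auth

    subject = authorize_subject(address)  # enforce before touching the key
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=GMAIL_SCOPES)
    return creds.with_subject(subject)


def handle_push(envelope: dict, key_file: str):
    """Push handler entry point: authorise first, then impersonate."""
    return delegated_credentials(key_file, subject_from_push(envelope))
```

A notification for any mailbox outside the allowlist is rejected with PermissionError before the service-account key is ever loaded, which is the place to log and alert on unexpected senders.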