Tags: google-cloud-platform, gmail, gmail-api, google-workspace, service-accounts

How to restrict Service Account read-access of Gmail-API to specific accounts


I need a service account for e2e tests in order to simulate the signup flow (sending an email with the initial password, etc.). However, as far as I am aware, Gmail as a service is managed at the level of the company/billing account and not of individual GCP projects (dev, staging, production). Meaning, if I give roles/gmail.readonly to a service account, it could read the private emails of all the production customers. What ways are there to restrict the access so that developers and potential hackers with access to the service account cannot read the private emails of real humans, but only those of technical e2e users?


Solution

  • Service accounts only work with Gmail if you configure domain-wide delegation. It's going to apply to any user on the domain.

    delegation

    If it's a valid user on the domain, you can delegate as it; there is no way to limit it to just a single user. Hence the term "domain-wide".

    delegated_credentials = credentials.with_subject(user_email)
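Since the delegation grant itself applies to every mailbox in the domain, one application-side mitigation is to make the test harness refuse to impersonate anything that is not a designated e2e mailbox and to refuse any scope beyond gmail.readonly. This is an added example, not code from the answer above; the mailbox naming scheme, the example.com domain and the key file path are assumptions.

```python
import re
from typing import List, Sequence

# Constructed assumptions for this example: technical e2e mailboxes follow a fixed
# naming scheme in the test domain, and only the read-only Gmail scope is ever needed.
E2E_MAILBOX = re.compile(r"^e2e-[a-z0-9-]+@example\.com$")
ALLOWED_SCOPES = frozenset({"https://www.googleapis.com/auth/gmail.readonly"})


def is_e2e_mailbox(user_email: str) -> bool:
    """True only for mailboxes that match the technical e2e naming scheme."""
    return E2E_MAILBOX.fullmatch(user_email.strip().lower()) is not None


def check_delegation(user_email: str, scopes: Sequence[str]) -> List[str]:
    """Return the reasons a delegation request must be refused (empty list = allowed)."""
    problems = []
    if not is_e2e_mailbox(user_email):
        problems.append(f"subject {user_email!r} is not a designated e2e mailbox")
    extra = sorted(set(scopes) - ALLOWED_SCOPES)
    if extra:
        problems.append(f"scopes beyond gmail.readonly requested: {extra}")
    return problems


def delegated_gmail_credentials(key_file: str, user_email: str,
                                scopes: Sequence[str] = tuple(ALLOWED_SCOPES)):
    """Build delegated credentials only after the guard passes.

    google-auth is imported lazily so the guard itself has no dependency on it.
    key_file is a hypothetical path to the service account JSON key.
    """
    problems = check_delegation(user_email, scopes)
    if problems:
        raise PermissionError("; ".join(problems))
    from google.oauth2 import service_account  # pip install google-auth
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=list(scopes))
    # Same call as in the answer above, now reachable only for allow-listed subjects.
    return creds.with_subject(user_email)
```

The guard does not change what the domain-wide grant permits at Google's side; it only limits what this particular harness will do, so the service account key still needs to be protected accordingly.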