At first, I'm using a service account with delegated credentials to execute the Apps Script API and run a function on Google Apps Script from a Python script via Google's Python client library, and it works fine.

I'd like to add some IP restriction for it, to make sure it can only be executed from a specific IP.

I have tried to add a firewall rule in VPC, which denies all ingress from 0.0.0.0/0 and sets the target to the service account. However, running the script after setting the VPC rule is no different than before it.
The firewall rule seems to only target the VM instance used by the service account.

Is there any better way to set an IP restriction for a service account?

tehhowch
rueyjye
  • I'm just trying to understand your question... Are you trying to execute a Google Apps Script via the Google API client for Python? Using this API? https://developers.google.com/apps-script/api/reference/rest/ – ScottMcC Jul 03 '18 at 09:33
  • Sorry about my poor English. Yes, I'm trying to execute Google Apps Script via the Google API client for Python and using the Apps Script API "run". Like the complete example code at the bottom of this link. https://developers.google.com/api-client-library/python/auth/service-accounts – rueyjye Jul 03 '18 at 09:58

1 Answer

You can't restrict access to APIs based on the requestor IP, only through IAM permissions (with service accounts). Therefore you cannot configure the service account to be used only from a specific IP address.

As mentioned here: “is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user.” I ignore the reason why you are looking to restrict by IP, but please keep in mind that the service account uses the private key, which should not be shared between environments/users/apps, should be stored in a safe place and must be used only in the server(s) running the application.

JC98