6

I've shared a Google Sheet with my Google Service account email, which looks something like:

myappname-service@myappname-266229.iam.gserviceaccount.com

This permits my application to access that Google Sheet.

I'd like to be able to share the Google Sheet with a custom email address (e.g. google@myappname.com) aliased to that ugly autogenerated service account email (myappname-service@myappname-266229.iam.gserviceaccount.com).

How could I go about doing this?

edit:

Example of code used for interacting with Google APIs

    import logging

    import httplib2
    import pygsheets
    from google.oauth2 import service_account
    from google_auth_httplib2 import AuthorizedHttp

    # `settings` is the application's settings object (assumed to be imported
    # elsewhere); GOOGLE_SERVICE_AUTH_FILE is the path to the service-account
    # JSON key file.
    logger = logging.getLogger(__name__)
    HTTP = httplib2.Http()  # shared transport wrapped by AuthorizedHttp below


    def _get_gc():
        # Request only the Sheets scope; the key file identifies the service account
        scope = ['https://www.googleapis.com/auth/spreadsheets']
        credentials = service_account.Credentials.from_service_account_file(
            settings.GOOGLE_SERVICE_AUTH_FILE,
            scopes=scope,
        )
        http = AuthorizedHttp(credentials, http=HTTP)
        logger.info('Created GC creds, returning...')
        return pygsheets.authorize(custom_credentials=credentials, http=http)


    def do_something(url):
        gc = _get_gc()
        spreadsheet = gc.open_by_url(url)
        return spreadsheet

Richard
  • 215
  • 1
  • 9
  • 1
    Please add a brief description of your search/research efforts as is suggested in [ask]. – Rubén Aug 01 '20 at 22:40
  • There is nothing online about this at all, hence the lack of that information in the question. – Richard Aug 02 '20 at 09:37
  • I think that you should research how sharing files works on Google Drive, Google service accounts, Google Groups and G Suite email aliases. Was this service account created using a G Suite account or a common Google account (usually a gmail.com email address)? – Rubén Aug 02 '20 at 15:17
  • Only regular accounts can have aliases, not service accounts. You can set what comes before `@` when you're creating the service account, but the domain (what goes after `@`) depends on your application name, and you cannot create aliases for this. Maybe a workaround could be found if you provided more information on your situation? Why are you using a service account? – Iamblichus Aug 03 '20 at 11:25
  • @Rubén This is a G Suite account. – Richard Aug 03 '20 at 11:52
  • @Iamblichus A service account is being used as it's part of a large application which uses the service account creds for all interactions with the Google Sheets API – Richard Aug 03 '20 at 11:52
  • As I said, service accounts cannot have aliases. If you want to avoid using the ugly autogenerated service account email, you could grant domain-wide authority to the service account and use it to impersonate a regular account you created for the purpose. From then on, all interactions with the API would be through the service account impersonating this regular account (in order to grant domain-wide authority, you would need to be a domain admin). Do you think this could be a good approach for a workaround? If that's the case, I'd be willing to post an answer to explain this in more detail. – Iamblichus Aug 04 '20 at 10:15
  • @Iamblichus Sounds interesting. If you could explain a bit more that'd be very helpful, thanks! – Richard Aug 04 '20 at 11:05
  • All right. Before posting this, could you please share the code you're using in order to authenticate with your service account, so that I can better understand your exact situation and can provide an updated code? – Iamblichus Aug 04 '20 at 11:39
  • @Iamblichus I've added an example – Richard Aug 04 '20 at 12:32
  • Richard, I've posted an answer. Let me know if that works for you. – Iamblichus Aug 04 '20 at 14:13

1 Answer

3

Issue – Service accounts cannot have aliases:

Unlike regular accounts, service accounts cannot have aliases. Their email address is defined by:

  • The name of the corresponding project.
  • The name of the service account.

You cannot give it additional aliases.

Workaround – Impersonate a regular account:

If you want to avoid sharing the Google Sheets with the autogenerated service account email address, but you want to keep using the service account to interact with the API, your best option would be to share the Sheets with a regular account that has an acceptable email address, and use the service account to impersonate this regular account, when interacting with the API.

1. Delegating domain-wide authority:

One of the most useful things about a service account is that you can grant it the ability to impersonate any user in your domain and access data on behalf of it. This is called domain-wide delegation, and it can be activated for a service account by following these steps:

[Screenshot: the steps for enabling domain-wide delegation from the G Suite domain's Admin console]

Important: You need to be an administrator of the G Suite domain in order to delegate domain-wide authority.

2. Impersonating:

At this point, your service account can impersonate any user in the account. To actually impersonate an account, you would just need to specify which account you want to impersonate when building the credentials.

In your specific case, you would need to provide the parameter subject when calling from_service_account_file, as you can see on the domain-wide delegation section of this page:

    credentials = service_account.Credentials.from_service_account_file(
        settings.GOOGLE_SERVICE_AUTH_FILE,
        scopes=scope,
        subject="your-account@your-domain.com"
    )

Iamblichus
  • 18,540
  • 2
  • 11
  • 27
  • It looks like I was mistaken and I actually don't have a "G Suite" account. So when I attempt to follow this step within 1. "From your G Suite domain’s Admin console, go to Main menu..", I'm greeted with this error message. "admin.google.com is used for G Suite accounts only. Regular Gmail accounts cannot be used to sign in to admin.google.com" Any idea on how to proceed? – Richard Aug 04 '20 at 19:59
  • https://stackoverflow.com/a/45849773 Suggests I *need* a G-Suite account to do this. It's not the end of the world if I need to do that. – Richard Aug 04 '20 at 20:06
  • @Richard sure, you need a G Suite account (actually, you need to be an administrator of a G Suite domain) for this to work! Domain-wide delegation means the service account can impersonate any user in your **G Suite domain**. – Iamblichus Aug 04 '20 at 20:08
  • 1
    I was able to get this working by: 1. creating a G Suite account; 2. inviting that account to be an 'Owner' on my existing service account. – Richard Aug 04 '20 at 20:40
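What the `subject` parameter in the answer actually does, shown as an added example that is not code from the question or the answer: with domain-wide delegation the auth library asks Google's token endpoint for an access token using an OAuth 2.0 JWT-bearer assertion whose `iss` claim is the service account and whose `sub` claim is the impersonated user. The block below builds that claim set from a constructed sample of the key file (private key omitted, so nothing is signed; the real library signs the `header.payload` string with RS256 using the key file's `private_key`), and adds a defensive check the answer does not mention: since delegation lets the service account act as any user in the domain, the application should pin the subject to an allow-list. `check_subject`, `SAMPLE_KEY_FILE` and the allow-list are assumptions of this example, not part of google-auth or of the asker's project.

```python
"""Added example: the delegated-credentials assertion behind `subject=...`,
plus an application-side allow-list for who may be impersonated.
Standard library only; the key file below is constructed and carries no
private key, so no assertion is actually signed here."""
import base64
import json
import time

# Constructed sample of the service-account key file that
# settings.GOOGLE_SERVICE_AUTH_FILE would point at (private_key left out).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "myappname-266229",
    "client_email": "myappname-service@myappname-266229.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

SCOPES = ["https://www.googleapis.com/auth/spreadsheets"]
TOKEN_LIFETIME = 3600  # seconds; assertions may not be valid for more than one hour


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_subject(subject: str, allowed: frozenset) -> str:
    """Refuse to impersonate anyone except the mailbox(es) this app is meant to use.

    Domain-wide delegation lets the service account act as *any* user in the
    domain, so the application itself must pin the subject. The allow-list is
    a hypothetical application setting.
    """
    subject = subject.strip().lower()
    if subject not in allowed:
        raise PermissionError(f"impersonation of {subject!r} is not allowed")
    return subject


def delegation_claims(key_file_json: str, subject: str, scopes, now: int) -> dict:
    """Claim set of the JWT-bearer assertion for a delegated token request.

    "iss" is the service account, "sub" is the user being impersonated (what
    from_service_account_file(..., subject=...) fills in), "scope" is the
    space-separated scope list and "aud" is the token endpoint from the key file.
    """
    key = json.loads(key_file_json)
    return {
        "iss": key["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
    }


def unsigned_assertion(claims: dict) -> str:
    """The header.payload part of the RS256 JWT; the auth library appends the
    third segment, an RS256 signature over exactly this string."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )


def decode_segment(segment: str) -> dict:
    """Inverse of _b64url followed by JSON decoding, for inspecting an assertion."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    allowed = frozenset({"google@myappname.com"})  # constructed allow-list
    subject = check_subject("Google@myappname.com", allowed)
    claims = delegation_claims(SAMPLE_KEY_FILE, subject, SCOPES, now=int(time.time()))
    print(unsigned_assertion(claims))
```

In the asker's `_get_gc`, the equivalent is to run the allow-list check first and then pass the approved address as `subject=` to `from_service_account_file`; the library then performs the signing and the exchange at `token_uri` that this block only models.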