
I have a service account that I have created in a project in GCP. This service account will then be provided access to different domains using Domain-wide Delegation.

When the Domain-wide Delegation is set up, I need to control scenarios where the correct scopes are not allocated to the service account. Is there a way that a service account can see what scopes it has access to?

The only way I can think of currently is just to try certain API calls to see if they return 403 or not, but that seems like a waste of an API call. I know when using OAuth2, you can call https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= to get the scopes, but I would need to know the customerID of the domain I am querying against. All of the API calls I plan on using will either be for a specific resource, or take a customerID parameter, so access could be different per domain.

If it's worth knowing, I am currently using the google-api-dotnet-client as it handles a lot of the authentication for me, but if this is easier to do in HTTPS calls then I'm happy to do that.

Update: Thought it might help to show an example of the code I am using to access the Google APIs, to show where I might run into issues. The code itself works fine; I am just trying to think about all possible scenarios where things could go wrong.

using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;

string serviceAccountEmail = "";      // Email address of the GCP service account
string serviceAccountPrivateKey = ""; // PEM private key from the service account's JSON key file

// Credential that impersonates a user in the target domain via Domain-wide Delegation
ServiceAccountCredential serviceCredential = new(new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
    Scopes = new[] {
        DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly
    },
    User = "" // This would be different per Google account I am accessing
}.FromPrivateKey(serviceAccountPrivateKey));

// Directory API client that authenticates every request with the delegated credential
DirectoryService service = new(new BaseClientService.Initializer()
{
    HttpClientInitializer = serviceCredential
});

string customerId = ""; // This would be different per Google account I am accessing

// This could error if the DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly was not granted to the service account
var result = await service.Chromeosdevices.List(customerId).ExecuteAsync();
Steve Norwood
  • Can you explain what you mean by `I need to control scenarios where the correct scopes are not allocated to the service account`? – Rafa Guillermo Feb 08 '22 at 13:56
  • I have a service account that has been created in GCP. I am then providing the ClientID of the service account to admins of third party domains that I require information from. I want to make sure I can detect scenarios where the admin of a domain sets up the Domain-wide Delegation incorrectly by not providing the required scopes. – Steve Norwood Feb 08 '22 at 15:24
  • A service account does not have OAuth scopes. Service accounts are assigned IAM roles to resources. Access Tokens created from service accounts can be limited by OAuth scopes. Domain Wide Delegation is used to impersonate users. In your second paragraph are you confusing OAuth scopes with IAM roles? If a service account has the correct IAM roles, it can read the project and/or resource bindings to determine what IAM roles are assigned to itself. However, you cannot remotely determine what scopes an Access Token has unless you have access to that token. – John Hanley Feb 08 '22 at 18:27
  • I think I understand what you need to do. There is a [method for "ServiceAccountCredentials"](https://googleapis.dev/java/google-auth-library/latest/com/google/auth/oauth2/ServiceAccountCredentials.html#getScopes--) to see the scopes that are available for a services account. You can also see the Google Documentation [here](https://cloud.google.com/java/docs/reference/google-auth-library/latest/com.google.auth.oauth2.ServiceAccountCredentials). – Giselle Valladares Feb 09 '22 at 01:24
  • @JohnHanley In Domain-wide Delegation in the Google Admin Console, you put in OAuth Scopes for the service account to access, so I don't think I'm confusing this at all... please let me know if this isn't correct though. I'm not directly assigning IAM roles to the service account because after investigating I could not restrict the roles to a degree that I was happy with, and I need to access different Google subscriptions, hence why Domain-wide Delegation seems to be the best way to go for me. – Steve Norwood Feb 11 '22 at 09:09
  • @KarlaGiselleValladaresRivas There is something similar to this in the C# SDK, but unfortunately this just provides the scopes that I have provided when creating the ServiceAccountCredential object. – Steve Norwood Feb 11 '22 at 09:15
  • @SteveNorwood I investigated and it seems that the only ones that can see the scopes granted to the user are those who have these roles: "To manage access to projects," "To manage access to projects and folders," "To manage access to projects, folders, and organizations," or "To manage access to almost all Google Cloud resources." After that, you should be able to run a query of the scopes granted to a project. You can read this information [here.](https://cloud.google.com/iam/docs/granting-changing-revoking-access) – Giselle Valladares Feb 11 '22 at 17:05
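One way to act on the tokeninfo idea raised in the question, added here as an example and not code from the question or from the google-api-dotnet-client project: mint the delegated token for one domain's admin user (the same per-domain `User` value the question's code already supplies), then read back which scopes Google actually bound to that token and compare them with the scopes the integration needs. This side-steps the customerID concern, because the token is scoped to the impersonated user, not to a customer, and it satisfies the point made in the comments that tokeninfo only works when you hold the token, which the caller does here. `DelegationScopeCheck`, `GetGrantedScopesAsync`, `MissingScopes` and `RequiredScopes` are names made up for this example; the `Google.Apis.*` types and the tokeninfo URL are the ones the question uses. The exact failure mode of the token request when a domain admin did not authorize the scopes is assumed, not taken from the page.

```csharp
// Added example (not from the original question): verify the scopes a
// Domain-wide-Delegated token actually carries before using it for Directory API calls.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;

public static class DelegationScopeCheck
{
    // Scopes this integration requires per customer (example value, taken from the question).
    public static readonly string[] RequiredScopes =
    {
        DirectoryService.Scope.AdminDirectoryDeviceChromeosReadonly,
    };

    // Returns the scopes bound to a delegated access token for the given impersonated user,
    // or an empty set when the authorization server refused to mint the token
    // (assumed here to be the outcome when the domain admin did not authorize these scopes).
    public static async Task<ISet<string>> GetGrantedScopesAsync(
        string serviceAccountEmail,
        string serviceAccountPrivateKey,
        string impersonatedAdminUser,   // differs per domain, as in the question's User field
        HttpClient http)
    {
        var credential = new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(serviceAccountEmail)
            {
                Scopes = RequiredScopes,
                User = impersonatedAdminUser,
            }.FromPrivateKey(serviceAccountPrivateKey));

        string token;
        try
        {
            // The token request itself asks Google for these scopes on behalf of the
            // impersonated user, so a refusal surfaces here, before any Directory API call.
            token = await credential.GetAccessTokenForRequestAsync();
        }
        catch (TokenResponseException ex)
        {
            // Log the error code and description only; never log the token or the key.
            Console.Error.WriteLine(
                $"Token request refused for {impersonatedAdminUser}: " +
                $"{ex.Error?.Error} - {ex.Error?.ErrorDescription}");
            return new HashSet<string>();
        }

        // tokeninfo reports the scopes bound to this token as a space-separated "scope" field.
        // The token travels in the query string, so this must stay on HTTPS and out of logs.
        string url = "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token="
                     + Uri.EscapeDataString(token);
        using HttpResponseMessage response = await http.GetAsync(url);
        response.EnsureSuccessStatusCode();

        using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        string scopeField = doc.RootElement.TryGetProperty("scope", out JsonElement s)
            ? s.GetString() ?? string.Empty
            : string.Empty;

        return new HashSet<string>(
            scopeField.Split(' ', StringSplitOptions.RemoveEmptyEntries),
            StringComparer.Ordinal);
    }

    // Required scopes that are absent from the granted set; this list is what to report
    // back to the domain admin who configured the delegation.
    public static IReadOnlyList<string> MissingScopes(ISet<string> granted) =>
        RequiredScopes.Where(r => !granted.Contains(r)).ToList();
}
```

Run `GetGrantedScopesAsync` once per onboarded domain (for example during setup, not before every API call); an empty granted set or a non-empty `MissingScopes` result identifies the domain whose delegation was configured without the required scopes, without spending a Directory API request to find out. Because the check only ever requests the scopes the integration needs, it also keeps the delegated token at least-privilege rather than probing for broader access.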

0 Answers