
Access the Google Workspace Admin SDK without domain-wide delegation?


I'm trying to write a server application, using NodeJS, that accesses the Admin-SDK of our Google Workspaces (G-Suite) account. All the tutorials I've found so far describe the following process:

  1. Set up a project in the console and enable the desired APIs, such as the Admin SDK API.
  2. Create a service account in the GCP project.
  3. Enable G Suite Domain-wide Delegation for the service account.
  4. Create a G Suite admin account. Let's call it admin@mycompany.com
  5. Use the service account to impersonate the admin account when making requests to the API.

So accessing the Directory API might look something like this:

const { google } = require('googleapis');

const serviceAccountEmail = "gcp-service-account@gcp-project.iam.gserviceaccount.com";
const privateKey = "-----BEGIN PRIVATE KEY-----....";
const scopes = ['https://www.googleapis.com/auth/admin.directory.group'];
const adminEmail = "admin@mycompany.com";

// Positional JWT arguments: email, keyFile, key, scopes, subject.
// `subject` is the account the service account impersonates.
const auth = new google.auth.JWT(
    serviceAccountEmail,
    null,
    privateKey,
    scopes,
    adminEmail,
);

// google.admin() is synchronous; the returned client sends every request as `adminEmail`.
const admin = google.admin({
    version: 'directory_v1',
    auth,
});

The following note is displayed next to the Enable G Suite Domain-wide Delegation check box on the service account:

Allows this service account to be authorized to access all users' data on a G Suite domain without manual authorization on their parts. Learn more

Maybe I'm not understanding this correctly, but isn't this incredibly permissive and a serious violation of the principle of least privilege? I understand that my application needs to authenticate as the admin@mycompany.com admin account, but is there a way to restrict it to just this account instead of "all users' data on a G Suite domain"?


Solution

  • The service account only has access to whatever is shared with the account, as per Delegating domain-wide authority to the service account:

    an administrator of the G Suite domain can authorize an application to access user data on behalf of users in the G Suite domain.

    This means that the service account only has access to data from the account the application is impersonating.

    You are responsible for your Security Account

    You could, for example, implement a check to allow impersonating accounts for a specific Organizational Unit, but all these checks must be done at application level.

    With your Service Account you could for example check what Organizational Unit the impersonating account belongs to. If the check is successful you could proceed to impersonate this account with a domain-wide delegated Service Account and perform the needed action.

    Alone, Domain-wide Delegation is indeed a very powerful feature that allows apps to access users' data across your organization's entire G Suite account. It's your responsibility as a super-admin account to manage this properly and securely.

    References

    Delegating domain-wide authority

    Control Domain-wide Delegation
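The application-level check the answer describes, as an added example that is not part of the original question or answer: before the service account impersonates a target account, look the account up in the Directory API and refuse unless it sits under an allow-listed Organizational Unit. The Directory client and the JWT factory are injected so the code runs offline; in production `directory` would be the `google.admin({ version: 'directory_v1', auth })` client authenticated as the admin account, and `makeJwt` would wrap `new google.auth.JWT(...)` with the target as `subject`. The domain `mycompany.com`, the user records in `fakeDirectory` and the allowed OU `/Engineering` are constructed for the example.

```javascript
// Added example: guard domain-wide delegation with an OU allow-list checked in the
// application, since Google itself does not scope the delegation to particular users.

const DOMAIN = 'mycompany.com'; // assumed domain, taken from the question's admin@mycompany.com

// Path-segment-aware OU match: '/Engineering' covers '/Engineering' and
// '/Engineering/Backend' but must NOT cover '/EngineeringContractors'.
function isUnderAllowedOrgUnit(orgUnitPath, allowedOrgUnits) {
  if (typeof orgUnitPath !== 'string' || !orgUnitPath.startsWith('/')) return false;
  const normalized = orgUnitPath.replace(/\/+$/, '') || '/';
  return allowedOrgUnits.some((allowed) => {
    const base = allowed.replace(/\/+$/, '') || '/';
    if (base === '/') return true; // allow-listing the root OU allows every account
    return normalized === base || normalized.startsWith(base + '/');
  });
}

// Only plain addresses on our own domain may become a JWT subject; trim and
// lower-case so "Alice@MyCompany.com " is treated as alice@mycompany.com.
function normalizeSubject(email) {
  const trimmed = String(email).trim().toLowerCase();
  const m = /^[a-z0-9._%+-]+@([a-z0-9.-]+)$/.exec(trimmed);
  if (!m || m[1] !== DOMAIN) return null;
  return trimmed;
}

// directory: exposes users.get({ userKey, projection }) -> { data: { orgUnitPath, suspended, ... } }
// makeJwt:   (subject) -> an auth client that impersonates `subject`
async function impersonateIfAllowed(directory, makeJwt, targetEmail, allowedOrgUnits) {
  const subject = normalizeSubject(targetEmail);
  if (!subject) throw new Error(`refusing to impersonate outside ${DOMAIN}: ${targetEmail}`);
  // This lookup runs as the admin account, so it succeeds before any impersonation happens.
  const { data: user } = await directory.users.get({ userKey: subject, projection: 'basic' });
  if (user.suspended) throw new Error(`refusing to impersonate suspended account ${subject}`);
  if (!isUnderAllowedOrgUnit(user.orgUnitPath, allowedOrgUnits)) {
    throw new Error(`${subject} is in ${user.orgUnitPath}, not in an allowed OU`);
  }
  return makeJwt(subject);
}

// Constructed stand-in for the Directory API so the example runs without credentials.
const fakeDirectory = {
  users: {
    get: async ({ userKey }) => {
      const table = {
        'alice@mycompany.com': { primaryEmail: 'alice@mycompany.com', orgUnitPath: '/Engineering/Backend', suspended: false },
        'bob@mycompany.com':   { primaryEmail: 'bob@mycompany.com',   orgUnitPath: '/EngineeringContractors', suspended: false },
        'carol@mycompany.com': { primaryEmail: 'carol@mycompany.com', orgUnitPath: '/Engineering', suspended: true },
      };
      if (!table[userKey]) { const e = new Error('Not Found'); e.code = 404; throw e; }
      return { data: table[userKey] };
    },
  },
};

// Constructed stand-in for `new google.auth.JWT(email, null, key, scopes, subject)`.
const fakeMakeJwt = (subject) => ({ subject, scopes: ['https://www.googleapis.com/auth/admin.directory.group'] });

// Runs the guard over a mix of allowed, wrong-OU, suspended, foreign-domain and unknown accounts.
async function demo() {
  const results = {};
  const candidates = ['Alice@MyCompany.com', 'bob@mycompany.com', 'carol@mycompany.com',
                      'mallory@evil.example', 'nobody@mycompany.com'];
  for (const email of candidates) {
    try {
      const auth = await impersonateIfAllowed(fakeDirectory, fakeMakeJwt, email, ['/Engineering']);
      results[email] = `ok: ${auth.subject}`;
    } catch (err) {
      results[email] = `denied: ${err.message}`;
    }
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r));
}
```

The check runs with the admin account's own credentials before any `subject` is set on the JWT, so the only impersonated token ever minted is for an account that passed the OU, domain and suspension checks. It is still only an application-side control: the service account remains able to impersonate anyone if this code is bypassed, so the scopes authorized for the client ID under Admin console > Security > API controls > Domain-wide Delegation should be kept to the minimum the application actually needs.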