Tags: google-cloud-platform, google-cloud-identity

Does "Domain Restricted Sharing" in GCP prevent service accounts from getting IAM permissions?


If I turn on the Organization Policy constraint "Domain Restricted Sharing" (doc) and set it to allow only my org domain foo.com, will this prevent the slew of platform service accounts from getting their IAM permissions granted? For instance, accounts in the domain @iam.gserviceaccount.com or @developer.gserviceaccount.com. These service accounts get provisioned and given permissions all over the place. My worry is that enabling "Domain Restricted Sharing" will block these accounts from having IAM access.

Another way to ask this is: does "Domain Restricted Sharing" ignore these sorts of platform-based service accounts? If it doesn't, I feel like it would be difficult to maintain a list of exceptions.

A more fundamental question - does "Domain Restricted Sharing" only apply to Cloud Identity / Google Workspace accounts, and is hence not relevant when it comes to service accounts?


Solution

  • In this answer I am using the term Google Cloud Identities to mean identities such as service accounts, service agents, etc. that are created by Google Cloud and not by other Google services such as Gmail.

    If I turn on the Organization Policy constraint "Domain Restricted Sharing" ...

    Yes, if the IAM service accounts are children of an organization resource associated with the given Google Workspace domain.

    A more fundamental question - does "Domain Restricted Sharing" only apply to Cloud Identity / Google Workspace accounts, and is hence not relevant when it comes to service accounts?

    Domain Restricted Sharing applies to all non Google Cloud Identities such as Google Workspace, Cloud Identity and Gmail style accounts. You can define members of a domain managed/controlled by Google Workspace as being allowed ([email protected]) while identities that are not part of that domain ([email protected]) are blocked.

    At this time, only domains managed by Google Workspace are supported. Cloud Identity is not supported for specifying an allowed domain unless the domain name is also the organization name. (Note: I cannot find an authoritative reference for this statement and this may change in the future).
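Before turning on the constraint (`constraints/iam.allowedPolicyMemberDomains`), it helps to see which principals in existing IAM bindings are Google Workspace/Cloud Identity users outside your domain versus Google-created service accounts and service agents. The script below is an added example, not from the answer above or from Google; the policy JSON is constructed to mirror the shape of `gcloud projects get-iam-policy --format=json`, and the category names, the allowed-domain set and the project list are the script's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample policy (same shape as `gcloud projects get-iam-policy --format=json`).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@foo.com", "user:bob@gmail.com",
                     "group:devs@foo.com", "allUsers"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                     "serviceAccount:app@my-project.iam.gserviceaccount.com",
                     "serviceAccount:svc@other-project.iam.gserviceaccount.com",
                     "serviceAccount:service-123456789012@gcp-sa-pubsub.iam.gserviceaccount.com"]},
    ]
}

# Google-created service agents: service-<project number>@<api>.iam.gserviceaccount.com
SERVICE_AGENT = re.compile(r"^service-\d+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")
# User-managed service accounts: <name>@<project id>.iam.gserviceaccount.com
USER_MANAGED_SA = re.compile(r"^[^@]+@([a-z0-9-]+)\.iam\.gserviceaccount\.com$")


def classify_member(member, allowed_domains, org_projects):
    """Bucket one IAM member string so the binding can be reviewed (categories are ours)."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return "public"
    kind, _, ident = member.partition(":")
    if kind in ("user", "group"):
        domain = ident.rsplit("@", 1)[-1].lower()
        return "allowed-domain" if domain in allowed_domains else "external-domain"
    if kind == "serviceAccount":
        if SERVICE_AGENT.match(ident):
            return "google-created"          # service agent provisioned by Google Cloud
        m = USER_MANAGED_SA.match(ident)
        if m:
            # Owned by one of our projects, or by a project outside the organization?
            return "org-service-account" if m.group(1) in org_projects else "foreign-service-account"
        if ident.endswith(".gserviceaccount.com"):
            return "google-created"          # e.g. default Compute/App Engine/cloudservices accounts
        return "unknown-service-account"
    return "other"


def audit_policy(policy, allowed_domains, org_projects):
    """Group (role, member) pairs by category; review 'external-domain' and 'public' first."""
    report = defaultdict(list)
    for binding in policy["bindings"]:
        for member in binding["members"]:
            report[classify_member(member, allowed_domains, org_projects)].append((binding["role"], member))
    return dict(report)


if __name__ == "__main__":
    for category, entries in audit_policy(SAMPLE_POLICY, {"foo.com"}, {"my-project"}).items():
        print(category, entries)
```

Feed it the real policy export of each project (and folder/organization-level policies) to get the list of principals that need an exception or a cleanup before the constraint is enforced.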