Domain-wide delegation with impersonation

Question

My scenario involves two service accounts, namely S1 and S2. S2 was granted domain-wide access to a Google Workspace.

I'd like to have S1 impersonate S2 (already have the "Service Account Token Creator role" on S1) and use its permissions to retrieve some information regarding Google Workspace using S2's access.

Is it possible to delegate authority to S1?

Edit: Johannes Passing solution did the trick, still feels like somewhat of a workaround, opened an issue on google-api-dotnet-client to add such a functionality.

Answer 1

Yes, that's possible if S2's client ID has been configured for domain-wide delegation:

1. Create a JWT assertion with:
   • iss set to S2's email address
   • sub set to the Workspace user's email address
   • scope set to the scopes you whitelisted for S2's client ID and domain-wide delegation
2. As S1, call projects.serviceAccounts.signJwt on S2 to sign the assertion with S2's key. As a result, you get a signed JWT assertion. For this to work, S1 must have the Service Account Token Creator role on S2.
3. Post the assertion to https://oauth2.googleapis.com/token. As a result, you get an access token for the Workspace user.