Domain-wide delegation with impersonation

service-accounts google-workspace google-api-dotnet-client

My scenario involves two service accounts, namely S1 and S2. S2 was granted domain-wide access to a Google Workspace.

I'd like to have S1 impersonate S2 (already have the "Service Account Token Creator role" on S1) and use its permissions to retrieve some information regarding Google Workspace using S2's access.

Is it possible to delegate authority to S1?

Edit: Johannes Passing solution did the trick, still feels like somewhat of a workaround, opened an issue on google-api-dotnet-client to add such a functionality.


Yes, that's possible if S2's client ID has been configured for domain-wide delegation:

  1. Create a JWT assertion with:
    • iss set to S2's email address
    • sub set to the Workspace user's email address
    • scope set to the scopes you whitelisted for S2's client ID and domain-wide delegation
  2. As S1, call projects.serviceAccounts.signJwt on S2 to sign the assertion with S2's key. As a result, you get a signed JWT assertion. For this to work, S1 must have the Service Account Token Creator role on S2.
  3. Post the assertion to https://oauth2.googleapis.com/token. As a result, you get an access token for the Workspace user.

Related

IdentityServer4 always returning "error": "invalid_scope"
How To Add extra String "Names" in a String Array?
Laravel Migration to change table name
Can't detach network interfaces
How to add a new user with its own directory and shell Debian [closed]
PHP inserting string issue
constexpr position in variable declaration
Check if datetime is in hour range
whenever I use pip installer I get this error on my Mac terminal [duplicate]
Vim Adventures level 10
How does marking work in MGS 5?
How to supply a piston feed tape from a large cube of blocks