This package provides basic instruction and code snippets (in python), to help users manage access to Google's Admin SDK using GCE's service account identity.
When developing code locally (i.e. on a laptop), best practice is to use a service account key to access GCP resources. Through domain-wide delegation of authority, the service account can impersonate other G Suite users and gain access to the Google Admin SDK APIs. With a service account key, the developer can call the with_subject method (of the google.oauth2 service_account module) and assume the delegated role for Admin SDK access. But when running on GCE, there is no with_subject method, as the GCE credentials in the google.auth package do not provide it. This causes heartache when one strives for a single code base that runs both locally and on GCE. (See googleapis/google-auth-library-python#310.)
Building upon a function from Forseti Security, main.py provides an example of creating credential object(s) authorized for the Admin Directory API, using either a service account key file or a GCE service account identity.
The solution relies on domain-wide delegation of authority. Following this process, a Service Account is created with delegated access enabled, and a defined set of scopes is allowed for the service account's clientId. Only users (delegated subjects) with access to the Admin APIs can access the Admin SDK Directory API. In this example, we recommend creating a unique user account for delegated access and attaching a custom AdminRole that grants admin.directory.group.readonly only (least privileged access).
NOTE: The delegated subject must have logged in at least once and accepted the G Suite Terms of Service.
For the service account to be a signer, it requires the roles/iam.serviceAccountTokenCreator role on itself. Yes, it needs permissions to perform actions on itself. Through the console, select IAM & admin -> Service accounts, find the service account that you plan to use for these tests, and check the checkbox. On the right, under Permissions, click Add Member, add the service account name, and select Role -> Service Accounts -> Service Account Token Creator. Below is an example of what the minimum policy should look like.
```
$ gcloud iam service-accounts get-iam-policy demigod@example.iam.gserviceaccount.com
bindings:
- members:
  - serviceAccount:demigod@example.iam.gserviceaccount.com
  role: roles/iam.serviceAccountTokenCreator
```
The delegated subject should be a G Suite "headless user", i.e. a user that will never log in again after the initial logon to accept the G Suite Terms. There are a few important properties of this user that should be set:
- Directory sharing (under User Information): best to turn off (optional).
- Admin roles and privileges: first go to Admin roles and create a role with the Admin API privilege Groups Read Only. Then attach this role to the user.
The permission model consists of three different components, and as shown in the figure below, requests will only be authorized (ALLOW) in the union space.
```python
from google.oauth2 import service_account

GROUP_READ_SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.group.readonly'
]
# Key-file path: load the service account key, then assert the delegated subject
credentials = service_account.Credentials.from_service_account_file('<key-file.json>')
admin_creds = credentials.with_subject(subject).with_scopes(GROUP_READ_SCOPES)
```
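The following is an added example (not the project's main.py, nor Forseti's function) showing both credential paths side by side: the claim set that google-auth places in the delegation JWT, and a factory that signs it locally from a key file or, on GCE, via the IAM signBlob API using the real google-auth classes. The service account e-mail, subject and key-file path are placeholders.

```python
import time

TOKEN_URI = 'https://oauth2.googleapis.com/token'
GROUP_READ_SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.group.readonly',
]


def delegation_claims(sa_email, subject, scopes, now=None):
    """Claim set of the OAuth2 JWT assertion used for domain-wide delegation.

    google-auth builds exactly this when a service-account credential carries a
    subject: `iss` is the service account, `sub` is the impersonated G Suite
    user, `scope` is the space-joined scope list. With a key file the JWT is
    signed locally; on GCE the same claims must be signed via the IAM signBlob
    API, which is why the service account needs Token Creator on itself.
    """
    now = int(time.time()) if now is None else int(now)
    return {
        'iss': sa_email,
        'sub': subject,
        'scope': ' '.join(scopes),
        'aud': TOKEN_URI,
        'iat': now,
        'exp': now + 3600,  # one-hour lifetime, the maximum Google accepts
    }


def delegated_credentials(subject, scopes, key_file=None):
    """Return Admin SDK credentials for `subject` from a key file or from the
    GCE service account identity (google-auth is imported lazily so the claim
    helper above can be used without it installed)."""
    from google.oauth2 import service_account
    if key_file:
        creds = service_account.Credentials.from_service_account_file(key_file)
        return creds.with_subject(subject).with_scopes(scopes)
    import google.auth
    from google.auth import iam
    from google.auth.transport.requests import Request
    # Bootstrap from the metadata server, then wrap the IAM signBlob API as the
    # signer so a service-account credential with a subject can be minted.
    gce_creds, _ = google.auth.default()
    gce_creds.refresh(Request())
    sa_email = gce_creds.service_account_email
    signer = iam.Signer(Request(), gce_creds, sa_email)
    return service_account.Credentials(
        signer, sa_email, TOKEN_URI, scopes=scopes, subject=subject)
```

Calling delegated_credentials('axe@example.com', GROUP_READ_SCOPES) on a GCE instance whose service account lacks Token Creator on itself fails at the signBlob call, which is the symptom to check first when the GCE path breaks.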
```
$ cd <project-directory>
$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install -r requirements.txt
$ ./main.py --group bears@example.com --delegated-subject axe@example.com
```
- Add support for CloudFunctions