I have an identity_pool.Credentials object that works great, achieved via identity federation, but I need a service_account.Credentials object which contains the logic for impersonating a user via domain-wide delegation.
This seems like a reasonable problem and I can't find documentation anywhere, so not sure if it's possible. Should be related to #930, as the identity pool credentials are impersonating a service account.
I am trying to set up programmatic access to Google Workspace does not allow sharing within Drive with external domains, thus I need to use domain-wide delegation to grant access to the Drive API. This works perfectly when using a fixed set of service-account keys.
However, I am trying to set up access to Google Drive from an external Kubernetes cluster (AWS EKS) with OIDC set up for role-based access control. I would like to delegate the credential management to the OIDC provider to avoid needing to rotate service account secrets manually. This was straightforward to set up until it came time to use domain-wide delegation.