Make it easier to choose minimal DwD scopes as well as subscopes

Open jay0lee opened this issue 10 months ago • 4 comments

Today the command

gam user <email> check serviceaccount

expects the admin user to grant GAM ALL API scopes. If a given scope is skipped or not given, GAM calls that a FAIL and directs the admin to give it additional access. This is against the principle of least privilege.

In an ideal world:

  • GAM would prompt the admin during setup to choose which commands / APIs / scopes (which makes most sense from admin perspective here?) they wish to use.
  • GAM would not request scopes or permissions it does not need to do what the admin wants to do.
  • If the admin decides to run a command that needs permissions / scopes the admin did not grant, GAM would handle that gracefully:
      • BAD: fail with an ambiguous error message that leaves the admin wondering why GAM isn't working.
      • GOOD: fail with an error message that directs the admin to grant GAM the additional scopes / permissions it needs.
      • BEST: hold the admin's hand and guide them through the permissions / scope upgrade (while making it clear to the admin they are giving GAM more powers and introducing new risk).

jay0lee, Feb 09 '25 18:02

Try: gam user update serviceaccount

Ross Scroggs @.***

taers232c, Feb 09 '25 18:02

This is less about "what's possible" and more about "this is the default flow every admin follows". It's not OK that the vast majority of GAM admins just give GAM unlimited powers and then only ever use a small fraction of those powers. It's a security risk that can and should be mitigated with more limited GAM privileges.

jay0lee, Feb 09 '25 18:02

We could make check serviceaccount a synonym of update serviceaccount.

The initial update serviceaccount could default to no/minimal scopes and allow choosing categories.

I've cleaned up the error handling.

$ gam user testsimple show youtubechannels

ERROR: API access Denied Please make sure the Service Account Client ID: 115299222032463364422 is authorized for the appropriate API or scopes: Youtube API

Run: gam user @.*** update serviceaccount

I'll keep thinking about this and calendar

Ross

Ross Scroggs @.***

taers232c, Feb 09 '25 19:02

"We could make check serviceaccount a synonym of update serviceaccount."

Let's do this.

"The initial update serviceaccount could default to no/minimal scopes and allow choosing categories."

This may make it overly difficult for new admins setting up GAM to decide what they want, but I think just the above will help admins at least know they have the ability to choose least privilege when they want to.

jay0lee, Jun 09 '25 15:06
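
The behaviour discussed in this thread, sketched as an added example (not GAM's code and not written by either participant): grade only the scopes the admin selected, flag grants nobody asked for, and name the missing scopes when a command is denied. The command-to-scope map, the function names and the sample grant are assumptions made for this illustration.

```python
# Added illustration; not GAM's implementation.
# COMMAND_SCOPES is a hypothetical mapping constructed for this example.
A = "https://www.googleapis.com/auth/"
COMMAND_SCOPES = {
    "show youtubechannels": {A + "youtube.readonly"},
    "show calendars": {A + "calendar"},
    "show messages": {A + "gmail.readonly"},
}


def minimal_scopes(commands):
    """Union of the scopes needed by the commands the admin plans to run."""
    needed = set()
    for cmd in commands:
        needed |= COMMAND_SCOPES[cmd]
    return needed


def check_serviceaccount(selected, authorized):
    """Grade only what was selected; surface grants nobody asked for."""
    report = {}
    for scope in sorted(selected | authorized):
        if scope in selected:
            report[scope] = "PASS" if scope in authorized else "FAIL"
        else:
            report[scope] = "EXCESS"  # authorized but unused: removal candidate
    return report


def denied_message(command, authorized, user="<email>"):
    """The 'GOOD' outcome: name the missing scopes and the fix."""
    missing = sorted(COMMAND_SCOPES[command] - authorized)
    if not missing:
        return None
    lines = [f"ERROR: '{command}' needs scopes that are not authorized:"]
    lines += [f"  {s}" for s in missing]
    lines.append(f"Run: gam user {user} update serviceaccount")
    lines.append("Granting these gives GAM more access and adds risk.")
    return "\n".join(lines)


if __name__ == "__main__":
    selected = minimal_scopes(["show calendars", "show messages"])
    authorized = {A + "calendar", A + "drive"}  # constructed sample grant
    for scope, status in check_serviceaccount(selected, authorized).items():
        print(f"{status:6} {scope}")
    print(denied_message("show youtubechannels", authorized))
```

A scope that is neither selected nor authorized never appears in the report, so skipping it is not a FAIL.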