play-googleauth

Is Service Account delegation/impersonation necessary to access the Admin SDK Directory API?

Open rtyley opened this issue 2 years ago • 0 comments

The brilliant documentation added in PR https://github.com/guardian/play-googleauth/pull/29 back in October 2015 added these really useful lines:

> As explained in the Google documentation about Domain-Wide delegation of authority:
>
> Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API.

You can see us doing that with `createDelegated()` here (delegating to [email protected]):

https://github.com/guardian/play-googleauth/blob/60bcc8c69aa60c9bd78eef20ebb97a30d35c1adc/play-v27/src/main/scala/com/gu/googleauth/groups.scala#L71-L73

...but is delegation/impersonation still necessary?

https://github.com/guardian/pan-domain-authentication/blob/0854755c6093f95a731e697b558813b5c51623de/pan-domain-auth-core/src/main/scala/com/gu/pandomainauth/service/Google2FAGroupChecker.scala#L24-L30

rtyley, Nov 23 '23 12:11