Feature Request: Support Service Account Access Scoped to a Single Shared Drive (No Domain-Wide Delegation)
Context
Hermes’ production documentation currently recommends using a Google Workspace Service Account with Domain-Wide Delegation (DWD) for Drive, Docs, Gmail, and Directory operations. This approach enables full “as-user” attribution for API-driven actions but also grants the service account the ability to impersonate any user in the domain for the approved scopes.
For some deployments, DWD introduces security and compliance concerns because it significantly increases the blast radius if the service account credentials are compromised.
Problem
There is currently no documented or supported way to run Hermes in production using a service account without Domain-Wide Delegation while still leveraging Google Drive as the storage backend. Organizations seeking a more restrictive security posture may prefer to scope a service account’s access to a single Shared Drive instead of the entire domain.
Potential Feature
Introduce support for running Hermes with:
- A service account that does not use Domain-Wide Delegation.
- The service account added as a member of a specific Shared Drive that contains the `Shortcuts`, `All Documents`, and `Drafts` folders.
- Drive API calls updated to be Shared Drive–aware by including:
  - `supportsAllDrives=true` (on every file call, including create)
  - `includeItemsFromAllDrives=true` (for list/search)
  - `corpora=drive` and `driveId=<configured_drive_id>` (for list/search; `files.create` takes neither parameter, so a create is pinned to the Shared Drive by passing a folder inside that drive as its `parents` entry)
This would allow Hermes to operate within a confined scope while preserving existing workflows, with the trade-off that API actions would be attributed to the service account rather than the individual user.
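To make the proposed mode concrete at the protocol level, here is an added example (not Hermes code, and not from its maintainers) that shows the two things that actually change: the service-account JWT bearer assertion sent to Google's token endpoint carries no `sub` claim when no `subject` is configured, and every Drive v3 `files` call carries the Shared Drive parameters listed above. It uses only the standard library and sends nothing over the network; the function names, the `google_workspace` config keys `drive_id` and `subject`, and the use of the full `drive` scope are assumptions for illustration.

```python
"""Service account without DWD, confined to one Shared Drive: what changes on the wire.

Added example, not part of Hermes. Function and config-key names are hypothetical.
"""
import time
import urllib.parse

TOKEN_URI = "https://oauth2.googleapis.com/token"
DRIVE_FILES_URI = "https://www.googleapis.com/drive/v3/files"
# Assumed scope: membership of a Shared Drive is exercised through the broad Drive scope.
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"


def resolve_mode(config):
    """Pick the auth mode from a hypothetical `google_workspace` config block.

    A `subject` means DWD impersonation; otherwise we require a `drive_id` so the
    service account is never used unscoped by accident.
    """
    gw = config.get("google_workspace", {})
    if gw.get("subject"):
        return "dwd"
    if not gw.get("drive_id"):
        raise ValueError("no-DWD mode needs google_workspace.drive_id")
    return "shared_drive"


def jwt_claims(client_email, scopes, subject=None, now=None):
    """Claim set for Google's JWT bearer grant (RFC 7523 profile).

    The only difference between DWD and plain service-account auth is the `sub`
    claim: present -> token acts as that user; absent -> token acts as the SA.
    Signing (RS256 with the SA private key) is out of scope for this example.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": client_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,
    }
    if subject:
        claims["sub"] = subject
    return claims


def list_params(drive_id, query, page_size=100):
    """Query string for files.list restricted to a single Shared Drive.

    corpora=drive + driveId confine the search; the two supports/includes flags
    are what make Shared Drive items visible at all to a v3 client.
    """
    if not drive_id:
        raise ValueError("drive_id is required in no-DWD mode")
    return {
        "q": query,
        "corpora": "drive",
        "driveId": drive_id,
        "supportsAllDrives": "true",
        "includeItemsFromAllDrives": "true",
        "pageSize": str(page_size),
        "fields": "nextPageToken, files(id, name, mimeType, parents)",
    }


def list_url(drive_id, query):
    """Full GET URL for a folder listing inside the Shared Drive."""
    return DRIVE_FILES_URI + "?" + urllib.parse.urlencode(list_params(drive_id, query))


def create_request(parent_folder_id, name, mime_type):
    """Params and JSON body for files.create inside the Shared Drive.

    files.create has no corpora/driveId parameter; the target drive follows from
    the parent folder. supportsAllDrives is still mandatory or the write is refused.
    """
    return {
        "method": "POST",
        "url": DRIVE_FILES_URI,
        "params": {"supportsAllDrives": "true"},
        "body": {"name": name, "mimeType": mime_type, "parents": [parent_folder_id]},
    }


if __name__ == "__main__":
    # Constructed sample config: no subject, one configured Shared Drive.
    cfg = {"google_workspace": {"drive_id": "0ABCexampleDriveId"}}
    print(resolve_mode(cfg))
    print(jwt_claims("hermes@example-project.iam.gserviceaccount.com", [DRIVE_SCOPE]))
    print(list_url(cfg["google_workspace"]["drive_id"], "'draftsFolderId' in parents and trashed = false"))
    print(create_request("draftsFolderId", "new-doc", "application/vnd.google-apps.document"))
```

The `q` expression (`'<folderId>' in parents and trashed = false`) is how a listing is pinned to one of the three folders; combined with `corpora=drive` and `driveId`, a compromised key can at most read and write within the drive the service account was made a member of, which is the blast-radius reduction the request is after.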
Questions for Maintainers
- Would support for a “Service Account without DWD” mode be acceptable as an optional configuration in Hermes?
- Are there any known workflows or features that require impersonation (`subject`) for correctness?
- Would it make sense to make this the default behavior when no `subject` is provided in the `google_workspace` configuration?
FYI @ian-d @psaia