Hello,
We would like to build an application that will be run by a service account with Domain Wide Delegation to act as users in our organisation.
More specifically the SA will use the PAM (Privileged Access Manager) API to grant temporary elevated permissions to users.
From what I could see, the scope required for this API is: "https://www.googleapis.com/auth/cloud-platform", which is actually a scope used by many GCP APIs.
Is there a more specific role that could only allow the SA to access the PAM API?
Thanks.
Hi @antoinelefebvre,
Welcome to Google Cloud Community!
To securely use a service account (SA) with Domain-Wide Delegation for the PAM API, you can limit its permissions by creating a custom IAM role.
Here’s how you might settle it:
This approach may enforce least privilege while allowing the SA to interact with the PAM API safely.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
Hi Greb,
Thanks for your reply!
We are going to test this. I'll let you know how it goes!
Hello again,
From what we saw, the Custom Role is not required. Indeed, with the delegation, the Service Account that impersonates the User has access to all the roles given to the user itself.
So my understanding is that the SA will be able to use any API under the cloud-platform scope that the impersonated user can access.
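To make the mechanics behind this thread concrete, here is an added example (not code from the original posts or from Google) of what a domain-wide delegation token exchange looks like on the wire: the JWT assertion the service account sends to Google's token endpoint names the SA as `iss` and the impersonated Workspace user as `sub`, carries the `https://www.googleapis.com/auth/cloud-platform` scope, and is swapped for an access token that is then used against the PAM API. It is standard-library Python only, so the RS256 signature is replaced by a constructed stand-in signer (`demo_sign`) that Google would reject; a real client signs with the service account's private key (google-auth's `Credentials.with_subject(user)` does exactly this). The PAM endpoint shape, the service-account and user e-mail addresses and the project name are assumptions for illustration.

```python
"""Minting a domain-wide-delegation (DWD) token and using it against the PAM API.

Added example, not code from the thread or from Google. Stdlib only so it runs
offline: the RS256 signature over the assertion is replaced by a constructed
stand-in signer (demo_sign). In a real client the signing is done with the
service account's private key, e.g. google-auth's Credentials.with_subject().
"""
import base64
import hashlib
import json
import time
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Assumed host/version for the PAM REST API; verify against the API reference.
PAM_API_BASE = "https://privilegedaccessmanager.googleapis.com/v1"
MAX_ASSERTION_LIFETIME = 3600  # Google rejects assertions valid for more than one hour


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_dwd_assertion(sa_email: str, user_email: str, scopes: Iterable[str],
                        sign: Callable[[bytes], bytes], now: Optional[int] = None,
                        lifetime: int = MAX_ASSERTION_LIFETIME) -> str:
    """Build the JWT the SA exchanges for a token that acts as user_email.

    'iss' is the service account, 'sub' is the Workspace user being impersonated.
    The token endpoint only honours 'sub' when the SA's OAuth client ID has been
    authorised for these scopes under Domain-wide Delegation in the Admin console.
    """
    if lifetime > MAX_ASSERTION_LIFETIME:
        raise ValueError("assertion lifetime must not exceed one hour")
    issued_at = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": sa_email,
        "sub": user_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_ENDPOINT,
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url_encode(sign(signing_input.encode()))


def decode_claims(assertion: str) -> Dict:
    """Read back the claim set (no signature check; for inspection only)."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))


def scopes_are_authorised(assertion: str, admin_console_scopes: Iterable[str]) -> bool:
    """Pre-flight check: every requested scope must be on the DWD allow-list for the
    SA's client ID, otherwise the token endpoint answers 'unauthorized_client'."""
    requested = set(decode_claims(assertion)["scope"].split())
    return requested <= set(admin_console_scopes)


def token_request(assertion: str) -> Tuple[str, str, Dict[str, str], str]:
    """The POST the client sends to exchange the assertion for an access token."""
    body = urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})
    return ("POST", TOKEN_ENDPOINT,
            {"Content-Type": "application/x-www-form-urlencoded"}, body)


def pam_list_entitlements_request(access_token: str, project: str,
                                  location: str) -> Tuple[str, str, Dict[str, str]]:
    """A PAM call made with the delegated token. Authorisation for this call is
    evaluated against the IAM bindings of the 'sub' user, not of the SA."""
    url = f"{PAM_API_BASE}/projects/{project}/locations/{location}/entitlements"
    return ("GET", url, {"Authorization": f"Bearer {access_token}"})


def demo_sign(signing_input: bytes) -> bytes:
    """Constructed stand-in so the example runs offline; NOT a valid RS256 signature."""
    return hashlib.sha256(signing_input).digest()


if __name__ == "__main__":
    assertion = build_dwd_assertion(
        "pam-bot@example-project.iam.gserviceaccount.com",  # constructed SA address
        "alice@example.com",                                 # constructed user address
        [CLOUD_PLATFORM_SCOPE], demo_sign)
    print(decode_claims(assertion))
    print(scopes_are_authorised(assertion, [CLOUD_PLATFORM_SCOPE]))
    print(token_request(assertion)[1])
    print(pam_list_entitlements_request("ya29.example", "example-project", "global")[1])
```

Two things worth checking before deploying such a client: the scope list in the assertion must be covered by the scopes authorised for the SA's client ID in the Admin console (the `scopes_are_authorised` pre-flight mirrors that rule), and the scope only selects which API family the token may reach; which PAM entitlements or grants a call may actually touch is decided by the IAM bindings of the user named in `sub`, so a narrower scope on the SA would not by itself change what it can do once it acts as that user.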