Use Domain Wide Delegation with GKE workload identity

Hello,

I am trying to use Workload Identity Federation for GKE (https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity), but I have an issue.
My app uses the googleapis library on Node.js.

When I call the Google Translate API or the BigQuery API there is no problem, but when I try to use the Gmail API, I get the error "Check precondition failed".
If I use a JSON key file with the same service account, everything works, but I need to specify a delegated user.

So, is there a way to use Domain-Wide Delegation with Workload Identity, or is it simply not possible?
I don't see any option to generate a token with a delegated user, and I think this is the cause of the error.

 
Could you help me?

Best regards

Hi @Ziu_ 

Welcome to Google Cloud Community!

Based on the available docs on service accounts, it is possible to set up domain-wide delegation so that a service account can impersonate any user in a Cloud Identity or Google Workspace account.

Please note that domain-wide delegation cannot restrict which users on the Cloud Identity or Workspace account a service account may impersonate (which includes super admins); therefore, service accounts could be a target for privilege escalation attacks.

If you wish to accomplish tasks using a service account and avoid such security risks, you can use the OAuth consent flow. If domain-wide delegation cannot be avoided, you can restrict the set of OAuth scopes that the service account can use. This only restricts the types of user data that the service account can access.


I hope this information is helpful.

If you need further assistance, you can always file a ticket on our support team.
