Ingesting Google Workspace alerts troubleshooting

Hi all,

I'm following Google's documentation to ingest Google Workspace alerts via the Feed method. However, I try to follow the principle of least privilege for the impersonation account. The documentation is a bit contradictory in my opinion due to the following:

1. A custom role needs to be created for the impersonation account (for google workspace alerts that should be: Privileges > Services > Alert Center > Full Access > View access)
2. But then it is still required to assign the super admin role to the impersonation account (making the custom role obsolete).

I performed troubleshooting with and without the super admin role and custom role, and this results in the fact that the account really does need the super admin role to fetch alerts from Alert Center. See below an overview for reference:

1: API call without custom role and without super admin role: HTTP 403 Forbidden
2: API call with custom role but without super admin role: HTTP 200 + exit code 0 but does NOT fetch alerts.
3: API call with custom role AND super admin role (making custom role obsolete though): HTTP 200 + results > does fetch alerts.

Any guidance or tips to configure a (POLP) custom role without assigning the super admin role to the impersonation account? Thanks in advance.

Documentation reference: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs#before-you-... 
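The three outcomes listed above are easy to confuse because the second one returns HTTP 200 and exit code 0 while fetching nothing. The probe below is an added example (not from the original post, Google's documentation, or the Chronicle feed itself) that calls the Alert Center API through domain-wide delegation and reports which of the three cases occurred, so a health check inspects the alert count rather than only the status code. It assumes a service-account key file with domain-wide delegation and the impersonated admin address, both given as placeholders.

```python
"""Probe Alert Center access for a delegated service account.

Added example, not code from the original post. Assumes a service-account
JSON key with domain-wide delegation on the apps.alerts scope and the
address of the impersonated account (placeholders in __main__).
"""
from typing import Any

ALERTS_SCOPE = "https://www.googleapis.com/auth/apps.alerts"


def classify_probe(status: int, payload: dict[str, Any]) -> str:
    """Map an alerts.list outcome to one of the three cases from the post.

    403 is the missing-role case; 200 without an 'alerts' key (or with an
    empty list) is the silent failure where the call succeeds but nothing
    is fetched; 200 with alerts is the working configuration.
    """
    if status == 403:
        return "forbidden: impersonation account lacks access (case 1)"
    if status != 200:
        return f"unexpected HTTP {status}"
    alerts = payload.get("alerts", [])
    if not alerts:
        return "ok-but-empty: HTTP 200 but zero alerts returned (case 2)"
    return f"ok: HTTP 200 with {len(alerts)} alert(s) returned (case 3)"


def probe_alert_center(key_file: str, admin_email: str, page_size: int = 10) -> str:
    """Call alerts.list as the impersonated account and classify the result."""
    # Imported here so classify_probe stays importable without these packages.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    from googleapiclient.errors import HttpError

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=[ALERTS_SCOPE]
    ).with_subject(admin_email)
    service = build("alertcenter", "v1beta1", credentials=creds)
    try:
        payload = service.alerts().list(pageSize=page_size).execute()
    except HttpError as err:
        # HttpError carries the HTTP status of the failed request.
        return classify_probe(err.resp.status, {})
    return classify_probe(200, payload)


if __name__ == "__main__":
    # Placeholders: replace with the real key path and impersonated admin.
    print(probe_alert_center("sa-key.json", "admin@example.com"))
```

Treat the "ok-but-empty" result as a failure in monitoring: a feed that reports exit code 0 but never returns alerts is exactly the misconfiguration described in case 2.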
