
Adding scopes to Cloud Run service account

I have a Cloud Run service that I want to interact with the Google Workspace Admin API. I have an IAM service account set up for the service, but am having issues getting it to authenticate successfully to the Workspace Admin API.

I have domain-wide delegation configured for the service account to allow it access to the https://www.googleapis.com/auth/admin.directory.group.member scope it needs. The code works when I run locally logged in via the gcloud CLI. I did have to run "gcloud auth application-default login --scopes XXX" to explicitly add the directory API scope I need, but it works fine after doing that.

I am using the Go SDK if it makes a difference. So far I've tried explicitly specifying a scope when creating the client, but it didn't seem to make a difference.

    admin.NewService(context.TODO(), option.WithScopes("https://www.googleapis.com/auth/admin.directory.group.member"))

I see an option to add scopes to a GCE instance's service account using the gcloud CLI, but haven't had any luck finding the equivalent on Cloud Run.

    gcloud compute instances set-service-account INSTANCE_NAME [--zone=ZONE]
        [--scopes=[SCOPE,...] | --no-scopes]
        [--service-account=SERVICE_ACCOUNT | --no-service-account]
        [GCLOUD_WIDE_FLAG ...]

Any thoughts on how to add scopes to the service account running a Cloud Run service? I really want to try and use native IAM and not pass in static credentials, but will resort to that if I have to.


julien_bisconti
Google Developer Expert

Hi patrickeasters,

I'm not very familiar with the Workspace Admin SDK. I don't know the correct answer but I'm pretty sure that it has to do with OAuth and getting a JWT from GCP to Workspace.

From the links below:


Note: Although you can use service accounts in applications that run from a Google Workspace domain, service accounts are not members of your Google Workspace account and aren't subject to domain policies set by Google Workspace administrators.


https://developers.google.com/identity/protocols/oauth2#serviceaccount

https://developers.google.com/identity/protocols/oauth2/service-account

For storing credentials, Secret Manager is very well suited. I usually store the OAuth credentials there and load them through the Cloud Run integration with Secret Manager.


Sorry for not being able to help more,

Julien

Thanks! Something you said gave me a lightbulb moment. I found a StackOverflow example of using domain-wide delegation and reading through that code made it dawn on me that I don't actually need domain-wide delegation for my use case. GCP service accounts can be granted Workspace roles like Group Admin, so there's no real need to impersonate a user to manage group membership.

I added the service account as a Groups Admin directly and my Cloud Run service worked with no code changes. 

But, if the need to impersonate a user does arise, the post I linked above seems to be a decent example of how to use default credentials to get a token scoped to an impersonated user.

glad it helped 😄
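A note on the original question, with an added example that is not code from this thread, from Google, or from the Go client library. There is no `--scopes` equivalent to set on a Cloud Run service: the token a Cloud Run revision gets comes from the metadata server, and scopes are chosen per request by the workload through the `scopes` query parameter on the token endpoint, which is what `golang.org/x/oauth2/google` sends when scopes are passed through `option.WithScopes`. Scopes only narrow a token; what the service account may actually do is bounded by the IAM and Workspace roles granted to it, which is why granting the Groups Admin role was the fix above. The program below shows that token request against a constructed local stand-in for the metadata server so it runs offline; the stand-in's token strings, its default scope and its 403 message are constructed values, and only the endpoint path, the `scopes` parameter and the `Metadata-Flavor` header match the real service.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Scope the Directory API group-member methods need (from the question).
const groupMemberScope = "https://www.googleapis.com/auth/admin.directory.group.member"

// Token endpoint path served by the metadata server inside Cloud Run and GCE.
// The real host is http://metadata.google.internal; this example uses a local stand-in.
const tokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// accessToken mirrors the JSON document the token endpoint returns.
type accessToken struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// tokenURL builds the token endpoint URL. Scopes, when given, are sent as a
// comma-separated "scopes" query parameter; without it the server issues a
// token with its default (broad) scope set.
func tokenURL(base string, scopes []string) string {
	u := base + tokenPath
	if len(scopes) > 0 {
		q := url.Values{}
		q.Set("scopes", strings.Join(scopes, ","))
		u += "?" + q.Encode()
	}
	return u
}

// fetchToken requests an access token for the service account attached to the
// revision. The Metadata-Flavor header is mandatory: the server refuses requests
// without it, so a bare GET issued by something that cannot set headers gets nothing.
func fetchToken(ctx context.Context, client *http.Client, base string, scopes []string) (*accessToken, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, tokenURL(base, scopes), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata server returned %s", resp.Status)
	}
	var tok accessToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	if tok.AccessToken == "" {
		return nil, fmt.Errorf("metadata server returned an empty access token")
	}
	return &tok, nil
}

// fakeMetadataServer is a constructed stand-in so the example runs offline. It
// applies the same header check as the real endpoint and, instead of a real
// token, returns a string recording which scopes were requested.
func fakeMetadataServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != "Google" {
			http.Error(w, "missing Metadata-Flavor header", http.StatusForbidden) // constructed message
			return
		}
		if r.URL.Path != tokenPath {
			http.NotFound(w, r)
			return
		}
		scopes := r.URL.Query().Get("scopes")
		if scopes == "" {
			scopes = "https://www.googleapis.com/auth/cloud-platform" // constructed default
		}
		_ = json.NewEncoder(w).Encode(accessToken{
			AccessToken: "fake-token-scoped-to:" + scopes, // constructed, not a real token
			ExpiresIn:   3599,
			TokenType:   "Bearer",
		})
	}))
}

func main() {
	srv := fakeMetadataServer()
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	// First request: no scopes parameter. Second: narrowed to the Directory scope.
	for _, scopes := range [][]string{nil, {groupMemberScope}} {
		tok, err := fetchToken(ctx, srv.Client(), srv.URL, scopes)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("scopes=%v -> %s (expires in %ds)\n", scopes, tok.AccessToken, tok.ExpiresIn)
	}
}
```

Against the real endpoint, `srv.URL` would be replaced by `http://metadata.google.internal` and the returned token used as a Bearer token; in practice the client library does all of this for you, so the value of the example is seeing that the scope narrowing happens at token-request time inside the container, not in any service-level setting, and that the header check is the only thing the endpoint enforces before handing the workload's identity to whoever asks.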